" phishing Archives - Page 4 of 4 - LuxSci

Posts Tagged ‘phishing’

Phishing or for Real? Why Companies Need to Take a Closer Look at Their Email Marketing

Friday, April 7th, 2017

 

In July 2016, Hilton HHonors loyalty program members received an email asking them to log into their Hilton HHonors account to confirm their correct email address, mailing address, and other personal details.

The email set off alarm bells for a number of customers. One tweeted a screenshot of the email to the Hilton HHonors Twitter account, asking, “… is this legit? Looks very much like a phishing email…”Phishing

Hilton’s support team responded, “This is not an email from the HHonors team. Please do not share your account details.”

The only problem? It was a legitimate email from Hilton HHonors, but it so closely resembled a phishing email it fooled Hilton’s own IT team.

Hilton is not the only company to inadvertently send customer emails that are nearly indistinguishable from phishing emails. Many companies send emails asking their customers to log in to confirm account information or confirm payment details. Sometimes, cautious customers will reach out to the digital community for feedback on whether an email is real or fake.

These emails are a problem because not only do customers believe them to be phishing emails, but they normalize emails that ask for personal information—making people more vulnerable to real phishing scams in the future.

Marketers need to understand email marketing best practices to send secure customer messages that don’t endanger customer privacy and data. Here’s everything you need to know from a technical and content perspective to make sure your email isn’t mistaken for a phishing scam.

Read the rest of this post »

Analyzing a Forged Email Message: How to Tell It Was Forged?

Monday, February 9th, 2015

In our previous posting, we looked at exactly how Spammers and hackers can send forged email — how its is possible and how it is done.  Therein, we gave an example how one could send an email forged to be from Bank of America.

In this post, we will look at that forged Bank of America email to see technically what it looks like and how it differs from legitimate email from Bank of America.

What can we learn that allows us to detect forged email in the future?

The Forgery: Received.

The forged email from Bank of America was based on a legitimate email message, so that the forgery could look as close as possible to actual email from them.

In truth, the majority of forged email simply changes the “From” address and does not bother with anything else.  These forged messages are used for Spam and hope the forgery fools enough people to be worth it, through numbers.  What we are looking at here is a more carefully crafted message designed to fool filters and a careful eye.  These kinds of fakes might be used in spear phishing attacks on an individual or in more sophisticated Spam campaigns.

The the forged Bank of America email that arrived in the recipient’s mail box looked like this (the raw headers):

Read the rest of this post »

How can Spammers and Hackers Send Forged Email?

Thursday, February 5th, 2015

Everyone has seen spam messages arrive with a “From” address that is your own address, a colleague’s, a friends, or that of some company that you work with or use.  These From addresses are forged to help the messages (a) get by your spam filters, and (b) get by your “eyeball filters”.

But how are these folks “allowed” to do that?

When email was first developed, there was no concept of the need for security; protections against identity theft and forgery were not part of the plan.  As a result, it is actually trivial for one to send an email with a forged “From” address and even some forged “Received” tracking lines by just connecting to your target’s email server and telling it whatever you want.

Let’s try to send an email to the address “testuser@luxsci.net” pretending to be from “Bank of America”.  The purpose of this exercise is not to teach you how to send forged email so much (this is not a new technique) as to set the stage for understanding how to detect and combat these kinds of messages.

Read the rest of this post »

8 Ways to Protect yourself from Forged/Fake Email

Monday, January 26th, 2015

The Internet is rife with fake and forged email.  Typically these are email messages that appear to be from a friend, relative, business acquaintance, or vendor that ask you to do something.  If you trust that the message is really from this person, you are much more likely to take whatever action is requested — often to your detriment.

These are forms of social engineering — the “bad guys” trying to establish a trusted context so that you will give them information or perform actions that you otherwise would not or should not do.

Here we address some of the actions you can take to protect yourself from these attacks as best as possible.  We’ll present these in the order of increasing complexity / technical difficulty.

Read the rest of this post »

7 Common Misconceptions about DKIM in the Fight Against SPAM

Monday, August 18th, 2014

The popularity and prevalence of DKIM in the fight against SPAM is growing such that as of August, 2014, 47% of the most popular domains in the USA are DKIM-enabled (reference); globally, that number is 38%.  The trend is steadily upward and we expect DKIM use to be pervasive within a few more years.

DKIM, Domain Keys Identified Mail, is still a magic techno-jargon black box to most people. It’s “something” you gotta “add to DNS” to help stop SPAM or make your email “appear more legitimate”.  Beyond that (and even what DNS actually is) … many people are stumbling to know what is going on.

Here are 7 misconceptions about DKIM that we have seen, and the explanations that can steer you back on  track:

1. DKIM stops SPAM

Many folks believe that enabling DKIM for their domain and DKIM filtering for their inbound email will stop SPAM from reaching them.  Certainly using DKIM filtering on your inbound email will cut down on SPAM and using DKIM for messages sent by you can help others verify your email is legitimate; however, it does not actually stop spam.  In fact, it can make some SPAM look more legitimate.

Read the rest of this post »