Email Scams, Vulnerable Schools, and Good Advice
August 2, 2017
First, I must solicit your strictest confidence in this transaction. THIS IS BY VIRTUE OF ITS NATURE AS BEING UTTERLY CONFIDENTIAL AND ‘TOP SECRET.'
IN SUMMARY: I have 15,000,000.00 (fifteen million) U.S. Dollars and I want you to assist me in distributing the money to charity organizations. I agree to reward you with part of the money for your assistance. This mail might come to you as a surprise and the temptation to ignore it as unserious could come into your mind but please consider it a divine wish and accept it with a deep sense of humility.
We all know how this email ends: "Please send me your contact information and we will send you a cashier's check for millions." They will send you the money from the Nigerian Prince and you will be a millionaire. Easy peasy.
Scam 419 or the "Nigerian Prince Scam"
While commonly known as the "Nigerian Prince Scam," the origins of this scam go back to the 1920s. If you actually respond to one of these emails, the scam plays out like this:
- You respond, willing to help.
- They respond with more back story, thankful that you are willing to help them out of this dangerous or embarrassing situation.
- There is a snag (usually after some delay of 1 or 2 weeks). They need some small amount of money from you to keep the ball rolling.
Repeat steps 2 and 3 till you are out of money or no longer willing to pay.
- You threaten them to give you the money you are owed. You never hear from them again.
Email Gives New Life to an Old Scam
This type of scam is much older than email. Before, very similar scams were spread through parcel and later through fax. Email is an ideal way to perpetrate this scam as email doesn't have any built in ways to verify the origin of the message. That means that there is no way for the recipient to know who sent the message, and thus there is no way to go after the perpetrators of the scam.
The email used in this example is easy to dismiss as blatantly fraudulent due to the non-specific language that is used, yet this isn't always the case. Nowadays, scam emails include the name of the recipient in the message, making it harder to detect. Email scams are on the rise according to the FBI and are not always easy to recognize.
A targeted email scam is called "spear phishing," and it involves tailoring the content of the email to the specific target of the email. Spear phishing is a sub-set of a larger attack category known as "social engineering," when normal social behavior is used in a manipulative way to get a desired goal, such as money or data. Schools in particular make easy targets due to their open nature. Southern Oregon University recently lost $1.6 Million in a targeted email scam when, during a construction project, they received an email from someone claiming to be their contractor. The email contained information for payment and a bank account number to transfer funds. It took nearly three business days to discover the fraud, and it is still unknown if SOU will recover anything from the scam.
What Makes a School So Vulnerable?
While schools' IT systems have gotten more complex, other systems remain fairly predictable. Even if there is no public directory, it's likely each email address will follow a standard naming convention and can be guessed easily. This, coupled with the need for public records, can give a scammer lots of useful information.
When it comes to larger targets for scams, schools are relatively easy. When compared to other high-value targets (such as private corporations), a school has an abundance of public info. Routinely, schools publish complete staff lists online, along with community announcements about new building projects or contracts. With so much information out in the open, it's easy for a spear phishing email to sound legitimate. Sometimes even any response is what the scammer is after; if there is a response, the scammer knows that the email is valid.
Here are some other notable examples of social engineering:
Knowledge graphs: These attacks use the meta-information/meta-data around a target to gain more information. For example, a photographer might use a public site like flickr or instagram, yet every picture taken with a digital camera contains data about where and when the picture was taken. If the picture was taken with a smart phone, often the make and model of the phone will be in the pictures' meta-data as well. Many cell models are provider-specific or even branded with the company that provides service to the phone. Now, all an attacker has to do is call the mobile phone service and pretend to be the person who took the photo, or call the person that took the photo and pretend to be their mobile service provider.
Off-line attacks: These attacks happen either over-the-phone or in-person and are more common than you may think. Oftentimes these are calls from customer support centers. At the very least, a scammer will usually be able to get the last four digits of a credit card or information about a person's home address from these calls.
Copy-paste attacks: This social engineering attack occurs when a user copies more than they intended, inadvertently "pasting" more text than is visible. For example, a user may wish to bulk-edit a group of photos, and after research, finds a script that will automate this activity. When they follow the instructions and copy-paste the script into their computer, they find that they inadvertently installed a virus. This doesn't mean that you should never copy and paste, but it does mean you need to check what you are pasting. This can easily be verified in a simple text editor (Notes for Mac and Notepad for PC).
For example, copy this text and you will see after you paste it into a simple text editor that there is lots of more text here than you expected to see in your editor.
How to Protect Yourself
There are some simple things that can be done to protect yourself from social engineering.
Read email carefully. The more you learn about email, the better you will be at recognizing fraudulent missives. Email is made of two distinct parts: the header, which holds information about the email (the subject, who it is from, and who it is to), and the email message, which is the content of the actual email. Most email clients will allow you to see a limited amount of information from the email's header. Read the sent date, sender name, and email address. Were you expecting correspondence from the sender? Is there anything wrong with the date, or is the sender's name misspelled? Digital signatures and email encryption can offer additional protection. Digital signatures add an attachment to the email that cannot be forged. If that attachment is included with the email, it can be tested against the user's public key and the user's identity can be confirmed. Email encryption ensures that without the decryption key, the message cannot be read.
Never click an unknown link. The consequence of lowering the barrier to entry with the internet is that anyone can write anything. This means that everything needs to be thought of as an attack. The general rule should always be if you are not expecting the link, don't trust it. Less obviously, links can hide information. Always look at a link's destination before you click on it. The can be done by right-clicking and choosing "copy link location," or by watching the status bar on the bottom of the browser window for the link address to pop-up. This is a behavior that might seem clunky at first, but after a couple of weeks of being link-aware, you will find it becomes second nature.
Use plain text editors to sanitize copy and paste. You should never copy and paste terminal commands directly. Keep a plain text editor around for copying into and inspecting the clipboard. Some of my favorite free plain text editors are Notepad++ on Windows, or BBEdit on Mac. If you use both Windows and Mac, Atom is a cross-platform plain text editor, meaning you can run it on any desktop or laptop: Windows, Mac, or Linux.
Educate yourself and take an active role in your protection. It is time for everyone online to take active roles in their own security. Just like there are street smarts for being safe in society, there are also a certain amount of "online smarts" required for living safely online. A good place to start is Connect Safely. They have a wide range of guides to educate you including detecting fake news and how to protect student data.
- Pando: A reporter asked us to hack him and this is how we did it.
- Ars Technica: How I lost my $50K twitter username (with an interesting twist: the hacker reveals to his victim how he did it!)