Spam, or junk, emails are often sent out in bulk from compromised computers connected to the internet.
They usually try to do one of three things: entice you to visit a website to buy products (e.g. pharmaceuticals or beauty products); redirect you to sites set up to steal your personal data (this is called phishing); or get you to open an attachment that infects your computer or device with malicious software (malware).
Junk email is the electronic version of direct mail you get through your front door, leaflets inside magazines or flyers handed out on the street. The companies may or may not be genuine, as may the products and services they are offering.
In all these situations you always have the option of deleting the emails or dropping the items in the bin without acting upon them. They can be annoying, but unless you do something with them, they are inherently benign.
However, if you do click on a link or open an attachment, then you are likely to be a victim of phishing or malware.
What is phishing?
Phishing is a scam where internet fraudsters pose as reputable organisations or as someone from your own organisation or contacts list, and trick you into sharing personal or financial information with them.
What should I look out for?
You should be suspicious of any emails containing links asking you to update or verify your personal details and including statements such as:
- “We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
- “If you don’t respond within 48 hours your account will be closed.”
- “Your account has been, or will be, suspended.”
- “Your email account has been locked or is over its size limit.”
Phishing emails may appear to come from your bank or financial institution, a company you regularly do business with or a social networking site. They may include official-looking logos or convincing personal details which the scammers have found on your social networking pages. They might also appear to be from someone you know.
They can include links to spoofed websites where you are asked to enter personal information. They might ask you to make a phone call, where a person or an automated system waits to take your account number, personal identification number, password or other valuable personal data.
How do I avoid becoming a phishing victim?
If you get an email or pop-up message that asks for personal or financial information, do not reply to the email or click on any links.
Never email personal or financial information, as email is not secure enough. Only provide this information to an organisation through their website - and look for indicators that it is secure (like a URL beginning with https - the 's' stands for secure). Note that https only means the connection is encrypted, so also check that the domain name is the organisation's real one.
Use antivirus and anti-spyware software, as well as a firewall, and update them all regularly.
Review credit card and bank account statements as soon as you receive them to check for unauthorised charges. If your statement is late, call your credit card company or bank to confirm your billing address and account balances.
Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer’s security.
This is an example of a well-crafted and convincing phishing email:
1. This email appeared to be sent by British Airways (BA) themselves; the email address has been forged.
2. When checked online, this email is in the correct format for a BA online ticket reservation.
3. The departure date was only 2 days away; this is designed to panic you into thinking you'll be charged £490 for the ticket so that you click on the links, which is exactly what the scammers want.
4. & 5. These 2 links look as if they go to britishairways.com, but they will actually take you to a hacked website. It is easy to mask URLs in this way, so always hover your cursor over the link to see the true URL before clicking.
6. This address is correct, and overall the email has good spelling and grammar.
What is malware?
Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware, and other malicious programs.
It can take the form of executable code, scripts, active content, and other software. Malware is often disguised as, or embedded in, non-malicious files. It can perform different kinds of attacks on your computer, or be used to disrupt or gain control over a computer or network.
It may be stealthy, installing trojans that steal your personal information or spy on your activity for an extended period without your knowledge, or it may be designed to cause harm directly, as with ransomware that sabotages your data or extorts payment from you.
What should I look out for?
Malware delivery often follows a similar pattern to phishing, so watch out for suspicious emails and attachments, especially unexpected ones and those whose names end in .zip, .exe or .cab.
How do I avoid becoming a malware victim?
As malware often arrives in email similar to phishing emails, following the advice above on phishing can help protect you from malware too.
Here is an example of an email that contained malware. This particular attachment was the Cryptolocker virus and an image of what it can do to your computer is shown below.
1. Check the email address: is the sender familiar to you, and were you expecting an email from them? This example email appears to be sent by deditools.com.
2. This subject line does not make sense.
3. This attachment is a .zip file, which should arouse suspicion. Don't open attachments that look suspicious or that you were not expecting.
4. & 5. The text in the email is very generic. If this were a genuine email meant for you, it would probably use your name, and the contents and subject line would make more sense.
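Two of the warning signs above can be checked mechanically: a link whose visible text names britishairways.com while its real destination is elsewhere (points 4 and 5 of the BA example), and an attachment ending in .zip, .exe or .cab (point 3 here). The Python below is an added example, not part of this guide or of any named product; it builds a constructed test message (hacked-site.example, example.com and Invoice.zip are made-up values) and flags both.

```python
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe", ".cab")  # attachment types the guide calls out
HOST_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)  # link text naming a site

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host of a URL or bare domain, lowercased, with any leading 'www.' dropped."""
    host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def masked_links(html):
    """Links whose visible text names one host while the href really goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, host_of(href)) for href, text in collector.links
            if HOST_LIKE.match(text) and host_of(text) != host_of(href)]

def triage(msg):
    """Run both checks over an EmailMessage and return the findings."""
    body = msg.get_body(preferencelist=("html",))
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return {"masked_links": masked_links(body.get_content() if body else ""),
            "risky_attachments": [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]}

def sample_message():
    msg = EmailMessage()  # constructed test message, not a real email
    msg.set_content("Please see the attached booking details.")
    msg.add_alternative('<a href="http://hacked-site.example/ba">www.britishairways.com</a> '
                        '<a href="https://www.example.com/">example.com</a>', subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="Invoice.zip")
    return msg
```

Running `triage(sample_message())` reports the first link (text says www.britishairways.com, destination is hacked-site.example) and Invoice.zip, while the second link passes because the leading "www." is normalised before comparing hosts.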
In this example, if you open the attachment, it will run a program that encrypts all of your files and demands payment to provide the decryption keys so you can access your data again. This is called ransomware, and you would be greeted with the following on screen:
What should I do if I've been a victim of phishing or malware?
As with anything, it is always better to avoid becoming a victim by being vigilant and aware, but if you believe you have been scammed, lost money or had your computer infected, you can report this to Action Fraud.