Last week, I received an email from a friend on the other side of the country. It contained no body text — just a rather odd-looking attachment with an HTML extension. But the Subject read, “Important Document for Review.” Even though I knew it would come across a bit snobby, I dropped him a note saying, “You know, I’d just as soon not have to open an unsolicited attachment if I didn’t have to.” Then I asked him what it was about. His reply was curt: “But it’s not unsolicited. I sent it to you.” I found his response to be a bit odd, but at the same time, he seemed to be a bit frustrated with me. Because he was my friend, I felt a bit embarrassed writing him again, but, because I receive a lot of email, I wrote once again, saying, “Still, would you mind telling me what’s in the attachment?” This time, he didn’t write back. I thought, “Great. Now you’ve really offended the guy, Doug.” So at this point, I glanced down at my system tray to make sure my antivirus was running (and it was), then opened the attachment. I felt foolish being so overly skeptical. I have my email client configured not to open any kind of file at all. So when I clicked on the HTML, it only read the mark-up language, but balked on opening up any of the program code beneath the hood. All I could see was that it was some kind of Google doc; I still couldn’t tell what it was supposed to be. So I wrote my friend one last time, completely convinced that I was going to annoy him to no end as I said, “I opened your attachment, and saw it was some kind of Google Doc, but my email client is configured to be kind of dumb. Can you tell me what I’m looking at here?” No response. I figured I’d lost him as a friend for good. The next day, I received a note from him saying his email had been hacked. “Unfortunately, my email account was hacked. Do not open this email or follow any instructions contained in it. Please delete it immediately.
I am sorry for any inconvenience this may have caused.” It was at that point I realized — I had almost turned off my safeties to open the program code. Almost. So … how does one know for certain that the email they receive is actually from one’s friend and not from an evil-doer? My conclusion: It’s impossible. All I know is this: Be skeptical, run a great antivirus program, and pray for the best. But be skeptical of everything. And at the end of the day, if you can’t call the guy, just don’t open the attachment. Period. It’s the only way I know.
Actually, your email doesn’t need to be “hacked”; it’s enough for the spammers to harvest huge numbers of email addresses, then spoof the sender’s entry in the email they send out, making you believe it’s coming from a trusted source.
I used to work in the fraud dept for a major financial company, both in credit fraud and identity fraud. If I get something from my mom that looks fishy, I won’t open it. I’ll always check. I have never come across someone I know personally who was offended when I asked them about the attachments in an email with their name on it. If they are offended, something is clearly wrong and I’ll delete it, whether it’s legit or not. I won’t risk all the important documents on my computer for someone’s ego.
If I get an email with an unexplained attachment I *always* write for an explanation. And if the answer comes back somewhat impersonally I have been known to request an answer to a question only that person would know – explaining that I just want to be sure they are who they say they are. I’ve never had anyone be offended at either level of these queries.
If I have admin access to a mail server, it’s trivially easy to forge mail, both headers and body. And it’s very easy to copy artwork and general layout. Depending on how hard the attacker is willing to work, there’s forged message traffic that appears to be authentic.
Both attachments and embedded links are suspicious.
A tip: transaction-specific mail is *always* sent by an automated process. Thus, a couple of give-aways of something that’s forged:
– The return address (or a reply-to:, used in a reply) is normally an invalid address (i.e., no-reply@ups.com). A fraudulent message will show something else, such as a domain that is similar to what would likely be legitimate (e.g., ups-mail.com), or a domain that is obviously unrelated (e.g., yahoo.co.in).
– An auto-mailed response will *never* include an attachment.
As a general rule, legitimate business senders (especially financial institutions) do not send unsolicited mail. If you get something that is suspicious (and something that has vague wording is *always* suspicious), never trust the links provided in a message. If you want to check further, use a URL that you enter by hand.
One thing that the fraudsters like to do is send a lot of stuff that claims to be for operations such as UPS (where email confirmations are common). Thus, if you’re expecting a transaction confirmation, and you get a phony message at the same time, you can be enticed to click on links. For something like that, a legitimate message should have a unique tracking number, and you need to make sure the tracking number matches what you already have in your records.
For the question of hacked accounts and counterfeit messages, a common thing is that the originators like to include about a dozen other addresses (likely harvested from the victim’s address book), and use those addresses with CC: addressing, as a way of making the message appear to be legitimate (especially if the addressee recognizes other addresses in the distribution list).
It’s also noteworthy that accounts with the major free providers are a popular target for account hacking — Yahoo is the most popular, but there’s also a lot of attention focused at Gmail, Hotmail, and AOL, as well.
However, if the content looks cryptic, and there’s not an obvious reason why the message is being sent, assume it’s likely a fraud, unless you confirm independently. For this kind of thing, it’s better not to use email to check, because if the account has been hacked, the intruder may still have access, or it may be that the legitimate user of the account may not use that account frequently. Better to use a phone call to confirm. The same kind of response is also appropriate for the messages where somebody you know claims to be in London, has lost all his money and travel papers, and is asking you to wire some money, until he can get home and repay you. Call the purported sender, and verify that they’re not in London.
One other tip: it’s best not to use a single email address for all your activities. Keep one address that you give to your friends, and one or more addresses for other use. In particular, don’t give your main address out when you’re purchasing, or having to disclose it in a place that may either sign you up for mailing lists or leak it to other people. For me personally, I have separate addresses for work (a company address) and personal use, but when I’m doing online purchasing, I normally use a Yahoo account to get notifications. I normally check the Yahoo account only when I’m expecting mail there, and if I get commercial mail at one of the other addresses, then it’s very probable that it’s fraudulent.
Also — don’t be too aggressive about responding to pleas of “add us to your address book”. It’s true that some mail providers or mail clients (but not all, by a long shot) may use that as a way of doing whitelisting, of having indicators that mail from a known trusted source is legitimate. However such whitelisting doesn’t account for the possibility of forged or hacked mail, and in some cases, whitelisting may accomplish more to ensure that forged mail gets through than to prevent legitimate messages from getting dropped into a spam folder.
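The header give-aways listed in the comment above (a From or Reply-To domain that merely resembles the brand, or is an unrelated free-mail domain; an automated notification that carries an attachment; a dozen CC’d addresses lifted from an address book), together with the sender spoofing mentioned earlier in the thread, can be turned into a quick triage script. The following is an added example, not code from the original post or any of its commenters. The brand-to-domain table, the CC threshold and both sample messages are constructed assumptions for illustration; a real filter would also consult SPF/DKIM results rather than headers alone.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed assumption: brands that send transaction mail, mapped to the
# domains that legitimately send for them. Real filters need a far larger
# table, but the shape of the check is the same.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "paypal": {"paypal.com"},
}
CC_THRESHOLD = 8  # roughly the "dozen other addresses" pattern


def domain_of(addr: str) -> str:
    """Lower-cased domain part of a header address, or '' if there is none."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def brand_in(text: str):
    """First known brand named as a whole word in text, else None."""
    low = text.lower()
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{brand}\b", low):
            return brand
    return None


def suspicious_flags(raw: str) -> list:
    """Return human-readable reasons this message looks forged (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_hdr = str(msg.get("From", ""))
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(str(msg.get("Reply-To", ""))) or from_dom
    return_dom = domain_of(str(msg.get("Return-Path", ""))) or from_dom

    # 1. A brand is named in the sender or subject, but a sending domain is
    #    only a lookalike (ups-mail.com) or entirely unrelated (yahoo.co.in).
    brand = brand_in(from_hdr) or brand_in(str(msg.get("Subject", "")))
    if brand:
        seen = set()
        for label, dom in (("From", from_dom), ("Reply-To", reply_dom),
                           ("Return-Path", return_dom)):
            if dom and dom not in seen and dom not in BRAND_DOMAINS[brand]:
                kind = "a lookalike of" if brand in dom else "unrelated to"
                flags.append(f"{label} domain {dom} is {kind} {brand}")
            seen.add(dom)

    # 2. Replies or bounces routed to a different domain than the visible
    #    sender: the usual shape of a spoofed From header.
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom != from_dom:
        flags.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # 3. Transaction notifications are machine-generated and carry no files.
    if brand and any(part.get_filename() for part in msg.walk()):
        flags.append("automated notification carries an attachment")

    # 4. A long CC list is typical of a hijacked account spraying its address book.
    cc_hdr = msg["Cc"]
    cc_count = len(cc_hdr.addresses) if cc_hdr else 0
    if cc_count >= CC_THRESHOLD:
        flags.append(f"{cc_count} CC recipients")
    return flags


# Constructed sample: the lookalike/free-mail/attachment/CC pattern in one message.
PHISH = """\
Return-Path: <bounce@yahoo.co.in>
From: "UPS Customer Service" <noreply@ups-mail.com>
Reply-To: ups.tracking@yahoo.co.in
To: victim@example.net
Cc: a1@example.org, a2@example.org, a3@example.org, a4@example.org,
 a5@example.org, a6@example.org, a7@example.org, a8@example.org, a9@example.org
Subject: Important Document for Review
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your shipment details are attached.
--b1
Content-Type: text/html; name="tracking.html"
Content-Disposition: attachment; filename="tracking.html"

<html><body>see attached</body></html>
--b1--
"""

# Constructed sample: a plain notification from the brand's own domain.
LEGIT = """\
Return-Path: <noreply@ups.com>
From: "UPS" <noreply@ups.com>
To: customer@example.net
Subject: Your UPS shipment has been delivered
Content-Type: text/plain

Your package was delivered today.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, suspicious_flags(sample) or ["no flags"])
```

Each flag is a reason a human can act on, which matters more here than a score: the advice in the thread is to verify out of band, and the script only tells you when to bother doing so.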
Wow – great list of suggestions. Well done, GP!
We were just recently “hacked”: someone used our email address and said it came from my husband’s iPhone. One of our friends who knows us well called us to warn us since a) she has never known my husband to email her and b) she didn’t think he would email from an iPhone. She emailed us what had been sent. We didn’t open the attachment but were able to see that “he” had emailed several people on our email list, some we hadn’t emailed for years. One suggestion on contacting said friend: rather than reply to that email, email them a reply through the last trusted email they sent, or through Facebook, or through another trusted friend with whom you have regular contact. I generally don’t open any attachments unless there has been a clear identification as to what exactly it’s about.