Blog

Emails, Fraud and HARD COLD REALITY

One of the things people need to understand is that unless you’re using a private service like Hushmail and sending encrypted emails, your email is NOT private. The sad part is it can be picked up between you and your recipient and read.

Fraud and phishing exist because they are profitable. Too many people don’t check out messages that might be suspicious, and they click on links they shouldn’t. Email is like candy: taking candy from a stranger that might want to harm you is a BAD idea. If you’re getting an email that looks like it’s from one of your friends and you’re not expecting a link from them, look at #2, and if it is actually from them you should let them know their account might be compromised.

As I used to tell my college students, ‘Email is like a post card. Don’t put anything in it you would be embarrassed to see on a billboard’. Unfortunately, as people have become more familiar with and dependent on email, they are ignoring some basic properties of email, such as:


1. Email is not generally anywhere near as private as you think (more on that later). Google ‘mailsnarf’.

2. Emails might not be from who you think they’re from. Emails have header information that is usually hidden. Enable headers if you’re suspicious, or on Gmail click on the three-dot menu at the top right of the email and click ‘Show original’. It will then show the header information. Look for ‘smtp.mailfrom’, and if it doesn’t match the user’s email address domain (the part after the @) then you’re probably looking at a spoofed email. Pay attention to the English usage in the email. If someone you know sends you an email and their use of our language seems off, contact them via phone or text and ask if it’s them.

3. With weak passwords, no two-factor authentication, or user error, you or your recipient might not be the only ones reading that mailbox. I’ve seen multiple cases where someone’s email got hacked and they did nothing but read emails and craft really good-looking spear-phishing emails using the information they gained watching the person’s email.

4. Don’t send vital information via email unless you have no choice. If that is the case, text, fax, or call and give them passwords if you can. If you can’t do this, send it in parts in different emails. At least that way they have to work for it.

5. If you’re setting up your email in a client such as Outlook, ALWAYS use an SSL connection. If you don’t understand this, ask the geek in your life; they’ll help you.

6. If you’re using a web-based email program, check for the padlock to the left of the URL, use a strong password, and turn on 2-factor authentication if at all possible. (I wouldn’t use an email service that didn’t offer 2-factor authentication.)
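The header check in item 2 can be automated. The Python script below is an added example, not code from the original post: it parses a raw message, takes the domain from the visible From: header, compares it with the envelope sender found in Return-Path: and in the smtp.mailfrom= field of Authentication-Results: (the same header Gmail’s ‘Show original’ shows you), and flags any that do not line up. The two messages embedded in it are constructed samples with placeholder domains; the “relaxed” alignment rule (a subdomain of the From: domain counts as a match) is my choice, not something the post specifies.

```python
import email
import email.utils
import re

# Constructed sample (not a real message): the visible From: claims a friend's
# domain, but the envelope sender (Return-Path / smtp.mailfrom) is somewhere else.
SPOOFED_SAMPLE = """\
Return-Path: <bounce-123@mailer.example.net>
Authentication-Results: mx.example.org;
       spf=pass (example.org: domain of bounce-123@mailer.example.net designates
       192.0.2.10 as permitted sender) smtp.mailfrom=mailer.example.net;
       dkim=none
From: "A Friend" <friend@example.com>
To: you@example.org
Subject: check this out

Hey, take a look at this link!
"""

# Constructed sample of a normal message: the bounce address lives on a
# subdomain of the From: domain, which counts as aligned here.
LEGIT_SAMPLE = """\
Return-Path: <bounces@mail.example.com>
Authentication-Results: mx.example.org;
       spf=pass smtp.mailfrom=bounces@mail.example.com; dkim=pass
From: Alice <alice@example.com>
To: you@example.org
Subject: lunch?

Still on for Friday?
"""


def domain_of(value):
    """Lowercase domain of an address ('Name <u@d>'), bare address or bare domain."""
    _, addr = email.utils.parseaddr(value)
    addr = (addr or value).strip("<> ")
    return addr.rsplit("@", 1)[-1].lower()


def aligned(visible, envelope):
    """Relaxed alignment: identical domains, or one is a subdomain of the other."""
    return (visible == envelope
            or envelope.endswith("." + visible)
            or visible.endswith("." + envelope))


def check_sender_alignment(raw_message):
    """Compare the From: domain with every envelope-sender domain in the headers.

    Returns the From: domain, the envelope domains found, the ones that do not
    align, and a 'suspicious' flag. A mismatch is a signal, not proof: mailing
    lists and bulk senders legitimately use other bounce domains.
    """
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    envelope = {}
    if msg.get("Return-Path"):
        envelope["Return-Path"] = domain_of(msg["Return-Path"])
    # smtp.mailfrom= is written by the receiving server into Authentication-Results.
    # Folded (multi-line) header values are joined before searching.
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"smtp\.mailfrom=([^;\s]+)", " ".join(value.split()))
        if m:
            envelope["smtp.mailfrom"] = domain_of(m.group(1))
    mismatches = {k: v for k, v in envelope.items() if not aligned(from_domain, v)}
    return {"from_domain": from_domain, "envelope": envelope,
            "mismatches": mismatches, "suspicious": bool(mismatches)}


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_sender_alignment(sample))
```

Paste the full ‘Show original’ text into `check_sender_alignment` and look at the `mismatches` entry; an empty one means the envelope and the visible sender agree, a populated one is your cue to phone or text the person before clicking anything.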

Passwords, Passwords, Passwords

Are dead!! Use a passphrase. Instead of ‘Charlie2017’ (your dog’s birth year), use a phrase and substitute some of the characters for special characters on the keyboard; try “Ch@rliewa$b0rn2017”, easy to remember and very hard to crack. The estimate for that password being attacked by a medium-sized botnet was 1 quadrillion years. (A little overly optimistic imho)

Another site, http://password-checker.online-domain-tools.com/  gives some really good estimates on security of your password. 

All of this is meaningless if your computer has a virus or malware.  Many viruses and malware programs watch the keyboard for passwords or look at saved passwords in browsers. Don’t save your password if it’s not your computer!  Download some good antivirus programs and regularly scan your machine for malware. 

Let’s all go Phishing

What is phishing and why should I care/worry about it? Phishing is when someone uses misrepresentation to make you believe something that isn’t true. For example: it’s not really your bank’s website, you’re not emailing who you think you are, you’re not talking to who you think you’re talking to on the phone. Let’s have a conversation about the basics.

There are a few basic categories of phishing:

Generic Phishing – Emails that appear to come from a bank or other company you might have an account with. They claim to have a problem, or there is a ‘free’ something if you just click on the link. You get directed to a site that may look like the one you’re trying to go to but is actually somewhere entirely different. If you look in the address bar above in your browser you will see the URL doesn’t look right.

Vishing – You get a call from a number that ‘appears’ to be the actual people calling, but it is in fact someone spoofing the number and trying to get information or steal your identity. For example, your phone rings and the caller ID shows your bank’s name, but they offer some kind of deal that’s almost impossible to resist, or they claim a non-existent problem to gather information from you.

Smishing – You get an SMS message on your phone with a link to click on or a number to call. Total misrepresentation, and usually trying to install malware on your phone or find a way to steal your identity.

Search engine phishing – Usually a fake webpage that takes advantage of a ‘typo’ and grabs your browser to install malware or exploits. For example: you type regoinsbank.com instead of regionsbank.com, and that misspelled domain name is actually linked to a site that is designed to infect your computer or trick you into entering your credentials.
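The regoinsbank.com example is a typo-squat: a domain one keystroke away from the real one. Defenders (and browser or proxy filters) catch these by measuring the edit distance between a visited host name and a list of trusted domains. The Python below is an added example, not code from the post or from any product; the trusted-domain list is a constructed placeholder, and the label-extraction helper assumes a simple two-part suffix like .com (a production tool would use the Public Suffix List). It uses the optimal-string-alignment variant of edit distance so that the “oi”/“io” swap in the post’s example counts as a single edit.

```python
# Constructed allow-list of domains the user actually logs in to (placeholder).
TRUSTED_DOMAINS = ["regionsbank.com", "example.com"]


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1 each,
    so 'regoinsbank' vs 'regionsbank' is 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_label(host):
    """'www.regoinsbank.com' -> 'regoinsbank'. Simplification (assumption): the
    public suffix is the last label only; real code should consult the PSL."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_match(host, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (trusted_domain, distance) when host is within max_distance edits of
    a trusted domain's label but is not that domain (or a subdomain of it);
    otherwise None."""
    host = host.lower().strip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None  # the genuine site
    label = registrable_label(host)
    best = None
    for t in trusted:
        dist = osa_distance(label, registrable_label(t))
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (t, dist)
    return best


if __name__ == "__main__":
    for host in ("regoinsbank.com", "www.regionsbank.com", "examp1e.com", "google.com"):
        print(host, "->", typosquat_match(host))
```

A distance of 1 or 2 against a brand you use, on a host that is not that brand, is exactly the ‘doesn’t look right’ address-bar moment the post describes, and the same check can run in a DNS or proxy log to spot which squatted names your users are actually reaching.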

Spear-Phishing – This popular attack involves gaining access to an email account or spoofing an address to trick the user into revealing information or doing something the attacker wants (for example: an email looks like it comes from your boss and it directs you to buy some gift cards for an upcoming contest and send them to an address that supposedly belongs to the ‘event’ coordinator). This is rising in popularity, and sometimes they have managed to get access to either your email or the sender’s and studied the existing emails on the server enough to craft a message that seems believable. Hard to defend against; however, having a second layer of permission when money is to be used/transferred will usually protect you against this. For example, if you regularly transfer money, have the other person call you by voice and OK the transaction, or send you a text also stating the email is correct.

Whaling – This is when someone is going after the CFO, CEO, CIO, etc. They’ve got access to one of the senior staff in the company and they’re either using that email to order transfers that don’t exist or trying to gain information that is worth money to someone. These are very targeted and usually only carried out by people that really have some experience with what they’re doing and possibly some knowledge of the industry they’re trying to fake out.

Social media phishing – This is relatively new and appears to be primarily focused on females that are on Instagram, Facebook, games that support a ‘chat’ feature, and other social media venues. It starts off with an innocuous ‘hello’ message to establish rapport. Once they manage to establish some kind of rapport they continue to build on the relationship, providing the ‘attention’ their target desires. This relationship blossoms and they have conversations with their victims. Sometimes they just ask questions that appear innocuous and involve little things like family, pets, daily life, birthdays, favorite items. These are used to steal your identity and possibly provide answers to security questions, making it easier to steal access to a bank or email account and totally steal your identity. Sometimes sex is mentioned. If possible they ease their quarry into talking about their sex life or things they would like to do that they aren’t doing. Eventually there is a ‘picture’ exchange. The quarry gets a picture of the guy they’re talking to (in most cases they claim to be in the military) and the pictures are totally fake or stolen. This is why these accounts are usually private or it is very hard to verify their identity. The victim sends some pictures and then these pictures are used to extort either cash, more pictures or information from the victim. There are cases where victims, after sending compromising pictures, were forced to send even more money to their ‘boyfriend’ to keep him from sending them to her family, which he had located on Facebook. In one instance a victim had sent a scammer tens of thousands of dollars because he told her he was a soldier trying to get a box of ‘gold’ he discovered in the Middle East into the US. She was an educated professional that definitely knew better, but she got emotionally involved and it clouded her thinking.
It’s easy to claim that it won’t happen to you, but they probe and use their conversations and every question answered by the victim to build profiles and figure out their victims’ weaknesses. Avoid this by not accepting friend requests from people you don’t know, and don’t chat with people you don’t know in real life. You never know who is on the other screen.

In short, phishing is basically fraud on a wide scale, and they count on a small percentage of people to fall for their scam or to provide enough of an opening for them to compromise the victims’ computers or identities. You have to remember the end goal is money. There are multiple sites on the dark web that will sell you an American bank account with $10,000 or more in it for $800… They provide the passwords; you get the access to take the money.

Private VPNs – What are they?

Several companies out there are advertising VPN apps and services to provide ‘total’ protection for your surfing. We’re going to look at what a VPN is and what kind of protection you really get from it.

A VPN, or Virtual Private Network, is a network where the traffic is encrypted so that when it passes through another network on the way to its destination the actual packets are scrambled and in theory can’t be deciphered. The truth is that with enough horsepower and the right software the packets can be decrypted; it’s just very tough and takes a lot of effort to capture all the packets and decipher the traffic.

VPNs are used by companies to form links from one office to another over the internet. The traffic is then decrypted on the other end. This encryption allows sensitive data to go from one place to another without being ‘seen’ by unauthorized people. It saves companies thousands of dollars by enabling them to use the internet to move traffic from one office to another without having to get dedicated hard-wired connections to each office.

VPNs come in two basic flavors –

VPNs that are routed based on IP addresses and go from one pre-programmed point to another. This is usually done on a router and is something you’d find in large corporations.

Software VPNs that use software on each end and some kind of address mediation to make a connection and then encrypt the traffic.

Just about every VPN app out there is using software VPNs. This makes it easier for them to add more servers and addresses as their subscriber list grows.

What kind of Protection are you getting?

Most VPN apps encrypt your traffic from your device to a server they have connected to the internet that acts as a ‘proxy’ for your traffic. So if you have selected, either manually or automatically, a server in Atlanta, your traffic to your bank, email server, or web site will look like you are in Atlanta. You can easily check this by going to IP-Chicken.

This encryption means that if someone is on the same network with you, or a machine on your network has been hacked and is gathering information, your traffic will be unreadable for them, to all intents and purposes. This is how most people end up getting hacked. They’re on public wifi somewhere or using hotel wifi and someone is on the network watching all the traffic. Someone could even just attach a computer at the right spot on the network and run an app that watches traffic and grabs passwords.

It is IMPORTANT to remember that this does NOT mean that your traffic is totally protected all the way to your destination. You are protected by the VPN until you come out on the VPN server. In the example above your traffic from Atlanta to wherever you are going would be normal traffic. Maybe encrypted if the site you are on has https but not the heavy encryption that a VPN provides.

This is an important consideration when you decide what sites to look at while you are away from your home network. Remember, with enough computers and equipment basically none of your traffic is 100% secure. It’s just that there is so much traffic out there that most of us get something called Security-Through-Obscurity, basically meaning it’s too much effort for a normal hacker to single someone out in a high-traffic environment. You’re going to end up on the internet at some point, and if you’re coming out of a high-traffic environment you’ll be a bit more ‘obscure’.

VPNs can be a great thing when you’re traveling or if you use a laptop and move from office to office and don’t have any control over the network you’re on or are unsure about who is managing the network.

VPNs probably aren’t providing much benefit if your local network is secure.

Traveling with a Cell Phone

I was recently asked to recommend some software for a client’s friend to use while traveling out of the country so they wouldn’t get ‘hacked’. As I struggled to think of any one package that could make them safe, I realized this was actually a larger question.

When traveling abroad you will more than likely stand out from the locals. Also, if they are scanning all the phones in the area they will not recognize your phone, and there is always the possibility that the local service provider in the area has some employees that ‘moonlight’. Several issues come to mind and I’ll try to address the basic ones.

There are several things that can happen:
1. your phone can get its information stolen and be ‘cloned’
2. you could lose passwords and user ids to some of your sites
3. emails could be intercepted and web traffic monitored

First let’s address the difference between iPhones and Android devices. According to CoCospy, iPhones are easily cloned by acquiring their iCloud credentials. Android phones, on the other hand, cannot be cloned unless you have physical access to them. It would make some sense not to travel with an iPhone if you can avoid it.


The real danger lies in using wifi at hotels and restaurants. This lowers the bar for hackers and, without getting too technical here, it gives them an opportunity to steal IDs and passwords as your phone visits sites (i.e. an iCloud check-in or picture upload, or a bank or credit card login). Once someone can monitor your wifi traffic you have problems.

To combat this many people are buying ‘private VPN’ subscriptions. Companies like Avast sell VPN services through apps on your phone, and they can range from free to several dollars a month. Generally you get what you pay for. To understand what’s going on with a VPN app, think about your traffic (emails, credit card apps, video chats, etc.) being totally scrambled between your phone and a server somewhere on the internet like Atlanta or Chicago; after it gets there it goes out on the internet as normal traffic. This lets you ‘hop’ over anyone that is in your general network area and keep them from being able to grab traffic and decipher it. It is important to remember this security is NOT absolute. Someone could still catch traffic as you come out of the server in Atlanta or Chicago, but there will be so much traffic, and because some other security measures kick in, there would be a very small chance someone could intercept anything useful.

The other option would be to get a prepaid phone that’s cheap. Forward your calls and don’t take your nice phone with you.

If you decide to take your phone you should definitely avoid wifi if you’ve got coverage and your carrier isn’t going to break your wallet on roaming charges. Ask them about roaming before you go. If it’s more than you want to spend you’ll want to turn your data off on your phone. This is a simple button on the top of an android or one of the first preferences in an Apple device.

If you decide to use wifi, keep it off until you’re ready to use it. When you go to use it, turn on your VPN as soon as you attach to the wireless. Leave the VPN on and don’t turn it off. Also look on your phone and make sure it’s not set to attach to unsecured wifi automatically.

Charging your phone – It’s very important that you use your own cable and power supply to charge your phone. There are multiple devices, both cables and power supplies, that are designed to hack your phone using circuitry embedded in either the cable or the power supply. Charge with your own cable/battery!

With a little bit of care and sense you should do just fine. Remember your phone can be worth a lot of money to thieves. Don’t leave it lying anywhere even for a minute.