Worms and viruses are increasingly being written to steal confidential data from innocent people’s computers, to hijack resources, or launch spam or denial-of-service attacks.
Graham Cluley
The first computer virus (Elk Cloner) written nearly thirty years ago was relatively harmless and almost funny. Its intention was to display a poem every time your computer booted up. Today’s cyber-crime is big business and often malicious. It comes in many forms, from viruses and phishing to spam. Emails and web downloads are the most common source of viruses. In this chapter we cover:
- the distinction between the three main sources of cyber-crime
- top tips to avoid being the target of a virus or phishing attack and reduce spam
- sources of further information.
Cyber-crime can be expensive. You will need to disinfect your computer if infected and you and your business may suffer reputational damage. Viruses are easily transmitted and others will become wary of email from you if your email image has been compromised. If you run a business, cyber-crime can result in a denial of service attack, whereby your website is temporarily shut down and everyone is denied access. If you use email for marketing, and do not take the necessary precautions, you can find your business email address is very quickly blacklisted.
Never open an email (or attachment) or follow a link in an email which looks suspicious (not authentic). Delete the email immediately.
Spam
Processing the estimated annual volume of 62 trillion spam emails is equivalent to driving around the world 1.6 million times.
‘The Carbon Footprint of Email Spam Report’, McAfee
In 2009 spam emails were estimated to account for 85 per cent of worldwide email traffic. The term ‘spam’ refers to unsolicited junk email and is often about how to enlarge your physical and financial status. The term is generally thought to have been derived from the 1970s Monty Python sketch on spam (you can see the original on YouTube). The alternative explanation is that it comes from the abundance of pink canned meat made in Britain after World War II. Known as Spam, it was one of the few items not rationed but not wanted.
There is a fine dividing line between having ferocious spam filters (which can also trap legitimate emails) and lax spam filters (which mean your email inbox is full of junk). Spam is costly in terms of the resources used to stop it and time taken to trawl through spam filters to make sure nothing important has been accidentally trapped. It can take me up to 30 minutes a day to trawl through the spam emails.
Viruses
A virus is a piece of computer code which can harm your computer by infecting it and causing it to behave in unexpected ways. Viruses often mutate either through attachments or by opening your contact database and sending infected emails to everyone in there. A classic was the ‘ILoveYou’ virus in 2000. Contained in an email, it spread like wildfire and at least 10 per cent of businesses were hit. Since then, anti-virus software and surveillance has greatly improved.
Identity theft
This is a relatively new phenomenon. It is an attempt to steal your personal data (usually financial, such as bank details). There are two main sources of identity theft, phishing and key logging.
Phishing
The attack arrives as an email from what looks like a reputable source (for example, your bank, PayPal, HM Customs and Excise). You are asked to click on a website link to verify information which is then used to defraud you. Again this can be costly as institutions such as banks have now tightened up the terms under which they will reimburse you for such crimes.
Key logging
Attachments containing malware will install a piece of software on your PC which then records your every keystroke. (Malware is the term for any unpleasant software which may harm your PC and subsequently your personal identity.)
Cyber-crime as a major business threat
Although there are now many companies that specialise in detecting all forms of cyber-crime and providing anti-virus and spam software, the perpetrators of cyber-crime are becoming cleverer and more malicious by the day. Not surprisingly, the 2009 Davos World Economic Forum identified tackling cyber-crime as one of the top five challenges facing business.
Download and read ‘Threatsaurus – the A–Z of Computer and Data Security Threats’ from Sophos (www.sophos.com).
Out-of-office messages
Out-of-office messages can inadvertently open the backdoor to cyber-criminals and breaches of confidentiality. Such messages are now provided with most popular free email account providers (including Googlemail, Hotmail and Yahoo). The cyber-criminal does not distinguish between large corporate and individual email users. The risks related to using out-of-office messages apply equally to all users.
Limit the risk of a breach of confidentiality and burglary
Consider the out-of-office message below.
I am away on leave from 10 to 24 July. If your message is urgent, please contact one of the following. Jane Brown in connection with A. Fred Lane in connection with B. Will Bean in connection with C. Otherwise I will deal with your email on my return.
This is both unsafe and carries a high risk of breaching confidentiality. It would take a serious cyber-criminal only a few minutes to locate where you live and hence a possible empty house. Analysing the out-of-office responses to a recent e-briefing I sent revealed that 28 per cent of responses were insecure.
Giving three people as contacts and the projects/clients for whom they are responsible is also risky. You have now disclosed to possible predators (competitors, journalists, etc.) information you probably wanted to keep private. An example of a safe and secure out-of-office message is shown below:
I am out of the office from 10 to 24 July with limited access to email. If your email is urgent, please contact Jane Brown. Otherwise I will deal with the matter as soon as I can.
When composing your out-of-office message, say only that you are away from the office. Give the name of one point of contact only and always check that they too are not on leave.
Some people give only a name (and maybe an email address) to deter unwanted people from phoning. They either make the assumption that key clients know who else to phone or they delegate access to their mailbox to another person.
Don’t let the spammer in through the backdoor
Out-of-office messages can give away your email address to spammers. Spammers often generate random email addresses and, when they receive your message, they then know they have struck lucky.
On or off, which is the lesser of the two evils?
One charity that relies heavily on casual labour to man telephone helplines has suffered from pickpocketing through the use of out-of-office messages. A thief sent emails and, when he received people’s out-of-office messages, he posed as these absent people to gain access to the building and steal.
For all these cyber-crime related reasons, many companies now ban the use of out-of-office messages for external emails.
Before deciding on your policy for use of out-of-office messages, weigh up the potential loss of business against the risks of cyber-crime, and then make a decision best suited to you (and your business).
Software tools to prevent cyber-crime
Today most email suppliers and businesses subscribe to one of the major anti-virus and spam services, such as Sophos and MessageLabs, which stop spam and viruses before they even enter your network. However, attacks can also be triggered by web downloads. Cyber-crime protection is therefore usually a multi-layered approach. Emails will be scanned at source before entering your business, on entry and, lastly, as they arrive at your computer.
Even if you are a sole trader, it is vital to have anti-virus/spam software on your computer/laptop in addition to that provided by your email supplier.
It is important to remember that anti-spam and virus software is reactive, not proactive, and can only be introduced once a virus, etc., has been spotted. Just occasionally it takes time for these to be spotted. A classic example is the ‘Nigerian 914’ scams whereby people are asked to give some money in order to release a much larger sum (for example, someone’s estate). The growth of the internet led to a surge of these email scams in early 2000; however, although they still go on in various guises, today far fewer people are duped by them and they are more easily blocked by anti-spam software.
Unfortunately, deploying anti-cyber-crime technology is not sufficient. You also need to be personally vigilant about what comes unasked to your mailbox, especially spam.
Personal email management
Based on conversations with Graham Cluley of Sophos, here are some top tips to help you further protect yourself from being the victim of a cyber-attack. For more information and updates about the latest attacks, see www.brilliant-email.com.
To protect yourself from attack, do …
- Update your anti-virus and security software daily. Sophos estimates that security researchers identify over 50,000 new sources of malware every day.
- Preferably pick a software solution that automatically updates itself.
- Make sure your anti-virus software scans all incoming email attachments.
- Keep alert and up to date about cyber-crime. Subscribe to at least one of the free email newsletters from the established reliable specialist companies such as Sophos and MessageLabs.
- Keep your main operating and applications software up to date (for example, Windows, Mac OS and Office).
- Review your sent items for emails sent but which you did not send – this is a sure sign that either you have a virus or your computer has been hacked.
- Use a different email address to your main account for subscribing to newsletters, chatrooms, etc.
- Construct a non-obvious email address of at least eight characters (for example, [email protected]).
- Be cautious about using out-of-office messages while away.
- Use your email software junk mail function to blacklist (block) potential spam emails which still creep through.
- Use ‘Rules’ to send potential spam automatically to the ‘deleted’ folder.
- Report persistent spam attacks to either your IT department or email providers.
- If they cannot stem the flow of spam and viruses, change your email name or email service supplier.
- Use proper email marketing software or a service provider (such as Constant Contact) if you do email marketing. This will protect your business email address from being blacklisted. See www.brilliant-email.com for more information.
To protect yourself from attack, don’t …
- Open unsolicited suspicious emails.
- Open/forward emails relating to a current crisis – for example, the death of a well-known celebrity or a natural crisis, such as an earthquake. Cyber-criminals use these events to perpetrate their wares and often send out fake emails, etc.
- Open/forward email alerts about viruses and spam as they are usually fake and the source of a virus/spam. If in doubt, go and check on one of the news sites mentioned below.
- Follow links in emails asking you to verify any form of information – these are usually phishing emails. Financial institutions such as PayPal do not normally send out such requests via email; they would phone. If you do think the email is genuine, don’t follow the links in the email, type in the website address in the address line of your browser.
- Share your personal information online. As social networking increases, so too does the time cyber-criminals spend sniffing around these networks to detect where they can attack. Sophos estimate that 57 per cent of users of social networks have been spammed and 36 per cent have been sent malware via social networking sites.
- Display your email address on websites such as your business website. This makes it easy for cyber-criminals to ‘harvest’ email addresses, which can then be spammed and used to send malware, etc.
- Use easy-to-guess email addresses. Spammers often use tools to automatically generate email addresses such as fred@, fred1@.
- Click on the ‘Unsubscribe’ link in with potential spam, as this just confirms your email address to the spammer.
- Send bulk emails (i.e. to more than 30 people) straight from your personal email software. You will quickly find yourself perceived as a spammer.
Useful sources of further information
Here are some excellent sources of information, emails and newsfeeds to help you keep up to date on cyber-crime:
- www.sophos.com
- www.messagelabs.co.uk
- www.spamhaus.com
- www.moneysavingexpert.com (excellent for sources of free anti-spam and virus software).
To be alerted to current potential cyber-crime attacks, follow Graham Cluley on Twitter.
Cyber-crime is the bugbear of today’s world of e-business. Attacks can be costly. Prevention is better than cure, which means you must invest resources to protect yourself. It is the last step in improving your productivity as a brilliant email user.
- Ensure your email provider uses good anti-spam and anti-virus software and make sure you put protective software on your own PC.
- Be diligent about which emails and attachments you open and links you follow.
- Keep abreast of emerging cyber-crime threats by subscribing to a good newsfeed/email newsletter.
- Update your anti-virus and anti-spam software on your PC daily (preferably choose software which automates this task).
- Ensure all your other application software is up to date.
- When on leave, use the out-of-office (auto-reply) message cautiously.
- See www.brilliant-email.com for more information and updates on the latest threats.