>I continue to be amazed not by the quantity of spam but by the social engineering aspects and how well it seems to work. And how we tend to treat those people.
In my full-time job, part of my responsibilities are providing desktop support (we are a small shop so we all have a lot of roles). In that role, I’ve seen how well some of these spam and nasty emails seem to work. For example:
- We’ve seen a lot of “fake” retail invoices going out. I’ve had people click on the links contained in those emails which take advantage of some IE holes and install some nasty software. I’m personally surprised that the emails work even though there are issues with the email that make me spot it as a fake almost instantly.
- We’ve had a few emails arrive talking about us being in violation of copyright. The email is “sent” from a real law firm. But again, the content of the email make me believe it is a fake almost instantly. This email, in fact, has been a big enough problem that the law firm had to put a message on it’s website letting people know that they did not send the copyright violation email.
These instances got me thinking. How am I able to spot these fakes but many other people can’t? Granted I am a much more sophisticated computer user than most. But why when I see the issues I think it is fake and many other people don’t draw the same conclusion.
For example, many of these emails were sent to an email address that didn’t match the name in the message. For example, Jane Public would receive an email that was addressed to John Smith. To me, this mismatch says to me “fake”. But John Smith sees this and sends it to Jane Public because he is worried her order has a problem and she won’t know about it otherwise.
So, why do these types of emails work? And what can we do to make them not work as well?
We’ve all given the “be suspicious of emails” talk. Everybody has heard not to click on links in emails you don’t recognize. So the spammers get around this by sending emails from places people do recognize. When the email is from a place people do business with, many people will overlook minor issues and believe the email is legitimate.
How can we change the tools to help people identify a legitimate email from Amazon versus the fake? The spam filters don’t catch them, at least not right away. The mail programs display the email as legitimate. The email looks legitimate. But it’s not. And the tools do nothing to help people identify these as fake.
We in IT don’t help the situation when we blame the user for clicking on these links. We act like the people that click on these links don’t listen or don’t understand when we tell them how diligent they need to be. If this problem was caused by another person instead of an email, we’d call the person who fell for the plea too trusting or gullible. So why do we deride these people for believing an email that looks legitimate?