Recently, Mom called me regarding a suspicious-looking email from Citibank. The email said her password had expired and needed to be reset. All she had to do was click the link to change her password.
Mom: “I received this email but don’t have an account at Citibank.”
Dutiful Son: “Delete the email. It’s spam.”
Mom: “Why do the hackers think I have a Citibank account?”
Dutiful Son: “They don’t know, but based on their history, a large percentage of receivers of this email will not pay attention and click the link anyway.”
Mom: “It’s cold; are you wearing a sweater?”
A survey from a security awareness training firm found that four in ten recipients of an “urgent” message to check a password immediately responded by clicking the link in the email, even when the recipient had no online account with that company or financial institution. Security-related messages and giveaways of free gifts yield the most clicks from unsuspecting users. It is more important than ever for those of us who depend on email as a primary form of communication to look for red flags before clicking on links. Some things to think about include the following:
- Check the spelling of the email address, especially after the “@” sign. What looks like “Walmart” at first glance may actually be spelled “Wallmart,” which could lead the recipient to a phony website. Just because the email includes a real corporate logo doesn’t mean it’s legitimate.
- Check the spelling and grammar in the body of the email. English is a difficult language, and cyber bad guys who have no prior exposure to our language will routinely misspell difficult words or use poor grammar.
- Review the subject line. We’ve seen many variations of this including “Correct address needed for your package delivery,” “Your digital receipt is ready,” “Your account has been locked,” “Please complete the required steps,” “Billing Problem,” and “Approaching storage limit.”
- Government agencies will never utilize email. Scare tactics appearing to be from the IRS or U.S. Department of Justice should be deleted immediately.
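The first check above, looking hard at what comes after the “@” sign, can be automated. The following is an added example, not code from the original column: it takes a From: header, ignores the display name, and flags sender domains that are one or two letters off from a brand the reader actually deals with (“wallmart.com” for “walmart.com”) or that merely bury the brand inside someone else’s domain. The trusted-domain list and the “last two labels” rule are assumptions made for the example.

```python
from email.utils import parseaddr

# Constructed list of domains the reader actually does business with (assumption).
TRUSTED_DOMAINS = {"walmart.com", "citibank.com", "citi.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Return the part after the '@' of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def registrable(domain: str) -> str:
    """Naive 'last two labels' rule (assumption; real code uses the public suffix list)."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Label a From: header as trusted, lookalike, unknown or malformed."""
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        # "citibank.com.verify.example": the brand is only a subdomain of someone else's domain.
        if t in domain:
            return "lookalike"
        # "wallmart.com" vs "walmart.com": one extra letter.
        if edit_distance(reg, t) <= 2:
            return "lookalike"
    return "unknown"
```

An “unknown” result is not a clean bill of health; it only means the sender is neither a brand you use nor an obvious imitation of one, which is exactly the Citibank case above.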
If the email appears to be legitimate, there are still some steps that protect the user just in case. Look up the company’s or person’s website or phone number yourself, and use that contact information, not the number in the email or text, to tell them about the message received. If a user receives a spam email from a company they are doing business with, log onto the website directly and change the password there, without clicking the link in the email. Ensure the computer, laptop, and cell phone are using an up-to-date browser, which can be set to update automatically.
Victims of a scam should change all online passwords and make sure different ones are used so that the cybercriminals cannot access multiple accounts. Many people use an online password manager to administer the online sites, but I utilize the old-fashioned paper in a locked cabinet which works just as well.
Email has become an efficient way to communicate small amounts of information from the critical to the trivial. Unfortunately, bad people are using it to steal money from good people. Keep your money and enjoy it. Yes, Mom, I’m wearing a sweater.