Has your Warrnambool business been hacked? Find out, and learn how to protect yourself from scam emails

Posted on 06/12/2018 by Mathew Howlett in General News, News, Scam & Security Alerts

It’s happened to all of us (all of us); 4:30 on a Friday arvo and you get an email from ASIC, Xero, the ATO, Dropbox, or one of the hundreds of other Cloud services we all collectively use every day.

Maybe you think “this looks different to normal”? “Why’s Kelly sending me a file out of the blue?” “I don’t normally get my Xero invoice this way?”… or maybe your mind is already on Friday night drinks and your finger is clicking on autopilot…

Regardless, you click that link, download that attachment or type in your email address and password when you really shouldn’t have… and they’ve got you! If you’re lucky they’re just phishing for accounts to scam others with and you’ll just be the bait responsible for fooling your friends, family and colleagues… if you’re unlucky you’ll get hit with a Cryptolocker Virus and your entire digital life will be held to ransom.

First of all, don’t blame yourself. There are a lot of people who make a living trying to figure out how to fool you into making that one wrong click. Many of their attempts are laughable, but a growing number are very good.

Take it as a learning experience. We all use the Internet in so many ways every day, but in many ways it is still the modern Wild West. There are sheriffs out there fighting the good fight, but the only sure fire way to be protected is to learn to protect yourself.

There are two big ways you can do this:

  1. Click the safe link below to find out if your email address has already been compromised in a data breach (hint: you want to go to “haveibeenpwned.com”)
  2. Learn how to tell which of the links below is safe and which is not

Click me! I’m safe, why would I do you wrong?

No, click me! I’m safe, would I lie to you?

Wondering how to tell them apart?..
Well it will take a little bit of explaining, but read on if you want to find out.

Let’s say you get the following email claiming to be from Xero:

Comparing it to some of the common warning signs for scam emails:

  • Spelling and grammatical errors – spelling and grammar are perfect
  • Incorrect or incomplete branding – it looks how I would expect a Xero email to look, it even reads how I would expect a Xero email to read
  • Overtly alarmist or aggressive language – no, it’s being perfectly polite
  • Generic content with no individually specific details – it is generic, but hey, 3 out of 4 isn’t bad right?

Wrong, I’m afraid. This is a scam email, and a very good one. So, relying on the above points alone, it may slip by you. The problem is the above points are only looking at the parts of an email that can be faked. As such, they are relying on the scam artist to do a bad enough job to make you suspicious. They are great for getting an initial ‘gut feel’ for an email, but they cannot be solely relied on.

The only sure fire way to spot a scam email is to look at the parts which cannot be faked:

  • The email address the email is sent from
  • The addresses its links try to send you to

Now the “why” to these points is some top tier technical mumbo jumbo which I won’t go into. So let’s just say that thanks to the way the Internet works “xero.com” is an address which Xero owns and only Xero can use in both website and email addresses.

There may be some stuff before it:
https://login.xero.com
partnerteam@sendau.xero.com

And, with websites, there can often be a whole lot of stuff after it:
https://login.xero.com/?wa=wsignin1.0&wtrealm=https%3a%2f%2fgo.xero.com&wQtx=rm%3d0%26id%3dpassive%26ru%3d%252fOrgsdnisqtioknLopia%252fDefault.aspx%253fshPrtCode%253d!v30hS%2536redidecpQrl%253d&wct=2019-16-776T06%3a27%3a37Z

But “xero.com” will always appear, unchanged, in there if it is an email from a legitimate Xero address or a link to a legitimate Xero website.

So, with that in mind, let’s look at that example again with the addressing information included:

The email address’s display name, “The Xero Team”, looks legitimate, but this can be changed to anything by anyone in almost any email program (seriously, it’s really easy. You could change your emails so they send as “Daffy Duck” right now! Here are instructions detailing how in Gmail, Outlook and Apple Mail)… As such, you cannot assume this display name is correct; instead we need to look at the email address itself.

This particular scam email was sent from… *drumroll*… support@em3994.sponsorsleeper.org… What!.. What?.. They didn’t even try to make that sound right! There’s no mention of Xero in there at all!

Now why is that? They put so much effort into making the rest of the email look convincing, then they send it from an obviously incorrect email address like support@em3994.sponsorsleeper.org??… It’s because they can’t! BOOM! We’ve found their Achilles heel!

They thought they were so smart, but we have checkmated them by digging just that little bit deeper! Report it as spam, delete it and give yourself a big pat on the back for a scam well spotted!
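The same check written out as code, as an added example that is not part of the original post: it ignores the display name, pulls the host out of a sender address or link, and accepts it only if it is “xero.com” itself or ends in “.xero.com”. The addresses from the article are used as-is; the lookalike links on example.org and notxero.com are constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "xero.com"  # the domain the article uses as its example


def host_is_under(host, domain=TRUSTED):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # The leading dot matters: "notxero.com" ends with "xero.com" too.
    return host == domain or host.endswith("." + domain)


def link_is_trusted(url, domain=TRUSTED):
    # hostname excludes the path and query string, so "xero.com"
    # appearing in "all the stuff after it" cannot satisfy the check.
    return host_is_under(urlsplit(url).hostname, domain)


def sender_is_trusted(from_header, domain=TRUSTED):
    # parseaddr splits the free-text display name from the real address.
    _display_name, address = parseaddr(from_header)
    return host_is_under(address.rpartition("@")[2], domain)


SENDERS = [
    "partnerteam@sendau.xero.com",                        # from the article
    "The Xero Team <support@em3994.sponsorsleeper.org>",  # the scam email
]
LINKS = [
    "https://login.xero.com/?wa=wsignin1.0",  # from the article (shortened)
    "https://xero.com.example.org/login",     # constructed lookalike
    "https://example.org/xero.com/login",     # constructed lookalike
    "https://notxero.com/",                   # constructed lookalike
]


def report():
    """Return (value, trusted?) pairs for every sample above."""
    rows = [(s, sender_is_trusted(s)) for s in SENDERS]
    rows += [(u, link_is_trusted(u)) for u in LINKS]
    return rows


if __name__ == "__main__":
    for value, ok in report():
        print("OK  " if ok else "SCAM", value)
```

The constructed links all contain the text “xero.com”, which is why the comparison is made against the end of the host name and not against the whole address. The sender check reads only what the address says; whether the mail really came from that domain is verified separately by the mail provider (SPF, DKIM and DMARC).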

“But wait” I hear you say, “I don’t see that ‘support@em3994.sponsorsleeper.org’ address on my device; I only see the ‘The Xero Team’ display name”. Great point! Many email apps display the address next to the display name as pictured above. But a growing number, particularly those on smartphones and tablets, hide the ugly email address altogether.

You will always be able to find it, but you’ll need to read up on how for your device and app:

Similarly, many email apps and web browsers will display the address a link is sending you if you hover your mouse cursor over it or press your finger down on the link for a couple of seconds. But, again, in a growing number of cases you will have to follow a method particular to your email app and device:

I’ve listed the most common combinations above, but there are too many combinations for me to list them all. Luckily there is no shortage of helpful Geeks out there who love to explain things! If your device and app combination isn’t listed above a quick Google Search should find some instructions quick smart. A search along these lines should suffice:

  • “see sender’s email address in [app] for [device]”
  • “see link destination address in [app] for [device]”

You’ve found instructions for your app and device? Great!
Test out your new scam detecting superpowers by identifying which of the two test links above lead to “https://haveibeenpwned.com/”.

Once you’re there you can check if your email address has been compromised in a data breach and get more useful tips for protecting yourself online.

Don’t worry if you make the wrong choice, but don’t give up on learning how to make the right one. If there’s anything worth taking the time to learn it’s how to protect yourself online.