Thursday, May 22, 2014

Netiquette - Spoofing - How it Happens - Via Netiquette IQ

Many of us have received cryptic messages that appear to come from people we know or recognize but were not written by them. This is known as "spoofing". Many people do not understand what it is or how to avoid it. The article below puts it in good perspective.

From Lifehacker 5/2014  – by Alan Henry

Most of us know spam when we see it, but seeing a strange email from a friend—or worse, from ourselves—in our inbox is pretty disconcerting. If you've seen an email that looks like it's from a friend, it doesn't mean they've been hacked. Spammers spoof those addresses all the time, and it's not hard to do. Here's how they do it, and how you can protect yourself.

Spammers have been spoofing email addresses for a long time. Years ago, they used to get contact lists from malware-infected PCs. Today's data thieves choose their targets carefully, and phish them with messages that look like they came from friends, trustworthy sources, or even their own account.

It turns out that spoofing real email addresses is surprisingly easy, and part of why phishing is such a problem. Systems Engineer, aspiring CISSP, and Lifehacker reader Matthew tipped us off to how it works, but also took us by surprise by emailing a few of us at Lifehacker from other Lifehacker writers' email addresses. Despite the fact that we knew it was possible—we’ve all gotten spam before—it was more disconcerting to actually be tricked by it. So, we talked to him about how he did it and what people can do to protect themselves.

Note: What follows is a rather technical write up, designed for more computer-savvy individuals. If you want a more basic rundown on avoiding spam and scams, we've got one of those too.

Our readers are a savvy bunch who aren't likely to be taken in by an online scam—but we've all got those friends and relatives we worry about. Here's our definitive guide to helping them stay safe online.

When training your loved ones how to keep themselves safe online, you should remind them of the rule your parents probably taught you: If it sounds too good to be true, it probably is. Using a little common sense goes a long way to realizing that you aren't going to suddenly win the Spanish National Lottery when you didn't even know you had a ticket. That said, here are a few tips that you should share with your less-than-savvy friends and family to help them avoid falling victim to an online scam.

Never, Ever Click a Link to Your Bank or Financial Institution From an Email

Legitimate banks or financial institutions like PayPal will never email you asking you to click a link to verify your information, reset your password, or log in to view anything. You should simply create a browser bookmark to your bank, and when you receive an email, use the bookmark or type in the bank name manually into the address bar.

Combined with training your parents to look for the special lock icon in the address bar, this should prevent them from giving away their bank login.

Never Give Out Your Email Password

It's become a trend in "web 2.0" sites to ask people to invite your friends to join by entering your email address and password into their web site—but this is something you should always avoid. Not only will you most likely end up spamming all of your friends with invite requests, but some sites will keep that information and continue to spam your friends forever. Of course, that is secondary to the fact that all your password reset requests will go to your email address—so if the wrong people get your password, they can access your entire online life. You should simply never give that information out to anybody for any reason.

Use Strong Passwords (and Secret Questions)

If your password is as simple as your spouse's name, it won't even matter if you give your email password out, since it can be guessed easily by scammers or hackers trying to get in. You'll want to make sure to read our guide on how to choose and remember a strong password—but your security lesson doesn't stop there. The weak link in your email security is those secret questions and answers that most sites ask you to enter to help you reset your password. Even if your password is tough, often your secret question isn't—so you should make sure to protect your email account with strong secret questions.

Do Not Buy Anything from an Email You Didn't Ask For

The easiest way scammers get you is by dumping spam in your inbox for everything from cheap watches to fake male-enhancement products—which is not only going to be bogus but probably redundant. The easiest and simplest rule is to never buy anything from an email. Sure, you could probably make an exception for email newsletters from sites you trust, like Amazon, but remember—it's relatively easy for scammers to pretend they're Amazon, just like it's easy for them to pretend they're your bank. Just make sure that you aren't buying, or even clicking on, anything from an unsolicited email. (You can always go straight to Amazon and search for the product they're advertising.)

If you're out of work or just looking for a way to make some extra cash on the side, you should be very careful about the jobs posted on online sites like Craigslist, because there are scammers lurking there as well. It's not that Craigslist isn't a great place to look for jobs, but you have to be careful. Those jobs that say you can "Make $25+ / hour working from home!" or "Mystery Shopper Needed!" and promise tons of money for almost no work—yeah, they are completely fake.

The biggest thing to avoid is anything involving Western Union, MoneyGram, wire transfers, money orders, or dealings with any financial transaction. The scammers will ask you to deposit a check or money order and wire transfer the money back to them—and it's not until later that you find out it was a forgery. I personally know somebody who was scammed out of $12,000 this way.

Do Not Give Out Your Personal Info or Social Security Number

This should go without saying, but no legitimate site is going to ask you to enter your Social Security number unless you are applying for credit. You should be very careful not to divulge your personal information to anybody online. The same thing goes for sites that ask you to re-enter your personal information, even though in some cases, like your bank, they should already have that information.

Learn to Use a Modern Browser's Security Features

The latest versions of Firefox and Internet Explorer have enhanced support for checking certificates from trusted web sites—you can click on the lock icon to see all the information about the certificate.

In addition, the latest browser versions maintain a list of phishing and malware sites, and will warn you any time you try and access a known bad site. Internet Explorer makes checking the URL even easier by highlighting the root domain name so you can more easily detect a new phishing site.

Ignore Web Site Popups Saying You Have a Virus

Last Friday half of my day was wasted removing a malware called Advanced Virus Remover from somebody's PC because they clicked an ad that said they had a virus, and then installed the "recommended" software, which proceeded to hold their computer hostage. These "scareware" viruses are becoming commonplace, and there are so many different names that it's impossible to keep track of all of them.

The simple solution is to pick a single antivirus app for your loved ones and train them to know exactly which one they have installed. My mom's PC came pre-installed with Norton Antivirus, and I've trained her to ignore any other messages unless they come from Norton—and that if she isn't sure, she should click the X in the upper right-hand corner of the screen, or even just turn the PC off entirely and restart it. It's not a perfect solution, and I'd rather have her using Microsoft Security Essentials, but she's used to it now and it's a whole lot better than spending a day removing a scareware virus from her computer.

In addition to this blog, I have authored the premier book on Netiquette, "Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". You can view my profile, reviews of the book and content excerpts at:

If you would like to listen to experts in all aspects of Netiquette and communication, try my radio show on BlogtalkRadio and an online newsletter via have established Netiquette discussion groups with LinkedIn and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ, Rider University and PSG of Mercer County, NJ.