I wanted to discuss a topic that everyone deals with at some point – email.
Specifically, how do I figure out if an email is valid? Have I really won millions of dollars from a lottery in another country? Does the president of my company really need me to send a purchase order for thousands of dollars right now? Does a foreign diplomat really need my help transferring millions of dollars into my country? Emails that use these approaches seem outlandish and easy to spot as fake, but a surprising number of people fall for these tactics every day.
Fake emails, also known as spam (but this is actually a different kind of email, with a different goal), phishing, spear-phishing, social engineering and other colorful names are sent by the millions every day to people all over the world. Many are far more subtle than the ones listed above. How do you tell what is real and what is fake?
There are all kinds of red flags that I can talk about, and methods of determining the validity of emails have been floated by information security bloggers and writers for years, but I offer this method as a quick reality check. I call it the KINDLY method. It is geared mostly to English speaking recipients, as much of the logic used is based on American spelling, speaking, and writing constructs, but it can be used by non-English speakers as well. Here it is:
K – If the word “kindly” is used in the asking portion of the email, as in “to secure your account, kindly log in with your username and password”, this is the first red flag. No English speaking person routinely uses “kindly” in this fashion in either writing or speech. This same idea holds true for other words and phrases that seem idiosyncratic and out of place, regardless of the language used.
I – Incorrect grammar and spelling. If the email contains poor grammar or incorrect spelling, especially if it purports to be “official correspondence”, it is most likely spam. This is, believe it or not, intentional, and intended to weed out the security aware from the suckers. Regardless of this, it is a major red flag.
N – No association. If an email comes from a company you do not do business with, such as a bank at which you have no account, it is most likely either general spam or an attempt to steal your credentials. If you haven’t ordered a package, don’t click on the link in an email claiming it is from UPS and has your shipping information attached. More than likely, that attachment is full of malware that will install onto your computer and cause mayhem.
D – Desperate timing. Evil emailers all want to create a sense of urgency. If they can rush you into a decision to click on a link or open an attachment, they have succeeded. Our logic breaks down sometimes when presented with urgent, time sensitive issues, even if those issues are fake. If the email states the matter is urgent, or payments are due today, or they have tried multiple times to reach you, more than likely the email is fake.
L – Links/Lottery. The letter L pulls double duty in this process.
- First, it stands for links. If an email has a link in it, you can almost always hover over the link (don’t click!) and see where it goes. If the email claims to be from Amazon but the link goes somewhere other than “amazon.com”, for example “amaz0n.com.ru”, that is a red flag. That domain is one I just made up, but it has some characteristics that should be pointed out. See how the “o” in the domain is actually a zero? Also, see that the domain seems to contain “amazon.com”, but doesn’t end at “.com”; it actually ends in “.ru”. Spammers, malware spreaders, and phishers all use tactics like this to make links appear to be valid at first glance.
- Second, L stands for lottery. The plain fact of the matter is that NO ONE wins a lottery they never entered and you generally can’t be randomly entered into a lottery. Those millions of dollars you (supposedly) won in some lottery in another country are not real, I guarantee it.
Y – Yelling. Common Internet standards suggest that using all capital letters in an email, text, or post of any kind constitutes yelling. If you receive an email that uses all capital letters, especially when referencing large sums of money that you either won, or are available to you, you can rest assured it is fake.
So that’s it. The KINDLY method of appraising the validity of an email.