June 24, 2011

Let's Talk Email

The other day I was blogging about LulzSec and I mentioned a few things you need to look for before you click that link. But I need to add to what I was saying in that post. 

Do you pay your bills online?  Shop online?  Bank online?  If so, you have an entire category of emails hitting your inbox that you should never click on. 

Basically - all of them. 

Ha - bet you didn't think I was going to say that, did you?

All of the sites you visit regularly, especially those involving money, should be bookmarked.  

Every. Single. One. 

When you get an email telling you your credit card bill is due... DO NOT click the link in the email. Is there a sale?  DO NOT click the link. Special offer from your bank? DO NOT click the link.   Got it?

Sure it's easy, it's right there, what could possibly be wrong? Why go to the extra trouble of finding a bookmark and using that instead of the convenience of saving 10 seconds and clicking the email link?

Database breaches. That's why. 

It wasn't too long ago that Epsilon, an email marketing company, had their databases compromised.  Data stolen.  The bad guys got enough information to create very credible emails.  Emails that would look exactly like an email you would normally receive from the companies involved.  They would be able to call you by name and it would appear to be legitimate.  

So if your email was clockwatcher @ mymail.com and your name was Susan Johnson, you would receive an email addressed to you - Susan. Not to "Dear Customer" or "Dear Clockwatcher".

One scenario is this: You click the link, it takes you to a fake login page that looks exactly like the page you are expecting. You've been here before and you know what it looks like. You try to log in. You hit enter, the page goes away, but comes right back to the login page.  You think "oh great what's wrong now?"  You try to log in again, this time it works.  You think it's a glitch in the system. These things happen.  

In fact, what has happened is that the first page harvested your username and password, then redirected you to the real page so you don't even realize you've been had. They now have time to use the information as they want. This is but one method of grabbing your data - there are others.

It's called Spear Phishing.  They are going after particular people with targeted emails rather than anyone they can get. 

You may think, well, none of the Epsilon companies are those I shop at.  Okay, but what about the data breaches that have not been discovered yet? Oh you can be sure they are out there. What about the data breaches that may not be discovered?  How much extra time do you have to get extra charges off your bill, get your money back in the bank, get your identity back?  

It's worth a little extra hassle to either type the URL in by hand (most browsers will even autocomplete it before you get too far) or click a bookmark. If it's a sale, you can then find the sale page and/or enter the promo code from the email. If it's a bill, you can then pay it. And you will know you're in the right place.

If the company has made it impossible for you to get to the right page on their site without clicking through their email, you need to loudly complain that they are putting you at risk and you want them to stop or you'll take your business elsewhere. 

It's a simple thing to do. Very simple. It may save you major pain.  Consider this some friendly strong arming... don't click that link! 

Posted by: Teresa in WebTech at 10:56 PM

1  Okay, we're convinced.

Thank you.

Posted by: Rev. Paul at June 24, 2011 11:24 PM (y+0ce)

2 Wow - good to know. I always go to the bookmarked website, but hadn't heard of this method of data theft. Thanks.

Posted by: Julie at June 24, 2011 11:37 PM (FZVGP)

3 This is such great advice, T!

Posted by: Joey at June 25, 2011 10:42 AM (3c2YW)

4 Thank you! 

Posted by: pam at June 25, 2011 12:37 PM (i3Kno)

5 I knew and I always use the bookmarks no matter what, but it's a good reminder.

Posted by: sheri at June 26, 2011 01:10 PM (Dlmrk)

6 I don't even bookmark them; I type in the full URL every time.  Either I'm really old-school or slightly paranoid.

Posted by: CGHill at June 26, 2011 06:04 PM (kxoUB)

7 You're all welcome.   
Charles, I use 1Password - it has the URL I need to use to log in to each of my places.  I click it, it takes me there and logs me in.  No other keystrokes.  I can just type in the URL too, but this is easier for me to do.  As for bookmarks, well, any system can be compromised, it's just a matter of how paranoid one wants to be. For that matter DNS cache poisoning would absolutely defeat typed-in URLs... but we won't go there.

Posted by: Teresa at June 26, 2011 09:04 PM (xE2iU)

8 Yeah, I feel about clicking email links pretty much the same way I feel about giving out my credit card number on the phone to someone who called me instead of me calling them.

Posted by: Harvey at June 28, 2011 09:57 PM (pTueD)
