Never trust your email (or anything on Internet)
Posted by Yuri Arabadji on 01 October 2019 03:41 PM
In modern times, the rule of thumb when dealing with email messages is: DON'T CLICK on any links. Yeah, correct, don't click inside, on and around fancy looking HTML CSS-sprinkled emails, don't click on links inside plain text messages. Don't trust anyone unless you're entirely sure the other party was properly verified and identified.
You might think that email from a colleague requesting you to send a money transfer or asking to follow the link to reset the password, or asking for financially sensitive information is quite legitimate mainly because the colleague's address is in your contacts and has a badge and avatar, and all that, but you might've just gotten into a scam trap. Does your (the sender's, rather) company implement SPF? Does SPF evaluation qualifier return FAIL, or is that just a softfail, or maybe even neutral? Not good. It should fail for bad senders. Even assuming the message passes SPF validation, and possibly the DKIM signature is correct, it might've still been sent by someone who simply got access to account credentials. This is where PGP or S/MIME steps in. Use message signing whenever possible, but be sure to use externally connected hardware token, don't just rely on mail client or operating system software performing encryption/signing for you.
Got a random message stating your account was compromised, something was locked, someone was locked out, access denied, webmail stopped, Arctic melting, stonks falling, your files or data leaked? It's a scam for sure. Instead of clicking random links in random messages, you might want to type in the company address manually, then proceed to the desired site section of that company.
Really itchy to follow random links in random messages? We've got an advice -- right click (long touch) on link, copy link then paste that link into an incognito browser window. That way you will leak only your email address, your browser and OS/device version and your IP. And you haven't even clicked on any links or filled in any forms on that site yet. Any subsequent action on that site will result in collection of additional data from you. At this point we recommend that you stop interacting with the site unless you've verified the authenticity of it.
Here's an example of such "itchy" email, which is entirely legitimate, but at the same time is hilariously incompetent, sneaky and sleazy: "Important Notice Regarding Your Domain Name(s)" sent by ENOM (aka our upstream domain provider) with From field email@example.com and HTML-only message body with a request to check the accuracy of your domain contact records. It contains links that take you to a page on their site that displays contact info for your domains and a link at the bottom to "Update your contact information at Fused Network" linking to our (fused.com) site. The sender (name-services) didn't define strong SPF (it's neutral at the time of writing), didn't sign the message with DKIM and didn't publish a DMARC record. It's an ideal combination for scamming the hell out of you. On the bright side, the email includes your full name and lists the domain names you own, which would've been a good indicator of legitimacy unless all that data hasn't already been available publicly via historical whois records and via various data leaks.
And speaking of data leaks, you should really check if you've been subjected to a publicly disclosed data leak at haveibeenpwned.com. Don't rejoice too early if you haven't been, as you could've been present in private leaks that are yet to see the sunlight of public disclosure announcement (or, instead, the hands of shady crooks who would pay for owning it).
Stay alert and stay safe.