Guardian Papers 7: Email

July 22, 2024

You sit down at the breakfast table with your coffee. As the yawns squeeze out of you and you wipe the sleep from your eyes, you pull out your phone to catch up on your emails. 

Just routine stuff… spam, spam, free offer, Amazon invoice – wait, what’s this? Your cuteandreallycuddlyfluffypuppies.com account has been compromised and needs your immediate attention! 😱 You click the link to reset your password, glad you caught this email before it was too late.

You follow the prompts on the next screen and fill out your new password… little do you know, your cuteandreallycuddlyfluffypuppies.com account has been compromised. By you. Right now. That was a fake link from a fake address, and they got exactly what they wanted out of you!

Sound familiar? This is one of the most common tales of how scammers find their way past someone’s defenses. As digital security continues to improve, there is still one glaring vulnerability in even the best system – the human behind it!

Welcome back to The Guardian Papers, where digital heroes can get the base training they need to thwart villains’ underhanded attacks against them across the web3 world.

Email is often where scammers have a chance at getting directly to you. One miscalculation or momentary lapse of attention to detail could cause you a lot of hassle, so you’ve got to know how to keep yourself safe.

Email: Your Security’s Back Door

First off, we definitely don’t want to imply that email is inherently insecure – many email providers have excellent security protocols put in place, and there are tons of tools out there for anyone who wants to beef up the actual protections in their email. The problem with email security is the person behind the keyboard… and it’s a vulnerability that isn’t going away.

Your email is a direct line to you. No matter your security infrastructure, if you’re getting a scammer’s email in front of you, you’re probably going to read the words they wrote. This direct access is the dream of all those fake Discord admins and help desks. They want that direct line so they can exploit your trust… because your security systems work for you. If they convince you, your security isn’t an issue.

For most people, email is the height of routine. When you are checking emails, you’re performing the same ritual you’ve done thousands of times. You may have many email accounts, only adding to the volume and frequency of your email checking ritual. When you do something day in and day out, over and over, you eventually become less attentive to the process overall.

As something becomes part of your routine, you eventually sort of automate it in your mind. How many things do you automatically do throughout the day without any real conscious thought? It’s the same for email. While the part of your brain that reads and parses the information in the emails may be present, other parts of your mind have moved on to other tasks.

This leads to some easy wins for scammers that would never work on you while at full attention.

How Did They Find Me!?

Honestly, how wouldn’t they find you? It’s important to remember that our data is everywhere, and we don’t typically consider email addresses private data. If it’s ever been out there, it’s probably still out there.

Let’s say Billy has a private, personal email address that he typically only shares with family and close friends, then he has another that he uses for work. Billy’s dad is fond of forwarding emails on occasion, and so drops a long chain email forward into Billy’s inbox once in a while. Billy’s friend Sally CCs him into a monthly newsletter that she sends out for their Karaoke Club. One day, Billy starts seeing large amounts of spam coming into his personal email account! 😨

What happened? Well, you see, Tyrone from Karaoke Club was trying to get his friend Trevor to come to last month’s championship, so he forwarded him the newsletter. Trevor’s email account was compromised, and the inbox contained Tyrone’s address, along with the CC’d address of every other member of Karaoke Club. Welcome to a list, Billy.

Let’s be honest though, it’s probably not the first time Billy has gotten scam emails at that address. He used to have it visible in his Facebook about section for years, and it’s still listed on an ancient and forgotten DeviantArt portfolio along with his real name. Also, he’s had this account for a long time and emailed lots of people. Each of those is a chain that connects to his email address. If any one link is discovered by the bad guys, the whole chain is in the open.

After that, they can do a surprising amount to learn your behaviors. With a full-featured email service, they can theoretically tell exactly when you open the email, your operating system, your geolocation… all sorts of stuff that isn’t exactly secret, but gives you the shivers that they could know. Once they have this, it’s not hard to generalize demographics and predict who would be receptive to which scams.

Wolves Dressed as Sheep

Many of the ways people will attack you through your email fall right in line with our previous discussion about The Impersonator. In your email, they know they have you in a format where you’re likely to overlook small details. If they know they can get past your spam filter, then they know there’s a good chance that you’ll at least click on their email.

They’ll try to mimic emails that you are likely to be receiving. There are lots of ways they could get an idea about what email lists you may be on, and not all of them are data breaches. A tracker in your browser could be feeding info about your behavior without doing anything nefarious enough to be flagged as malware by your safeguards.

Remember, legitimate businesses and individuals assign cookies and trackers all the time without any ill intent. We all click “Accept All Cookies” once in a while. Even if there’s just a .01% chance that any of those you click on has something harmful coming across, it’s just a matter of time.

Also consider that people are quite predictable with a large enough sample size. For every well-timed scam email you’ve ever received that seemed like they must be actually watching you, you’ve probably received two dozen weird ones that seemed to come out of left field. It’s just a numbers game. They’ll get it right sometimes.

If they’ve identified your email and the most likely services and addresses that can trick you, it’s only a matter of seeing what they can slide by. 

In the case of the example above, the fake may seem obvious. After all, we’re here stretching our brains and thinking about scammers, but when someone comes across this email they may be distracted or in a hurry. Then, they could feel panicked that their MetaMask wallet has been compromised.

Notice that they color the email to draw the eyes directly to what they want you to see: the large notice at the top, and the button to “update now”. While we didn’t click that link, a quick mouseover revealed the target to be a proxy site, with a slug pointing to a long string of characters for a dApp command. This link almost surely goes to a fake service site where you will be immediately asked to connect your wallet.

Oh, and also – “MҽtaMask”? That’s not an E. That’s an Abkhazian Che, a Cyrillic character that is entirely different from the Latin “e”. If you’re not paying close attention, though… it may be enough to keep them from getting flagged for impersonation, while your eyes simply autocorrect it to “MetaMask”.

Also, check out that XM over there. That’s called a BIMI, or Brand Indicator for Message Identification. These are verified trademark spaces, so a brand can submit a BIMI that won’t be copied anywhere else. This is a relatively new system that only works with some email providers, so you may notice a difference between impersonators and the emails they’re impersonating based on their mark. This isn’t always the case, though, as some brands have not yet adopted BIMI… our emails here at Gala, for instance, do not ever use a BIMI.

That verification check mark doesn’t mean anything; it’s just part of the display name, like we saw with fake help admins in our imposter profile.

The dead giveaway is the return email though. Even half redacted, it should be pretty easy to tell that’s not from MetaMask. Why would MetaMask not send emails from their domain that users know and trust?
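The two tells above, a look-alike character in the display name and a return address that is not on the brand’s own domain, can both be checked mechanically. This is an added example, not code from Gala or from any email provider; the sample From: headers, the brand allow-list and the two-label domain rule are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample From: headers (not from the original post).
SAMPLE_HEADERS = [
    "MetaMask <support@metamask.io>",
    "M\u04bdtaMask <security-alert@mail-proxy.example>",  # \u04bd is Cyrillic ҽ, not Latin e
    "\u2713 MetaMask Support <no-reply@metamask.io.example>",  # the check mark is just text
]

# Hypothetical allow-list: domains the brand is known to send from.
TRUSTED_DOMAINS = {"metamask": {"metamask.io"}}


def suspicious_letters(text):
    """Letters outside the Latin script, paired with their Unicode names."""
    found = []
    for ch in text:
        name = unicodedata.name(ch, "UNKNOWN")
        if ch.isalpha() and not name.startswith("LATIN"):
            found.append((ch, name))
    return found


def sender_domain(address):
    """Last two labels of the address host (simplification: ignores co.uk-style suffixes)."""
    host = address.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def check_from_header(header, brand):
    """Gather the tells the post describes for a single From: header."""
    display_name, address = parseaddr(header)
    return {
        "display_name": display_name,
        "address": address,
        "homoglyphs": suspicious_letters(display_name),
        "claims_brand": brand in display_name.casefold(),
        "domain_trusted": sender_domain(address) in TRUSTED_DOMAINS.get(brand, set()),
    }


def verdict(header, brand):
    """'ok' only when the name is plain Latin text and the domain is on the allow-list."""
    result = check_from_header(header, brand)
    if result["homoglyphs"]:
        return "suspicious: look-alike characters in display name"
    if result["claims_brand"] and not result["domain_trusted"]:
        return "suspicious: brand name on an untrusted domain"
    return "ok"
```

Run `verdict(h, "metamask")` over `SAMPLE_HEADERS`: the first is ok, the second is caught by the Cyrillic ҽ, and the third by the off-brand domain even though the display name looks right.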

Straight to the Source

The important part here is that your email usually has your attention. If they can slide into your inbox, half their work is done. If they send out 10,000 emails, what do you suppose the chances are that no one is careless enough to click without thinking?

That’s the end goal for these scammers. They know that most people in the digital world are protected in some way from bad actors, but they also know that you hold the keys to your security mechanisms. The best defenses in the world don’t mean much if you willingly click through to their site and give them your information.

This is why The Guardian Papers are here. These scammers know that there is always someone to prey on because people aren’t informed. If we all know what to look for, the fruit they’re looking for gets waaaaay higher in the tree. Maybe they’ll just go find another tree to climb.

Digital Guardians

No one is going to ensure your security on the web. You have to take matters into your own hands and change behaviors if you want to be safe. While it may seem overwhelming to think of all the ways the bad guys can get to you, it’s really not that hard. If you learn the ways that they come at you, it’ll soon be easy to spot the attackers long before they breach your walls.

We learn. We teach. If everyone is equipped to deal with them, digital villains don’t stand a chance.

That’ll do it for this week’s Guardian Papers! We’ll be back though as we dive into common ways people use Discord and other messaging apps to prey on the unaware!

Stay safe all you Guardians and Galaxians!