Today I want to talk about five types of text-only emails. Most phishing typically comes disguised as a link, an attachment, or both. Text-only emails are frequently overlooked but can be just as dangerous as other phishing methods.
The first text-only email is the decades-old “Nigerian prince” (1) scam most of you have seen. These emails are not actionable, meaning there’s nothing to click on or download, but instead they fall into the “victim engagements” or “social engineering” category. Their purpose is to catch your attention through curiosity or scare tactics and force you to act or respond.
The next text-only phishing email is the oldest, but still very effective. It’s the “CEO/CFO scam.” The victim receives the email (2) from someone in a position of power. It could be a CEO, CFO or another superior. If the victim responds to the engagement, they receive a follow-up email with a plausible story and a request to wire money or buy gift cards for the fake executive.
The next email (3) is what I call “reconnaissance.” It is designed to confirm email validity. These emails may have nothing in them or will simply say “hi.” The hacker has two purposes for these types of emails: to validate that the email address exists and to possibly receive confidential information (i.e., a manager’s or peer’s name, email, and phone number) about the victim through an out-of-office reply.
Many of you have probably received the next email (4) at least once. It’s called an “extortion” email. These include the promise to compromise your computer and the threat to reveal private information about you if you don’t pay. One technique a hacker may use is to put a password you’ve previously used, and that they recovered from past security breaches, in the email’s subject or body. The password trick is used to convince you they’ve hacked your computer. Don’t fall for the bait. None of these threats are real.
The last one (5) is relatively new, and I call it “fake customer service.” This email will spell out a confirmed high-dollar purchase. You obviously don’t recognize the purchase and are desperately looking for a number to contact someone about it. Conveniently, the email will contain a phone number to call for a resolution. The fraudster on the other end of the line expects your call and will try to do everything possible to extract personal information from you with the intention of committing identity theft or credit card fraud.
Ten out of ten times, these are safe to delete. Remember, the fraudster is waiting for the engagement. So no matter how plausible the message sounds, walk away.
And remember, be safe and always think before you click.
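For mail administrators, the five categories above can be turned into a triage check for messages that link and attachment scanners pass untouched. This is an added example, not part of the original post; the function name, category labels, keyword patterns and sample messages are all constructed assumptions, not a vetted ruleset.

```python
import re
from email import message_from_string, policy

URL = re.compile(r"https?://|www\.", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

def has(pattern, text):
    return re.search(pattern, text, re.I) is not None

def classify_text_only(raw):
    """Return a category for a text-only email, or None when the message
    has a link or attachment and is left to the usual scanners."""
    msg = message_from_string(raw, policy=policy.default)
    if next(msg.iter_attachments(), None) is not None:
        return None
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if URL.search(body):
        return None
    text = f"{msg.get('Subject', '')} {body}"
    # (3) Empty body or a bare greeting: address validation / out-of-office bait.
    if re.fullmatch(r"(hi|hello|hey)?[\s.!,]*", body.strip(), re.I):
        return "reconnaissance"
    # (4) Leaked-password claim combined with a payment demand.
    if has(r"\b(password|webcam|recorded)\b", text) and has(r"\b(bitcoin|btc)\b", text):
        return "extortion"
    # (5) Purchase notice whose only call to action is a phone number.
    if PHONE.search(body) and has(r"\b(purchase|order|invoice|charged|renewal)\b", text):
        return "fake_customer_service"
    # (1) Advance-fee story.
    if has(r"\b(prince|inheritance|beneficiary)\b", text) and has(r"\b(million|funds?)\b", text):
        return "advance_fee"
    # (2) Executive impersonation: opener or the follow-up money request.
    if has(r"\b(gift cards?|wire)\b", text) or has(r"\bare you (available|at your desk)\b", text):
        return "executive_request"
    return "uncategorized"

# Constructed sample messages (not real mail).
SAMPLES = {
    "recon": "From: a@example.test\nSubject: \n\nhi\n",
    "extort": "Subject: hunter2\n\nI know hunter2 is your password. Pay 500 USD in bitcoin.\n",
    "service": "Subject: Order confirmation\n\nYou were charged $899.99. To cancel call +1 (555) 010-0199.\n",
    "prince": "Subject: Urgent\n\nI am a prince and need help moving 12 million in funds.\n",
    "exec": "Subject: Quick request\n\nAre you available? I need gift cards for a client.\n",
    "link": "Subject: Reset\n\nSign in at https://example.test/login\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_text_only(raw))
```

A match is a reason to quarantine or banner the message for review, since keyword rules like these will also catch some legitimate mail.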