September - October 2017

Written by Mark Evilsizor
From his column Church Tech

Recently I learned about an uncommon genetic condition called Williams syndrome. A distinguishing characteristic of this disorder is that a person may be too trusting. One story told of a 9-year-old asking a complete stranger if she could go home with them. The article said sufferers of the syndrome “are literally pathologically trusting.” This reminded me of the way in which many of us conduct our digital lives.

We may live in neighborhoods with signs on our doors that say “No Soliciting.” And if some thoughtless soul deigns to ignore the warnings and rings our doorbell (always during supper), we will likely allow the intrusion to go unanswered. Occasionally, we may even peek through the door with a glare and declare, “No, thank you.” But thousands of solicitors beat paths to our electronic doors daily and some people not only open the door, they shake hands and invite them in by clicking on an email link. We trust too much.

Beware the Phishers

Most of the emails we receive are merely time wasters and cause no harm. But routinely I get an email with one solitary purpose—to do me harm. This is called phishing. The most common intent of phishing is to install software on a computer that allows the sender to control it. Once this is accomplished, the culprit may monitor our use of the Internet to obtain personal information, such as account names and passwords.

Selecting a bogus link might also make your personal computer part of a botnet. This is a massive army of maliciously controlled machines which may be rented by those wanting to attack a third party or other computers.

One type of phishing attack states that your username and password have been compromised. The email then offers to correct the problem—just confirm your username and password. If you do this, you hand them the keys with which they can impersonate you on the real site. We trust too much.

The most secure approach to email is to never click on any links, whether from a friend, a familiar business, or an organization which you are a part of, such as your bank, church, or school. It is quite easy to mimic exactly what a real email from another organization looks like. You can no longer rely on humorous grammar errors to give away those fake emails.

With the new school year beginning, a teacher friend received an email that appeared to be from the school district asking her to sign in to a site to retrieve important new classroom files for the year ahead. It seemed legit, but it wasn’t. She compromised her identity while giving the hacker a door to infect the district’s computers. The IT people were not happy.

If you receive an email notice from your credit card company, bank, or the IRS indicating an urgent need to resolve an issue, contact them by some means other than clicking on the email. You can phone, or visit their real website using a separate browser tab. Be sure to type in their website address directly rather than channeling through the email link. In this way you can respond to any legitimate alerts and avoid malicious ones.

For certain email interactions clicking on a link is almost unavoidable; however, you can reduce your risk of being phished. Here are a few suggestions.

Avoiding the Hook

Consider whether you are expecting an email from an organization at this time. If you just attended your annual insurance meeting at work, and the presenter mentioned that you would receive something, then the new email has a high probability of being trustworthy. If a friend says he will send a link to a great new book he is reading, then you can feel confident that the email from him is safe. However, if something arrives out of the blue, with no confirming context, and contains a link, then it should be regarded as suspect—regardless of the name on the return address.

If an email has no text and the message is simply a graphic image, it should be regarded as suspect. You can also hover the cursor over any links in an email to see where they point. I recently received an email purporting to come from a vendor I work with. It looked like the real thing. When I hovered over the links, however, I noticed that some were legitimate, i.e., they had the company name and website in them, but some were to unknown entities in other countries, e.g., asdf.ru or xyz.fr. It is not hard to make these links difficult to tell apart from real ones, so when in doubt, don’t click.

My wife is aware of the security realities of using the Internet, and she often says life would be much simpler if everyone would just be nice and get along. I agree, but until we are using heaven’s email server, we all need to beware and not trust too much.

Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Views and opinions expressed are strictly his own.
