How Do Cybercriminals Make an Email Sound so Authentic?
Email or phone call scams are not new; cybercriminals have been attempting to fool people for years. Older scams like “You Won the Lottery” or the infamous “Nigerian Prince” are created as generic messages sent out to millions of people. The non-specific nature of these messages makes them easier to spot. More recently, personalized scams are more difficult to detect, where cybercriminals use hacked information to create customized messages for intended victims.
One common cyber-scam tactic includes fear and extortion to force you into paying them money. The attack works like this: cybercriminals obtain or purchase user account names and passwords from hacked websites. They then send you (and everyone else in the database) an email containing personal information that only you should know, such as an old password. The criminal refers to this password as “proof” of having hacked your computer or device, which is, of course, not true.
In almost every situation like this, the cybercriminal never hacked into your system. They don’t even know who you are or which websites you’ve visited. The scammer is simply attempting to use the few personal details they have about you to scare you into believing they hacked your computer or device and coerce you into sending them money. Remember, bad guys can use the same techniques for phone call scams.
It’s natural to feel alarmed when someone has personal information about you. However, remember the sender is lying. The attack is a part of an automated mass-scale campaign, not an attempt to target you directly. It is becoming much easier for today’s cybercriminals to find or purchase non-public information, so we expect more personalized scams like these in the future.
What common clues should alert you to a scam?
- Highly urgent email, message, or phone call, be very suspicious. If someone is using emotions like fear or urgency, they are trying to rush you into making a mistake.
- Demand for payment in Bitcoin, gift cards, or other untraceable methods.
If you receive a suspicious email, check the Recent Email Scams tab within the IT System Status Center to see if it’s been reported. If you have concerns about a specific email, you may report the email to OIT via abuse@utk.edu or contact the OIT HelpDesk.