Introduction

Structure

• Spamming
• Phishing
• Bombing
• Spoofing

Objective

Popular email-related cybercrimes

• Spamming: Unwanted, bulk emails sent to recipients for some motive such as advertising, stealing personal information, installation of malware, or selling illegal/prohibited items. Often it is called the negative side of email marketing:

  

  Figure 1.2: Spam email
  Example: Cybercriminals hacked Sumit's email ID and took over his laptop.
  When Sumit opened his email ID to check emails from school, he could not log in. So, he filed a hacking complaint. After a police investigation, it was found that hackers performed an extensive search on Sumit activities, crawled his social media accounts such as Facebook, Twitter, Instagram, and found his date of birth.
  Almost researching for two months, the cybercriminals sent him an email with some attachments pretending to be his school administration authority. They chose a very catchy subject to grab Sumit's attention, made him download the attachments, and malware was downloaded onto his computer, and attackers got access to his laptop and webcam.
• Phishing: Cyber criminals impersonate individuals, organizations, and so on via emails. These fraudulent emails may appear from various government organizations such as the income tax department stating that you have not filed the income tax return on time, so you have to pay the penalty; it may pretend to be from a bank asking to update your KYC details; they send an exciting sale to offer free shopping voucher or cashback offer, or they may send threatening email stating that your email account will be closed if you don't respond to this email. As you click on the mentioned link in the email, it directs you to a fake website which is a look-alike of a legitimate website. An email related to corona update is a new phishing trend.

  

  Figure 1.3: Phishing
  Example: Victim receives an email from appearing to be from World Health Organization (WHO). The email had content related to COVID update and a weblink about coronavirus map update. On clicking, it directs him/her to a web page that asks for his personal information and address. On mouse click, this webpage installs malware to steal sensitive information from the device.
• Email bombing: Cyber criminals send a large number of emails in a very short span of time to flood your inbox using automated programs. It results in bouncing of emails as the email quota exceeds. Due to this, you may miss important communication, which may further result in the hanging of the webserver. Normally, official emails are the target as cyber criminals may have various intentions, such as taking control of your email id and harming the mail server by performing a denial of service (DoS) attack.

  

  Figure 1.4: Email bombing
  Example: A web hosting company was noticing heavy traffic on its web servers for some days, which was unusual. One day, many of its customer's websites go non-functional. After investigation, it was found that one of its competitors hired some hackers to launch an email bombing attack, due to which the company's web server was down and unable to perform.
• Spoofing: Emails are created with a forged sender address; often, the sender pretends to be someone known to the recipient. In spoofed emails, the sender's real identity is hidden, and he intends to get the recipient's financial details either by luring the recipient or by installing malware.

  

  Figure 1.5: Spoofing
  Example: Anjali Gupta, who works as a call centre executive, receives an email that appears to be from her office. As per the email content, the company offered her cashback on the purchase of groceries from an online portal because her performance was outstanding during the lockdown period. She has worked very efficiently. A link was mentioned in the email, and Anjali was asked to provide some banking details. Anjali followed the email instructions, and fraudsters called her pretending to be her office teammate and asked to share bank OTP. Anjali shared the OTP, and Rs 25,000/- were deducted from her account instead of credit. After investigation, it was determined as a case of email spoofing; Anjali did not crosscheck the email address properly and was trapped by the cyber criminals.

  

  Figure 1.6: Spoofing example

Email-related common tricks used by fraudsters

Preventive steps to protect your email ID

• Use a strong password. At least more than eight alphanumerical characters, for example, E7rQ#@$ut%^!M.
• Always scan the attachments (.zip, .exe, and so on) before opening them.
• Never click on links received in emails from strangers.
• Ignore/delete spam emails.
• Don't fall prey to gifts offered by the unknown in email.
• Never share your real date of birth, birthplace, geographical location, and other private information on social media.
• Implement two-way authentications. To activate it, add your phone number by accessing email account settings. Whenever you access your email from a new device, you will receive an SMS code for additional verification.
• Verify your email ID's login history to make sure that only you had opened your email account.
• Provide an alternate email address and phone so that the email service provider can contact you in case of suspicious activity.
• Check your recently used devices to check your email and see if there is any suspicious activity.
• Manage permissions for apps that are linked to your email account.
• Never disclose your password to anyone.
• Never save your password on any device.
• Crosscheck the website authenticity; look for URLs such as spelling, padlock (https) in the browser.
• If your email is compromised, contact your email service provider.
• Avoid similar passwords for multiple email IDs.
• Avoid free, public, and unsecured Wi-Fi.