avoiding online/email predators and scams
TRANSCRIPT
Avoiding Online/Email Predators and Scams
By Larry Klusza, Bethlehem Area Vocational-Technical School, IT Dept.(Retired), October, 2021
Recently, there was an attempted “gift card” email scam directed specifically at Marie, a member of the NPOG
(Nice Public Organization for Good), by someone masquerading as NPOG President, Eugene Smith. We’ve all
heard of scams like this and some of us may have already been victims of similar scams. Online and email
scams are nothing new but this was disconcerting because it was directed specifically against a local
organization with a relatively small membership. It highlights the necessity of awareness and knowledge of
such things, so as to avoid being victimized by online predators. Thankfully, Marie became suspicious early
enough that it was caught in time before any real harm was done.
How to Spot a Likely Scam:
Email Address, Grammar, and Punctuation: Unlike smart phones, your email app in your tablet or home computer can also tell you the email address of
the sender who sent you the message, regardless of the name in the “From:” line. It’s referred to as the
“replyto:” or “mailto:” When you view a message on your tablet or computer, you can see the address right
next to the sender’s name that will be used if you reply to that message. An example is circled in red in the
picture below, right next to Eugene’s name. This is the first tipoff that something suspicious is happening,
especially since Eugene’s official NPOG address is [email protected].
Notice the punctuation errors circled in green in the picture above. To be fair, some people can’t type well
when trying to email from their smart phone, but in this case, I didn’t think so. Additionally, I don’t know of
anyone in the organization who refers to the organization when writing as the “NPOG” using the quotation
marks. In the “Subject:” line on a follow-up email, the person pretending to be Eugene referred to the
organization as the N.P.O.G., which is something I’ve never seen before, either. The crook also used Eugene’s
On August 19, 2021, at 4:07 PM, Eugene Smith <[email protected]> wrote:
Hi Marie,
I need your assistance, are you accessible? I’m out of town , I need you to handle
this on my behalf for “NPOG” . We need some gift vouchers for gift to assist
Veterans at hospice care with preventative items due to COVID-19. . Regards,
Sincerely yours,
Eugene Smith
President
“Kindness is a language that all can understand” – Mark Ruddle.
Disclaimer: The story related below actually happened. The quotations as well as names of the organization and people involved
have been changed to preserve their privacy.
official signature, including his quote: “Kindness is a language that all can understand” – Mark Ruddle. Now
that was creepy and was what really caught my attention (more on why in a minute).
Aside from our home-grown scammers, many of these crooks are also foreigners. One clue that the person
may be a foreign national is the sometimes awkward sentence structure and use of American English. In the
picture above, “Eugene” says he needs “assistance” and is Marie “accessible” rather than “help” or
“available”. In subsequent replies, there were other examples that helped raise suspicion. Knowing Eugene as
well as she does, Marie said that when reading the message it just didn’t “sound” like him.
Given this possibility, I performed a WHOIS search for Marie on the roucsoo.com domain name. Indeed it
turned out to be registered to an anonymous source in Germany. Well, for a German, the English wasn’t bad
but it wasn’t good enough either.
Lessons Learned:
Security Really Is Important For me, the single most alarming aspect of this whole incident was that the scammer had access to the email
signature that Eugene uses exclusively for NPOG communications. Here’s why:
It means that someone else is reading an NPOG member’s email (Yikes!). It means that a scammer
somewhere, somehow, managed to get access to an NPOG member’s computer or smartphone
contact list.
The victim can be anyone with whom Eugene communicated in his official capacity as president,
including Eugene himself.
Such things can be accomplished by any sort of malware that gets secretly installed without the user’s
knowledge or permission as well as by visiting strange or questionable websites.
It can also happen by clicking on a link in a fraudulent email.
Remember, it’s a jungle out there. A user’s best defense is a strong password coupled with security software
of some type that is both kept current and used often. Whether your Internet device is a smartphone, tablet,
or personal computer, your data is at risk every single time you turn the device on or access the Internet. This
requires security software designed to combat viruses, spam, and malware. They are available individually for
those specific threats. There are also programs available that combine all these functions that are marketed
as Internet Security Suites. These security suites coupled with good password discipline are vital in today’s
communication environment.
Strong Passwords Are Not That Hard to Create First of all, it goes without saying that passwords should never be real words. Examples are your birthday,
anniversary, your pet’s name or your mother’s middle name, favorite color or anything that can be associated
with you. And it should absolutely never be something as silly as 123456, although it’s likely that millions of
people are doing that at this very moment. So, what can you do to have a strong password that you can
actually remember?
Here’s a simple method to create really strong passwords. Ready? We all have favorite songs, poems, TV
show quotes or quotes from famous people that we can recall effortlessly without fail. Write one down on a
piece of paper. OK, now take the first letter of each word in that quote or saying that you know so well and
add a few numbers and a punctuation mark to it. Here’s an example for someone named Scott: Scott is a
beer drinker and likes it so much that we tease him that he could happily drink it any time of day, sort of like
an alternative food source. Simply put, it’s been said that “Scott could drink beer 24/7!”. So, by using that
quote we build a password that would read: Scdb247!. This would be considered quite a strong password as it
contains at least 8 characters, has mix of upper and lower-case letters, contains numbers and a symbol. It’s
also not a real word so it’s more resistant to automated hacker programs. Best of all, it’s something that you
can easily recall without even trying.
One more thing – please don’t actually use the example I just gave, as I have been using it when teaching
about passwords for years. Consider it in the “Public Domain” and therefore known to everyone, kind of like
“123456”.
Security Software: Free vs. Paid Versions Using free versions of these types of products are better than nothing, but paid versions are better. Why?
Well, let’s consider how they work.
Antivirus programs like Norton’s, AVG, Kaspersky, or Comodo among others have to be made aware that the
virus exists in order for a response to be created and supplied via an update. How? The only way is for the
new virus or malware to be reported by some hapless victim. If you’re lucky, your program will flag a file as
suspicious and quarantine it even though it can’t identify it completely. This provides you the choice whether
to submit it for review or not. If a submitted file is found to be malicious, a response is developed and made
available to users in the form of an update.
Generally speaking, updates reach subscribers first via the automatic update features that are exclusive to the
paid versions. Coming with no or limited support, most free versions instead require you to check for updates
manually (and how often do we really take time to do that?). The thing to remember is that any virus or
malware may be loose out in the “wild” a considerable amount of time; weeks or possibly months, before it is
reported and a response developed. The bottom line here is to get a paid version of a reputable Internet
security product and not only keep it updated, but to run scans regularly as well to quarantine suspicious files.
Bonus Advice: Give Complex Tasks the Focus They Deserve Certain tasks naturally allow for multitasking. For most folks, walking and chewing gum come to mind.
However, thinking of what you would like for supper while trying to disarm a bomb or texting and driving?
Not so much. Sometimes, tasks require us to manage complex information and apply judgement in the
process. These kinds of tasks require more focus than we could otherwise provide when trying to juggle
multiple thought processes. Something will certainly fall through the cracks, often to our detriment (again,
texting and driving come to mind).
Now, consider the written communications you receive from people whom you know personally. Whether in
the form of a hand-written card, letter, or email, you can often “hear” them speaking to you as you read the
message because you know them personally and are fully focused on the communication. This is especially so
when we get a letter or email from family or loved ones. When she reviewed her emails with “Eugene”, Marie
was more completely focused and easily noticed the spelling, punctuation, grammar, and other errors in the
emails as well as the email address itself; enough to cause doubt as to the alleged sender’s true identity. She
also realized that she likely would have figured it out sooner had she put off answering until she could bring
the appropriate level of attention to the communication. Because she was distracted while initially dealing
with the email, she almost became a scam victim to the tune of $500.
Tips for Good Security: 1. Create strong passwords that are easy to remember. It’s not as hard as you think if you use the
method presented in this article.
a. IDs are one thing, but please resist the urge to let your Internet browser store your passwords.
If you get hacked, the hacker now has your passwords as well as your contact list and Internet
bookmark or Favorites list. Instead, enter passwords manually each time you login to a site you
visit routinely.
b. Using 2-factor authentication is extremely helpful in combating imposters as well.
2. Have separate email accounts for personal and business use. This can limit the damage if one of the
addresses becomes compromised.
3. Purchase and use good Internet Security or threat specific anti-virus, anti-spam, and anti-malware
products.
a. A simple internet search for “The best Internet Security Suites for <Insert Current Year>” will
yield significant results.
i. For myself, I tend to look at the lists from PCMAG.com and tomsguide.com. They
include all the major players and list the pros and cons of each. Beware though; some of
the prices can be a definite eye-opener.
b. Run scans regularly, don’t just keep them updated. How often? As often as it takes for you to
sleep at a little better at night.
4. Know who you’re communicating with.
a. If at first glance the message seems strange, examine it again using the aspects discussed in this
article. Does it check out?
b. If it checks out but still sounds strange, give the person a call or text to verify that they actually
are the sender. No shame there.
c. If the communication involves something important, don’t deal with it until you have the time
to focus and process it properly.
i. However, it’s considered a best practice to let the sender know that you can’t deal with
it at that moment, but will do so as soon as you’re able. It’s also helpful to give an
estimate as to when you expect to address the issue.
5. Under no circumstances do you open an attachment or click on a link from anyone until you’ve
satisfied tips #3 and #4.
Being a retired IT professional, Marie’s experience bothered me enough that I felt compelled to write
something about it. I hope you find this information helpful.
Regards,
Larry Klusza