Social engineering email attacks are scary

It seems the quantity of spam isn't the problem anymore!
It seems the quantity of spam isn't the problem anymore!

When it comes to computer security, with the exception of certain operating systems produced by an obscure software company in Redmond, the weakest link in computer security is… us.

For the longest time I haven't worried about security when it comes to email, and I suspect most of us haven't. We don't open email attachments, we don't click on links embedded in spam messages; web email systems like Gmail even disable images unless we explicitly declare we want to see them. These systems work on a system of trust; if we trust where the messages come from, we eschew these precautions.

What's disconcerting is the rise in socially engineered attacks. These are emails (or instant messages, or Tweets, and so on) that instead of being sent in bulk are tailored to the person they're being sent to. In a similar manner to Trojan Horses these emails are written disguised as a message from a loved one, colleague or grilled cheese sandwich and are designed to pray on our trusting nature of said parties to deliver their malicious payloads, whether they be attachments or links to websites with malicious code or downloads.

ASIDE: To be fair this isn’t the only attack that leverage trust. Many email worms propagate by sending copies of themselves to people in the address books of a host’s infected machine. This is still on the surface an indiscriminate blanket attack though not real social engineering.

As of this afternoon I've now had three such emails sent to me: one person had the gall to masquerade as my dead mother. I've decided to assume this person saw my mum's name written here several times and thought they'd use it not realising she died young from a terminal condition.

But we're getting sidetracked. The point is these attacks are real and are happening. This turns the trust model we've been taught on it's head; indeed we should now suspect every message we receive. Verify the person sending it is who they claim to be by checking the email address and if necessary the entire header of the email itself given email addresses can be spoofed. Our language is like a finger print: if they're writing doesn't sound like them it may be cause for concern.

My Facebook inbox… another thing to check!
My Facebook inbox… another thing to check!

Is it any wonder people are giving up on email and are flocking to services like Facebook or Twitter? These platforms have their own risks too, but at least 95% of Facebook or Twitter accounts aren't spam!

ASIDE: Pre-empting any comments that statement may generate along the lines of "but Ruben, 95% of Twitter tweets ARE spam, or at least silly nonsense" I counter with: "be careful with that joke, it’s an antique!".

I guess the honeymoon period with email is long over, time to move on. Whatever happened to the idea that everyone has their own certificate they digitally sign messages with?


This is one of about 5000 posts on Rubénerd. View the home page for the latest, or related posts also tagged with:

If you liked this post, feel free to buy me a coffee, leave me a comment on Twitter, or email me at Thanks :).