How vulnerable are we in cyberspace?

Lakshmi Kothaneth
lakshmiobserver@gmail.com

New Year greeted me with an announcement that declared me a winner of a luxury car and a sum of $900,000. Almost a millionaire!
Spam.
Even the thought does not sound real. Anyway, the letter I received in my inbox cheered me up by saying, “Your email address was selected through a computer ballot system draw from 1000,000 emails around the world, which includes America, Europe, Asia, Australia and Africa, as part of our international promotion conducted annually.”
Only five people are selected and I am one of them. Out of all those continents, I have been the lucky one. Today I can push it aside instantly as spam.
But quite a few years ago, I remember being thrilled and asking my brother to fill out the details. He deleted it as quickly as I told him of my victory and gave me an explanation of spam and what is actually going on.
The business has not changed much. In 2017, I am still given an email ID to which I am supposed to provide the following information: full name, contact address, date of birth, gender, mobile phone and nationality. All that defines an individual’s identity.
If the trend is still going on, it means the business has been quite successful. There must have been quite a few vulnerable ones out there in all the continents.
My question is: how do they get the email addresses? Where did I go that I should not have?
“They get it from people you communicate with. It’s being done by bots that are programmed to do so. That is why you receive false emails from people without their knowledge. Now how can you know whether a mail is genuine or fake? Every email address has a domain. Get the phone number from there and call the company,” said Tariq al Barwani, a leading IT expert in Oman.
There has been plenty of expert advice. Fraudulent emails are often not personalised, says Norton.
Phishing.org says to check the email address carefully. The address of a secure website always starts with “https”, and one should check the bank balance regularly.
There are many more signs, such as grammatical errors. The letter I received had two different email addresses.
There have been sophisticated ways of spamming and phishing as well as ransomware attacks. While many have been given a lot of attention, experts warn there are other problems that have not been publicised much.
Organisations face a greater threat from email impersonation attacks. “Sometimes called whaling or CEO fraud attacks, they can cost organisations hundreds of thousands in financial losses. In fact, according to the FBI, impersonation attacks led to more than $3 billion in losses in the last three years.
There is nothing cheaper, easier and less risky for attackers than sending well-crafted and timely emails that creatively request for money to be sent to them.
Attackers don’t even need to use malware for this, they just need to be clever with their social engineering,” explains Mathew Gardiner, Senior Product Manager of Mimecast.
On the other hand, macro malware is still there. Anyone can be exposed to it, because macro malware often hides in Word or Excel files. It has re-entered the ring of popular attack methods, points out the expert.
“While most organisations choose to block executable email attachments at their security gateways by default, they generally still allow potential work-related files, such as Microsoft Office documents, to pass freely. Attackers exploit this by weaponising files in these common Office formats.
According to Mimecast research, 50 per cent of firms have seen email attacks that use attached macros increase over the last year.” Why? The answer is, “It works well and can get through traditional AV-based defences. And that’s why we’ll continue to see waves of macro malware into next year and beyond,” says Gardiner.
It all makes you wonder about the good old days, when a letter from a CEO would have his or her signature and stamp to authenticate it. When you wrote a letter and sealed it, you were at least 99 per cent sure only the recipient would read it. Your address and contact numbers were not in the public domain.
I am not so sure about winning lotteries. The thought is intriguing though. What would you do if you won $1,000,000?