It’s that time of year again – when fraudulent and nuisance emails, and online hoaxes and scams start making the rounds even more quickly than usual.
Sophos has posted a warning about one such hoax spreading rapidly on Facebook where users are warning each other about a “Christmas Tree” virus – said to be carried by a rogue Facebook application. Here’s a example of the message that’s being circulated:
WARNING!!!!!! ….. DO NOT USE THE Christmas tree app. on Facebook. Please be advised it will crash your computer. Geek Squad says it’s one of the WORST trojan-viruses there is and it is spreading quickly. Re-post and let your friends know. THANKS PLEASE REPOST!
A little research (perhaps a search on a reputable site like Snopes.com) would quickly show that this is a hoax. But that doesn’t stop the message being widely distributed by worried Facebook users, and, at this point, the hoax is probably spreading faster than reports of genuine Facebook viruses (maybe because it has an easy-to-remember name rather than the obscure names given to viruses by software companies?).
Even if you’ve banned the use of Facebook and other social networks, similar hoaxes and scams are likely to be circulating by email in your organization. And they’re often very disruptive in the business environment if they’re distributed widely, and can also make it more difficult for you to warn users about real threats that they might face.
So, what should you do?
Two Things to Teach Your Staff
#1 – Spotting Hoaxes
First and foremost, you should teach your staff how to recognize a suspect email or message. There are some fairly obvious classes of scams and/or hoaxes such as:
- humorous hoaxes – amusing messages which can clog the email system, but aren’t generally malicious in intent
- chain letters – generally only intended to clog up the email system, but some carry malicious messages for those who don’t forward the letters which can cause distress to some users
- nuisance hoaxes – messages intended to worry or scare users but not much more
- malicious hoaxes – messages designed to persuade users to carry out actions that could cause damage – typically to their PC
- scams – emails or other messages sent with the purpose of financial (or other) gain – includes phishing, and spear-phishing messages
If you want some simple examples of email hoaxes and scams to educate your staff, I’ve included some taken from Cosaint’s course on ‘Secure Use of Email” course at the end of this blog post.
#2 – How to Respond
Once you’ve taught your staff about some of the signs to look for, you should teach them what you want them to do next. Do you want them to contact your Help Desk with queries, or should they be encouraged to determine for themselves if an email or message is fake and act accordingly?
If the latter, you should provide some suggestions for resources that will help them do this. I usually recommend Snopes.com but you might have other sources that you prefer – let me know if you have any suggestions, and I’ll add them to the list.
The following materials, extracted from emPower’s ‘Secure Use of Email’ course, are being made available to you for use in your own awareness program. Feel free to include them in your email security reminders or newsletters, or use them in staff meetings. If you’d like to see the original course, which covers this topic and much more, please contact emPower.
License for Use
This work by emPower, Inc. is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. Based on a work at emPower blog
Sometimes you’ll get an e-mail which warns you about a “virus”. Or it might alert you to a wonderful “free offer”. Most of these hoaxes are designed to scare you and/or to waste the time of everyone who receives them. But there are some malicious hoaxes which try to persuade you to delete a critical file on your computer. So you do need to be careful.
Remember! The only virus warnings you should pay attention to are those sent by the Help Desk and even these should not be forwarded. So, don’t spread hoaxes. If you’re not sure whether a warning is real, ask the Help Desk.
Example 1 – A Humorous Hoax – The Work Virus
This is an example of a humorous hoax. While it’s too obviously false to worry people, we don’t recommend that you forward it to your entire email address book since it only serves to clog up email systems.
Example 2 – Another Humorous Hoax – Bad Times
This is an example of a humorous hoax. There are various versions but all are very obviously fake! We don’t recommend that you forward it to your entire email address book since it only serves to clog up email systems.
Example 3 – A Chain Letter – Irish Friendship Wish
This is a typical chain letter. The only thing that a chain letter does is to clog up email systems so you shouldn’t forward them.
Example 4 – A Nuisance Hoax – Hackingburgh Virus
In May 1997, this email circulated the internet. There are a couple of pointers that this is a hoax. Firstly, the FCC doesn’t issue virus warnings of any kind. Secondly, the supposed virus has characteristics that no known virus exhibits. Since the recommended “advice” doesn’t harm users’ computers, one could classify this as a nuisance hoax.
Example 5 – A Malicious Hoax – SULFNBK
This is a malicious hoax which attempted to persuade readers to delete an operating system file called Sulfnbk.exe – a Microsoft Windows 95/98/Me utility used to restore long file names. Sadly, many people panicked and deleted the files from their computers needlessly, causing considerable work for system administrators.
Example 6 – A Scam – Nigerian (or 419) Scam
This is a form of scam that can be traced back to the 1920’s or earlier and is sometimes known as the “Advance Fee Fraud”. Someone has a large amount of money that needs to be moved and they can only do it with your help. They offer to set you up as a business partner where you set up a legitimate bank account and let them use it to transfer the cash – often millions of dollars. So all you have to do is to send them some money – maybe $10,000 or so to start the process …
These days, the most of the scammers use email and a lot of them – albeit not all – seem to be based in Nigeria hence the name used to describe the scam. You can find out a lot more about this form of scam on Wikipedia.
