Why do I receive spam?

Spammers collect email addresses (including yours) from a variety of sources including websites that you have registered your email addresses with. They then send you emails in an attempt to verify that your address is valid in order to start sending unsolicited spam messages, often as part of phishing scams.  Phishing aims to obtain sensitive information such as login or password credentials, credit card numbers or bank account details.  Often spam is responsible for spreading malicious code or spyware on to machines and transmitting viruses but it can take other forms.

Give me an example of an email virus infection?

E‑mail attachments are a primary source of virus infection.  As an example, you can receive an e‑mail, even from someone you know, with an attached file that is disguised as a document, photo, or program, but is actually a virus. If you open that file, the virus will infect your computer and potentially your network.

What else do they try and do?

Deceptive links in e‑mail messages are often used as part of phishing and spyware scams and can look as though they are genuine, but they can also be used to transmit viruses. Clicking a deceptive link can take you to a webpage that attempts to download malicious software onto your computer or encourages you to enter sensitive information into fake webpages. Use extreme caution when deciding whether to click a link in a message, particularly if the sender is unknown to you or the message itself, seems inappropriate or very vague.  Even when the message appears to be from a genuine sender it is always better to exercise caution in choosing whether to open a link – see further information below on spoofing.

Spoofing is the creation of emails with a forged sender address.  The sender address could purport to be from your own email address or simply be using just your name and any email address.   A spoofed email does not mean the alleged sender has been hacked.

Spoofing is a very common tactic used in phishing because the victim if more likely to open the email and act upon the contents when they think it has come from someone they know and trust.  The idea is to get you to give up sensitive information or convince you to take action such as opening an attachment (virus) or making a fraudulent payment.

You can recognise a spoofed email sent to you by looking closely at the name and email address of the sender or in more detail by checking the message header.  To check the sender in the message header, open the email message (by double clicking), click the File tab, on the Info tab, click Properties and header information appears in the ‘internet headers’ box.

Always be vigilant and exercise caution.  If in any doubt call the sender to verify the contents especially if the sender is asking for a payment to be made.  Do not reply to the email as your reply may go straight to the spammer.

What are Ventrus doing to protect us?

Anti-virus and Anti-spyware – Ventrus has deployed Anti-virus and Anti-spyware which automatically blocks the “known” viruses and phishing scams however this is an ever-evolving and hourly changing threat and new technologies are consistently being designed and deployed to circumvent these security products and spread malicious software.   Until those malicious technologies are deployed, the threat is unknown and patches will not have been developed therefore no amount of anti-virus or spamware will ever completely eliminate this threat.  It is therefore very important to remain aware of the risks and take the appropriate action.

What should I be doing to minimise the risk?

To reduce the possibility of receiving spam emails there are things you can do to protect your email addresses and accounts, on your computer. The following tips will help you and your company combat the amount and type of spam you receive.

  • Limit the places where you post or register your business email address
  • Review the privacy policy of websites
  • Try not to leave too much personally identifiable data where it will be easily accessible.

What should I do if I receive a suspected spam email or an unexpected attachment or link?

Employees - If you receive an email from an unknown source or even a trusted source, particularly if it has attachments or links, makes requests for sensitive information or asks for a payment – the general rules are as follows:-

  • Look at the sender’s address, it might be an address you recognise at first glance but if you double click on the address or check the headers it could be something entirely different.
  • If the email has what appears to be a genuine link, hover over it to see the real address
  • Never click on any links or attachments: this is the simplest and most effective way to handle junk emails.
  • Ignore and delete the spam message
  • Never reply to a spam message as this lets the sender know it is an active account.
  • Never forward a spam message.
  • If you receive e‑mail attachments or links from a KNOWN SOURCE that you aren’t expecting, consider contacting the sender by telephone and asking them to verify that they actually sent the attachments or links before you open them.
  • Be aware that the email could be spoofed to look genuine, were you expecting a request for a payment? Is the payment for someone you’ve never made a payment to? Is it asking you to submit sensitive information or visit a website? Always exercise caution, check the header and/or make contact with the sender via telephone especially where requests for payment are concerned.

What else can the company do to minimise the risk?

Establish and enforce clear information security policies in order to make staff aware, educate staff to recognise security risks and follow the guidelines set out to protect them and your company.

Have internal security processes for payment requests whereby they are verified with a phone call.

Do not respond to these emails, by responding to spam emails, employees are actually confirming their company email address as a valid address to spammers.

Restrict the use of office email addresses for personal messages or participation in website newsgroup or chat rooms by employees.

Do not register your company email address on websites that you do not trust not to pass on your details to third parties. Ensure employees register their personal addresses with personal use websites.