A Letter from the Easter Bunny – on Email Phishing and Other Spoofs

Consider the following scenario: You receive an email message from the HR department of a large international corporation inviting you to a job interview. The company is looking for a language professional with precisely your skill set. The offer sounds perfect, almost too good to be true. So you look for the company online: the company URL (its address on the World Wide Web) matches the email address, and everything seems fine. Or is it? Read my new article on Translorial.com to find out how you can tell whether an email is authentic or could be a scam.

Webinar: Gone Phishing? Cybersecurity Essentials for Language Professionals – Recording Available

The recording for my webinar on cybersecurity essentials for language pros is now available on demand. To view the webinar and receive the handouts, visit the NCTA page here.

Specific topics covered include:

  • Passwords, passphrases, and hacking
  • Internet security: routers, Wi-Fi, and VPNs
  • Securing other (mobile) devices
  • HIPAA, remote interpreting, etc.
  • Phishing, smishing, spoofing and scams

Q&A for my webinar on scams targeting language professionals

Recently, I presented a webinar on scams targeting language professionals. The webinar is now available on demand, for free.

As announced during the webinar, I’ll be answering some questions that were asked during the Q&A at the end of the webinar.

Q regarding CV theft scam: Why do you call it “identity theft” if they are substituting their contact information for yours in the CV theft scam?

A: Sometimes the scammers do not substitute the entire name, only the address/phone number; sometimes they substitute part of the name. In many cases this suffices to ruin the actual translator’s reputation. Thus, while these scammers may not ruin your credit score, they may be able to ruin your business. For more info, see the Translator Scammers Directory.

Q: My email address is only listed in the directories of professional associations. How do these scammers get my email in the first place? Did they hack the association website?

A: I believe I can answer this question in my capacity as webmaster of the Northern California Translators Association (NCTA). The NCTA website has not been hacked. I can’t speak for other associations, but NCTA (and also ATA) has implemented various measures to deter robots from crawling the site and obtaining member emails automatically. However, since our members want to be found by real human clients, there’s no 100% foolproof way to keep scammers out while still letting clients have access to the member database. In fact, a couple of weeks ago I checked the access logs for the NCTA website and noticed that a particular IP address spent hours going through the member database and extracting members’ email addresses in painstaking manual labor. I have since implemented another measure that makes such an endeavor even more cumbersome for scammers, while hopefully not deterring real clients. Since our members want to be found by humans, there are only so many security measures I can implement as webmaster. In the end, it’s up to the individual member to discern whether an inquiry is from a real client or from a scammer.

And when in doubt, all associations have discussion forums for members, where the members can ask other members in case of a suspicious inquiry. For ATA members, there’s the ATA Business Practices forum, and for NCTA members, there’s the NCTA Members forum.

Q: How does email spoofing work exactly?

A: I’ll spare you the overly technical details. But basically, the “from” email address that’s displayed in an email program is only a label that can be changed relatively easily.

A good analogy would be an old-fashioned physical letter. The recipient’s address must be correct in order for the recipient to receive the letter. But the sender’s address can be any address you want if you just put the letter into a mailbox, with sufficient postage, of course. However, you can still figure out where the letter was mailed from, by looking at the postmark. The postmark identifies the post office that accepted the letter, which may be entirely different from the address that’s written as the sender’s address.

Similarly, every email carries the identification of the sending server in the email header. That sending server’s ID can be entirely different from the “from” email address, which can be fake. The sending server ID, however, cannot be faked. I explain in the webinar how to display and decipher the full header of an email.
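To make the "postmark" comparison concrete, here is an added example (not part of the original post or the webinar): a Python function that reads a raw message and compares the displayed "from" domain with the sending server recorded by the recipient's own mail server, plus that server's SPF/DKIM/DMARC verdicts. The message, all host names and addresses, and the `my_server` parameter are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the visible From claims example-corp.test, but the
# recipient's server (mx.recipient.test) logged a different sending host.
RAW = """\
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=bulk-sender.test;
\tdkim=none; dmarc=fail header.from=example-corp.test
Received: from mail.bulk-sender.test (mail.bulk-sender.test [203.0.113.45])
\tby mx.recipient.test with ESMTPS id abc123; Mon, 01 Apr 2024 09:15:02 +0000
Received: from hr-desktop (unknown [10.0.0.5])
\tby mail.bulk-sender.test with ESMTP; Mon, 01 Apr 2024 09:15:00 +0000
From: "HR Department" <careers@example-corp.test>
To: translator@recipient.test
Subject: Interview invitation

Please confirm your availability.
"""

def domain(addr):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def inspect_headers(raw, my_server):
    msg = message_from_string(raw, policy=policy.default)
    r = {"from_domain": domain(msg["From"]),
         "envelope_domain": domain(msg["Return-Path"]),
         "sending_host": "", "sending_ip": "", "auth": {}}
    # Every relay prepends its own Received line. The one written "by" our
    # own server is the postmark; lines below it come from the sending side.
    for hop in msg.get_all("Received", []):
        m = re.search(r"from (\S+) \((?:\S+ )?\[([0-9a-fA-F.:]+)\]\) by (\S+)",
                      " ".join(str(hop).split()))
        if m and m.group(3).lower() == my_server:
            r["sending_host"], r["sending_ip"] = m.group(1).lower(), m.group(2)
            break
    # Only count SPF/DKIM/DMARC verdicts stamped by our own server.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, verdicts = " ".join(str(ar).split()).partition(";")
        if authserv.strip().lower() == my_server:
            r["auth"] = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", verdicts))
    host_ok = ("." + r["sending_host"]).endswith("." + r["from_domain"])
    r["suspicious"] = (r["auth"].get("dmarc") != "pass" and not host_ok
                       and r["envelope_domain"] != r["from_domain"])
    return r
```

Calling `inspect_headers(RAW, "mx.recipient.test")` on the sample flags it: the label says example-corp.test, while the postmark says mail.bulk-sender.test.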

Q: Do you have any general tips in regards to cyber security?

A: This would fill another webinar by itself, but in a nutshell: Always use a secure password, and never reuse the same password for all your online logins. You can use a password manager or some other system to construct safe and secure passwords. Always run antivirus software on your computer. Then, always have a recent backup of your computer, in case you do click on the wrong link and get a virus. This also helps in case your computer motherboard or hard disk decides to fry itself to a crisp. And never give out too much personally identifiable information to random people on the Internet.

Q: If I receive a phone call, how can I tell whether the phone number is spoofed or not?

A: You can’t, really. In the case of a company or other business client, I would recommend replying that now is not a good time and that you’ll call back in 5-10 minutes. Then I would search for the company in your favorite search engine and call them back at the number stated on the website. You may then be on hold and/or transferred to the right person, but this way you can be sure that you are actually talking to the people they say they are.