« Bad News for Investment Banks; Good News for the Rest of Us | Main | Whom Do We Regulate when the Phone Monopolies Are Gone? »

June 08, 2011

CC’ing Will Get Your Friends Speared

Now that many of us are wise to phishing – email that purports to be from your bank, for example, and gets you to expose your password or download a virus, a new form of email attack has been developed. It's called spearing because it's much more targeted than phishing. You get an email which appears to be from someone you know; it has an attachment or a link; you open the attachment or link; gotcha – you're infected. Or it asks you for some piece of information for a company or club directory; you supply it; gotcha – your identity is compromised.

How do the spearers know who knows whom? You told them! You didn't mean to but you did.

Here's how it works. You hear this really funny joke or read this really important message about avoiding viruses. You send it to all your friends by putting all of their email addresses in the "to" or "cc" field. Your friends go on and forward the email (and all the exposed addresses) to their friends. Someone who gets hold of the email by fair means or foul isn't a friend. Now they have a nice list of addresses of people who may well know each other. At the very least, they can guess that you know all of these people and they know you. So now messages addressed to group members and looking as if they come from a group member can be automatically generated by a robot or even crafted individually by hackers; the spears are flying and it's your fault! BTW, it's really simple to make an email look like it came from someone else.

So what's to be done when you have a real reason to send an email to a long list of people? Easy – put all their addresses in the "bcc" field (your email client may insist on at least one "to" address; if so, make that yourself). When you use bcc, the email won't include a list of these recipients. No one knows who else got the email; no one gets to learn anyone else's email address.

What if you get an email that has your address in it plus a long list of other addresses, some of them strangers?

  1. Don't forward the email even further unless you first delete the address list.
  2. Be sure to use "reply" rather than "reply all" so that you don't perpetuate the problem. This is very important for community groups who may not understand the consequence of openly addressing an email to all of their members, but commercial senders can be sloppy as well.
  3. Point out to the sender that he or she should have used "bcc".

Here's an example of a cranky email from me:

"I appreciate getting the report but pls use bcc for an address list like this. I don't want all these people I don't know to have my email address and they probably don't want me having theirs."

It drew an apology and a promise not to sin again.

I sent a warning about spearing with a link to a spearing story to my family. I immediately got an email back from daughter Kate noting that I put all of their email addresses in the "to" field and my email included a link so could have been a spear. She asked me if it was legit; good precaution on Kate's part and made me think about when it is appropriate to openly address people. My rules are that I don't have to use bcc if all the conditions below are true:

  1. All of the people openly addressed already know each other's email addresses or I'm deliberately introducing them to each other.
  2. There is some reason why it's relevant to each recipient to know who the other recipients are (even if just to keep them from forwarding to people who already got the mail).
  3. There are less than 10 (or so) addressees.

Kate's rule about asking before opening links or attachments is a very good one if you have any suspicion that the email is a spear.

Related posts:

Don't be a Phish

BCC – When and Why


| Comments (View)

Recent Posts

Why You Want to Use Free ChatGPT-4o Instead of Search

Tale of Two Districts

The Magical Mythical Equalized Pupil

Our Daughter and Family Doing What's Right

Human-in-the-Loop Artificial Intelligence


blog comments powered by Disqus
Blog powered by TypePad
Member since 01/2005