Best Buy Doles Out Bad E-Mail Advice

If I had a nickel for every time I've run across the advice about being wary of e-mail messages from someone I don't know, I'd be richer than Bill Gates.

And yet, the advice is wrong. It's not even close. Think: buy high, sell low.

A recent instance really got me riled.

After the Epsilon data breach, many companies e-mailed their customers with this bogus advice. One such company was Best Buy, the retailer that owns the Geek Squad. The Best Buy message to their customers included this:

"As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders."

This implies that there is such a thing as a known sender. There is not.

The real danger comes from e-mail messages that appear to be from people or companies you normally correspond with, but are, in fact, from bad guys.

The next time you pick up your postal mail, look at the return address. Is it legit? Probably, but there is no guarantee. Same with e-mail.

Most of the time the From address of an e-mail message is legit, but, just as with postal mail, nothing prevents the sender from lying.

Forging the From address in an e-mail message is no harder than doing so with postal mail.

At least the Post Office offers a postmark. Mail with a return address in California, that was postmarked in Michigan, was actually sent from Michigan. There is no trusted third party that stamps or verifies e-mail.

Techies may suggest looking at the hidden e-mail headers. They can be useful, but e-mail headers too can be forged and they are hard to decipher.

(To see the normally hidden e-mail headers in Gmail, click on the downward pointing triangle next to the Reply button and select Show Original (thanks for the reader comment). In my version of Yahoo e-mail (there are multiple) look at the bottom of the e-mail message at the line with buttons on the left for Delete, Reply, Forward and Spam. On the far right of this line is a text link to show the full headers. In Thunderbird v2 and v3 click on View -> Message Source.)

Unknown senders are amateurs; the pros are more dangerous.

Conde Nast was swindled by an e-mail message that appeared to be from their printer.

The RSA employee who opened the malicious Excel spreadsheet certainly thought it came from a trusted source. Most RSA employees ignored the message because it was routed to their spam bucket.

The victim would not have opened a spam message that came from badguy@outtoscamyou.com. I don't know what the From address was, but I'm sure it appeared to be a known trusted person.

As I wrote recently, Epsilon was warned by Return Path about spear phishing e-mails that appear to come from friends or co-workers.

Then too, there is the common scam from a friend who is traveling, lost their money and needs you to wire them enough cash to get home. Your friend didn't send the message.

E-mail can be bogus even if the From address was not forged. This happened to me recently.

I got a message from someone I know suggesting that I purchase something. It seemed out of character, and an examination of the e-mail headers showed that the message originated in Russia. This, from someone who has never been to Russia. Someone whose Yahoo account had been hacked into.
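The kind of header examination described above can be scripted. The following is an added example, not code from the original article: it reads a constructed sample message (reserved example domains and documentation IP ranges), lists the relay hops from the Received headers, and notes where Return-Path or Reply-To disagree with the From domain. The function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message, not taken from the article.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123;
\tMon, 11 Apr 2011 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 11 Apr 2011 10:00:03 +0000
Received: from [203.0.113.45] by relay.example.net with HTTP;
\tMon, 11 Apr 2011 10:00:01 +0000
From: "A Friend" <friend@example.com>
Reply-To: someone.else@example.org
To: you@recipient.example
Subject: You should buy this

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Bracketed IPs from the Received headers, oldest hop first."""
    # Each server prepends its own Received line, so the top is the newest.
    # Only lines added by your own provider are trustworthy; older lines
    # are supplied by whoever handed the message over and can be forged.
    found = (IP_RE.search(v) for v in reversed(msg.get_all("Received", [])))
    return [m.group(1) if m else None for m in found]

def review(raw):
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        d = domain(msg[name])
        if d and d != from_dom:  # a prompt to look closer, not proof
            findings.append(f"{name} domain {d} != From domain {from_dom}")
    hops = received_hops(msg)
    return {"from": from_dom, "origin": hops[0] if hops else None,
            "hops": hops, "findings": findings}

if __name__ == "__main__":
    print(review(SAMPLE))
```

A clean result here proves nothing: a message sent from a hijacked account, like the one described above, has a genuine From address and matching domains, and only the claimed origin hop looks out of place.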

The next time you are told never to open e-mail from strangers, realize that the person offering the advice, although well meaning, doesn't know what they're talking about.

You can neither trust nor assume anything about an e-mail message based on the From address.

Never ever.
