Daily life is flooded by email communication. Emails we are expecting. Private or personal messages. Newsletters. Order confirmations. Love letters or divorce documents. And then there is also the evil stuff. Spam. Phishing. Ransom threats. About 70% of the emails received by CERN are of the malicious kind. While the CERN mail team and the CERN computer security team are trying their utmost to protect you and your mailbox from those evil messages, sometimes some make it through…
The last line of defence against such emails is you. You being vigilant and alert. You being suspicious. Suspicious when the email sender is unknown to you (“When CERN.CH is not CERN…”). Or when the message does not make any sense. Or when the contents have no connection with your duties, your job or your private life (“I love you”). Or when it is written in a language you do not understand or speak. Or emails trying to frighten you (“An old scam in a new disguise”).
One recent example was when many staff members received a personalised message threatening to disclose very private pictures of them if they didn’t pay some money to the sender. Such ransom mails have no real basis and the contents are made up. The attackers just try to create fear, guilt and shame and to profit from a tiny percentage of people paying. Most worryingly for our colleagues, however, was that those emails were pretending to be sent from their own CERN email addresses! “Pretending” is the key word here. Emails are like snail mail. The message to you is enclosed in an envelope for the postal service. As with snail mail, the reality is not always what is written on the envelope, where sender addresses are subject to the creativity of the sender. Anything goes. Real sender addresses. Fake ones. Even putting nothing. And for email, it is exactly the same. The sender address displayed in your email client is just an indicator that can be spoofed. The sender might be correct. Or fake. It is hard to tell.
So, next time you receive and spot a dubious email, don’t trust the sender. Anyone can send an email as “Fabiola Gianotti (Fabiola.Gianotti@cern.ch)”. Instead, go ahead and check its “envelope” – its routing information or so-called “header”. In Outlook, open the email, find the “Tags” section and click on the little arrow in the lower right corner. The header information can be found under “Internet Headers”. In Thunderbird, open the message, go to “View” and toggle “Headers” to “All”. When using Mac Mail, open the message, choose “View → Message → All Headers”. And in Gmail, open the message, find the three vertical dots (“…”) to the right of it and select “Show original”. While there is lots of information that is irrelevant for you, try to find the “Return-Path”, “Reply-To”, “X-Sender”, or “X-AuthUser” fields. If the email addresses listed under those fields differ wildly from your “pretend” sender, it’s another hint that you should hold fire and not act on that message.
And since we are at it, also, do not trust any embedded links. Instead, hover your mouse cursor over that link’s text to see the real link:
Admittedly, sometimes it is hard to tell (“CERN has been phished again”; “CEO fraud”) and in those cases we recommend that you touch base with us via Computer.Security@cern.ch and we can help you judge whether it is benign or malicious. Just reach out to us!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.