Threats

Send and Receive E-cards Safely

By Kim Boatman

When that Valentine’s Day e-greeting lands in your inbox, you’re sure to feel all warm and fuzzy inside.

After all, someone thought enough of you to send a personal greeting. But the question is whether that someone is thinking nice thoughts about you or considers you a potential victim. E-cards are prime vehicles for distributing viruses and other malware, and the bad guys’ efforts to reach you through these cards skyrocket around such holidays as Valentine’s Day.

They rely on your receptiveness of good-will gestures. “Your first thought is ‘Oh, let me open it,’” says Scott Stevenson, president and CEO of Eliminate ID Theft, an identity protection company. “It’s like getting a present from someone. You’re not going to say, ‘I’m not going to open it.’”

The bad guys are getting trickier
Recently, a recent fraudulent e-greeting card has been making the rounds. It claims to be from Hallmark, the reputable card company. However, the subject line contains a misspelling and reads, “You have received a greeding card!” The email itself, which encourages the recipient to click on links, has several more misspellings. 

But spotting malicious e-cards isn’t always easy, and you can’t count on these sorts of errors to identify them. The bad guys often use social engineering, among other techniques, to try to fool you.

When it comes to e-cards, be wary of these techniques:

• Appears to be familiar or a friend. A greeting might appear to come from someone you know, says John Bonora, owner and founder of Privacy Solution Partners, a privacy consultation and identity theft prevention firm based in New Haven, Conn. The bad guys sometimes go to social networking sites such as Facebook and get identifiable information about a person. They use this information in a greeting card so it appears legitimate.

• Uses common name. Fake e-cards may use more common names in the greeting, says Bonora. For example, a subject line might read, “You have an e-card from Mike!”

• Pretends to be a legitimate card company. Malicious types will send email appearing to come from popular card websites such as Hallmark, American Greetings and Blue Mountain.
• Creates fake e-card websites. Instead of targeting the e-card recipient, some criminals target the person who is sending one. They create fake websites to trap unwary victims, says Bonora. If you try to register at the site, you might be asked to reveal such personal information as a credit card number. Don’t do it!

• Asks you to install software. Most of us expect e-greetings to involve some cute animation. Characters dance to catchy tunes. Hearts float across a screen to a lilting melody.

Cybercriminals understand this and will ask you to download software to activate animation, says Stevenson. “By agreeing to do that, you are simply downloading malware onto your computer,” he says. “That malware could send information from your computer to the criminal, wipe out the directories on your hard drive, copy key strokes and peer into everything you’ve done on your computer for the last six months.”

What you can do
By now, you might be feeling less than warm and fuzzy about that e-card. However, you can take steps to protect yourself while still enjoying that electronic nod of acknowledgement from a friend. Take these precautions:

• Confirm with the sender. Before you open the e-greeting, double check with the sender. Sending an email to ask if a friend has actually sent an e-greeting can save you headaches down the road. If you send e-greetings, send emails letting the recipients know to expect the e-cards.
• Never click on links. Either cut and paste the URL into your browser or type it in yourself.
• Visit the card company website. You’ll often find helpful information on legitimate company websites. For example, Hallmark spells out its practices, letting customers know that Hallmark e-card notifications come from the sender’s email address, not from Hallmark. The site also offers instructions for forwarding fraudulent emails to Hallmark so the company can fight e-greeting abuses.
• Use e-card pickup services. Legitimate companies may provide a way for you to pick up the card from their websites rather than clicking on a link.

• Make your own e-card. “Simply attach a PDF,” advises Bonora. “Many personal-use software applications can create a nice colorful card that can be converted to a PDF file.”

• Update operating systems and antivirus software. Even the savviest computer users are occasionally fooled. That’s why it’s critical to install all patches and updates for your operating system and to maintain and run security software on a regular basis.

As criminals continue to get more creative, holiday greetings are just one more thing you have to be aware of,” says Stevenson. “This is a way to steal someone’s information and make money on it.”