Arlene wrote me a letter…
How to protect yourself from email threats.
Yesterday, I received an email from someone who claims her name is Arlene. I miss Arlene. She promised she would get back to me within 24 hours.
Her exact words were:
I need your full attention for the upcoming 24 hours, or I will certainly make sure you that you live out of guilt for the rest of your lifespan.
Anyway, I have heard nothing from her yet. If she wanted my full attention, why did she not write back? This is getting ridiculous.
The email was SPAM. The only thing that caught my attention was that he/she/it mentioned a password that I vaguely remember.
The rest of the letter is full of misspelling and lousy grammar. I wanted to mention what you need to know, especially since it also had an unfounded threat in it.
I would never film myself doing that!
The sender also claimed that she (?) could see if my email had been opened. This was not the case, I opened the raw email to check. There is only two ways, at the moment, to check if someone has opened an email.
Web beacons are one way. A web beacon is a code attached to an image. The idea is to send an image as an external link rather than embedded. You can see a deeper detail here.
These images can be a single pixel, as long as you load external images when you open an email, the sender may know you opened it. One problem with this technique is that some systems will open and scan all your links. They do this to keep you safe from malicious links.
This is why some email clients do not load external images by default.
You can protect yourself from this by disabling it manually. Here is how to do it in the two big ones.
Yahoo: Go to settings -> Viewing email and choose ‘Ask before showing external images’ .
For Google, you do something similar: Under the ‘General’ tab, you have ‘Ask before displaying external images’.
Anyway, there were no links like that in this email. The reason is obvious, I could have checked where the beacon came from and thus track the sender.
The hunter becomes the hunted.
The email also ended with a bitcoin address to deposit the ransom. The sender feels secure that I cannot track it. Which I cannot do. But it is probable that we can track the user to an exchange.
What I learned from this experience is that an email can contain threats that are invalid. Be careful, but do not panic.
They design many emails that go out to make you believe that you are under threat. It is seldom real.
In fact, many phone scammers operate the same way. They tell you they need your password or personal information so they can save you. No bank would ever need anything from to fix any problems they have with their systems.
Hear this: Anyone who runs websites or banks can change your password and do what they want. The only exception are services that leaves the encryption key on your local computer. And they cannot help you when you have lost your password.
Examples are protonmail, MEGA.nz and keybase.
As a sidenote: Protonmail cannot read your email. That is due to legislation in Switzerland, where they operate. They also have written the software so that they could not read it even under pressure from outside forces.