Cisco Blogs

Mail – Got Mail? Got Criminals!

February 1, 2010 - 1 Comment

Who gets mail? We all do.

Mail arrives from a variety of public sector sources such as the court system inviting you to jury duty or county assessor providing you with the annual assessment and tax bill. You may also receive in your mail box your credit card statements, and personal correspondence. Perhaps your medical service provider or insurer mails to you an explanation of benefits. Merchants send you opportunities to appreciate their services. Similarly, we all have e-mail addresses; some of us have more than one. Our use of these addresses may be identical to that of our physical mail box. Sadly, the mail, both physical and electronic, is also used by the criminal world to perpetrate fraud.

Ask yourself this question: When mail is processed, arrives or is dispatched, where and how does this occur? Simple enough? Let’s discuss.

Physical Mail:

  • The Threat: Theft.
  • Office: Where do you receive and process your mail? In an attended or unattended building mail center? A locked or unlocked mailbox? Delivered to a designated individual or company mailroom? Post Office? Is it subjected to an x-ray security scan?
  • Home: Is your residential mailbox locked or unlocked? Live in a condo or apartment and have a shared mail facility? Perhaps you use the Post Office or a commercial mail box service?
  • Destruction: What do you do with your mail when you discard the paper? Do you shred your paper? Home or office, I suggest investing a bit in a cross-cut shredder. If you are looking at your business needs, assess your volume to decide the size that best suits your requirement. Which paper to shred? Shred anything with your name, account numbers, requests for subscriptions, statements, new credit cards solicitations, memberships, etc. Why shred? To protect your data — there is no reason to allow access to your disposed documents, which would allow others to engage in identity fraud or theft at your expense.

Whaling SubpoenaElectronic Mail: The 2009 Cisco Annual Security Report projects “In 2010, spam volume is expected to rise 30 to 40 percent worldwide over 2009 levels…” A serious amount of e-mail by any one measurement, magnified even more so when one realizes that approximately 97% of all e-mail hitting corporate systems is junk. Therefore, it behooves us to understand the methodology of the perpetrator. With such, we can identify within the noise of the spam the boat load of phish.

  • Phish: These take the form of e-mail designed to specifically get you to take an action — be it to respond to the e-mail or click through to a website. We have all seen these in our inboxes. Lamentably, there were those who took advantage of the tragedy following the earthquake in Haiti and peppered inboxes with appeals for donations — donations to bogus charities. A few common topics:
    • The Bank: The bank ostensibly requests you to verify account information (Note: Your bank will not — I repeat, will not — request you to update your account or send data via e-mail or request you to “click “on links.) Have a need to engage your bank online? Directly enter their URL in your browser.
    • The Opportunity: “You’ve won the lottery;” “Help me process remittances from your country;” “Work from home and earn thousands;” and the latest to hit my inbox, “Be a mystery shopper!” Just hit delete, no need to open.
  • Spear-phishing: Spear phishing occurs when the perpetrator personalizes the effort. In “Secrets Stolen, Fortunes Lost, ¹” a book I co-authored with Richard Powers, we tell the story of “The Tale of the Targeted Trojan,” where specific individuals and companies were targeted for their intellectual property, personnel files, go-to-market plans, etc. In this specific instance, we saw the confluence of physical surveillance with technological know-how. Regardless, spear-phishing occurs when the perpetrator is able to create a one-off deliver of a message in a manner with a high probability of the victim taking the desired action — visiting a website, responding to the e-mail, or opening an attachment. Like the physical world of spear-fishing, the virtual world has evolved to include spear-phishing, where one specific fish is targeted.
  • Whaling: The bulk, but personalized, targeting of senior corporate executives. Who can forget the infamous e-mail sent to CEO’s around the country that advised the recipient that the U.S. District Court wished to issue them a subpoena and directed the executive to the “court website” to download the document? [see box] Over 1800 recipients responded, even though there were a number of obvious spelling errors, which should have piqued the interest and perhaps raised a yellow flag. For those who visited the website, there was no subpoenas, simply malware.
  • Destruction of E-mail: Is the online destruction of mail easier or harder than that of physical paper? Technically, you can hit the delete key and the “e-mail” leaves your inbox, so that’s pretty easy. Similarly, when you read, write, copy or save documents, photos, diagrams or media, the bits occupy storage space on a storage media, disc, server or hard drive. Logical destruction is straightforward, hit the delete key. This is satisfactory as long as you maintain control of your device or storage medium. If you have occasion to discard your storage device, I have only one piece of advice — degauss or physically destroy the electronic media prior to disposal. As in the physical world, why give someone who comes across your media the opportunity to obtain your data for their use?

Physical mail or electronic mail, you can help protect yourself and your data by understanding how you process and dispose of your data. The unscrupulous will monetize your data at any opportunity. Don’t give them that opportunity.

Thank you for your time.


¹Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century By Christopher Burgess and Richard Power ISBN: 978-1-59749-255-3 Copyright 2008

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Great article Christopher. As usual. I always learn something new when I read your work or speak with you. This time, Spear Phishing. And I just opened my shredder bin to be sure that the waste is actually cross cut!! Dont need dumpster divers gluing strips of paper together.Larry