Can You Use a Touchstone to Determine Email Legitimacy?

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~ Ashton Engineer Emeritus

If you have some jewelry and you want to know how pure the gold is, how do you do it? There are several methods out there, among them is taking it to a jeweler and asking him. Perhaps one of the oldest methods is the touchstone. From Wikipedia “Drawing a line with gold on a touchstone will leave a visible trace. Because different alloys of gold have different colours (see gold) the unknown sample can be compared to samples of known purity. This method has been used since ancient times. In modern times, additional tests can be done. The trace will react in different ways to specific concentrations of nitric acid or aqua regia, thereby identifying the quality of the gold. Thus, 24 carat gold is not affected but 14 carat gold will show chemical activity.”

Needing to determine the purity of gold is probably not something you have to do regularly. On the other hand, testing the validity of a link in an email is something you probably need to do multiple times per day. The touchstone method of purity determination involved the unknown sample, a touchstone (possibly jasper or basalt), acid, and some samples of known quality.

When dealing with email, samples of unknown quality are abundant. Your mouse (or long-press on a phone) takes the place of the acid. The touchstone is made up of common sense, attention to detail, and knowing your business. The samples of known quality may be historical emails or a phone call (we will get to that in a bit).

When testing gold with a touchstone you made a mark on the stone with a sample with a known purity, perhaps several known samples. Then you made a mark with the unknown sample. Applying acid to the stone would remove samples below a given purity (depending on whether you used nitric acid or aqua regia). You could then see how the acid affected the mark from the unknown sample and decide on the purity.

Let’s see how we apply this to a link in an email. (DON’T CLICK ON LINKS)

SAMPLE 1:

https://www.microsoft.com/ Is this a good link? To the naked eye, it looks nice and shiny.  Let’s apply a little ‘acid’ to it and see how ‘pure’ it is. First question, Where are we actually going? Hover your mouse over the link and what do you get? https://www.microsoft.com.co.  Is that good? It looks strange but as it happens, this will take you to a Microsoft website, albeit in Spanish. So it is not a disaster, but probably not what you might be expecting.

SAMPLE 2:

https://www.dropbox.com/ So if you were paying attention, you should have hovered your mouse over this one. https://www.dropbux.com.ru  If that was a working link, clicking on it would be a bad idea. If you get an email with a link to a .RU website and you don’t do business in Russia, chances are good the link will do nothing good for you.

SAMPLE 3:

This one is harder. You can’t hover your mouse over this QR code. So instead of our mouse ‘acid’ let’s apply a different ‘acid’. Why would someone send you a QR code? Is this common practice in emails or texts from the sender? Do you know the sender? If the sender is supposedly Aunt Sally, does she know how to make a QR code, let alone have a reason to send one to you?

Some other components to your ‘acid’ kit:

• Do I know the sender?
• Should I be getting this email? (If you work in Accounts Payable and this is a Receivables issue, why did you get it? If it is about a warranty issue on a Honda van and you don’t own one, why are you getting the email/text?)
• Is this a reasonable email? (The sender is asking you to send money overseas to a company you never heard of. You are being threatened with disconnection if you don’t respond in the next 2 hours. You get a text from the IRS.)
• Is this how the sender is supposed to communicate? (The sender wants a transaction done that requires a notarized document but none is attached to the email and attachments are not acceptable anyway)
• Don’t assume because it looks like it is from someone you know, it is ok. If you have any questions about the email/attachment, call and ask.

With work from home becoming the new ‘normal’, we all will be dealing with scammers on the home front and business front, possibly on the same computer. We all need to be more proficient in testing the purity of the email/texts/phone calls that we handle on a daily basis.  If you’re not sure how to handle suspicious emails, or would like to train your entire team on what to look for and what to avoid, call Ashton Technology Solutions at 216 455-9999.