How to Protect Grandma’s inbox with Canarytokens

Canarytokens are a great way to help loved ones detect if their email has been compromised.

Canarytokens is a simple and free “tripwire” service you can use to detect whether an unauthorized person is secretly accessing your inbox or remotely poking around your computer.

How Canarytokens Work

On the Canarytokens website, you generate custom “tokens” that will send you an email alert whenever they are accessed. The simplest token is just a tiny, invisible image file.

Place a link to the image in a tempting place for an intruder – like a mock email you send to yourself titled “credit card and bank account numbers – emergency backup.” For bait, add some made-up credit card and bank account numbers, and now you’ve set the trap!

If anyone views that email and accidentally loads that invisible image, you’ll immediately be alerted so that you can take action (e.g., changing passwords).

The best news of all? Your dear old Nana doesn’t need to understand how any of this works. You can set it up for her and ask her to just leave the email, unopened, in her inbox.

The only danger is that she’ll embarrass you by bragging to all her friends about how smart you are!

It’s a simple two-step process

  • Go to https://canarytokens.org/, select “Web bug / URL token”, enter the email address where you want the alerts to go, and a reminder note about where you’re planning to deploy this token (this will be included in the alert emails).

Create my Canarytoken

The Canarytoken looks like this:

Your Web token is active! Copy this URL to your clipboard and use as you wish.

  • To embed the token, all you need to do is insert an HTML <img src="…" /> tag into your email. The “…” will be the custom URL you just generated on the Canarytokens website. For example:
<img src="https://canarytokens.com/feedback/images/u4up5ok/post.jsp" />

As a test, send the email to yourself and then view it like normal. If everything is set up properly, you should get an alert email in a few seconds saying that your Canarytoken image was viewed.

For best results, use a different account to receive the alert emails, like a work or spouse’s account, so the bad guys don’t know they’ve been detected!
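
The bait email from the two steps above can also be built with a short script. This is an added example, not code from the original post or from the Canarytokens project; the mailbox address and decoy lines are constructed placeholders, and the token URL is the sample one shown above, to be replaced with your own.

```python
"""Build the bait email described above as a .eml file (added example)."""
from email.message import EmailMessage
from html import escape
from urllib.parse import urlparse

# The article's sample token URL; replace it with the one generated for you.
TOKEN_URL = "https://canarytokens.com/feedback/images/u4up5ok/post.jsp"
SUBJECT = "credit card and bank account numbers - emergency backup"


def validate_token_url(url: str) -> str:
    """Accept only a plain https URL so nothing odd lands in the src attribute."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token URL must be an https:// URL")
    if any(ch in url for ch in '"<> \t\r\n'):
        raise ValueError("token URL contains characters unsafe in HTML")
    return url


def build_bait_email(token_url: str, mailbox: str, decoy_lines: list[str]) -> EmailMessage:
    """Return a message to and from `mailbox` with the token as a 1x1 image."""
    url = validate_token_url(token_url)
    msg = EmailMessage()
    msg["From"] = mailbox
    msg["To"] = mailbox
    msg["Subject"] = SUBJECT
    # Plain-text part: bait only. The token can fire only from the HTML part.
    msg.set_content("\n".join(decoy_lines))
    rows = "".join(f"<p>{escape(line)}</p>" for line in decoy_lines)
    img = f'<img src="{escape(url, quote=True)}" width="1" height="1" alt="" />'
    msg.add_alternative(f"<html><body>{rows}{img}</body></html>", subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    """Return the decoded HTML body, the part a mail client renders."""
    return msg.get_body(preferencelist=("html",)).get_content()


if __name__ == "__main__":
    # Constructed decoy data: a well-known test card number and a made-up account.
    decoys = ["Visa: 4111 1111 1111 1111  exp 01/30", "Checking acct: 000123456789"]
    message = build_bait_email(TOKEN_URL, "grandma@example.com", decoys)
    with open("bait.eml", "wb") as fh:
        fh.write(message.as_bytes())
    print(html_part(message))
```

The alert fires only when the viewing mail client actually fetches remote images, which is why the send-it-to-yourself test described above is worth doing before relying on the token.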

Beyond simple image files, Canarytokens offers other clever tokens that are easy to use, like one for Windows that will tell you if someone opens a folder. See what other creative applications you can come up with to protect your family.

Your Nonna will be SO PROUD of you!


RJ Russell
As a Virtual CISO, RJ helps clients understand and manage their cybersecurity risk. He has previously worked in financial services managing the security and infrastructure of State Street’s CRD investment management SaaS platform. He also has more than 20 years of experience supporting enterprise production environments across several industries. RJ received his Bachelor of Science in Mechanical Engineering degree from Purdue University. He also is a Certified Information Systems Security Professional (CISSP).
