By André Mouradian, Senior Manager – EMEA, Wombat Security
The last few years have seen a marked increase in the number of widely publicised phishing attacks. Campaigns targeting high-profile bodies, combined with the widespread outbreak of WannaCry, have highlighted the growing threat of cybercrime and underlined its devastating impact. Most recently, claims of a Russian spear-phishing campaign targeting US government agencies involved in the country’s latest presidential elections have raised concern over how easily cybercriminals can target consumers, businesses, and government organisations with phishing emails.
The success of all phishing and email-based ransomware attacks relies on one thing – human error. Cybercriminals have learned to exploit this weakness by using multiple social engineering techniques to manipulate human emotions and trigger a response.
It can feel overwhelming to maintain constant vigilance against cybercrime, but below are what I think are the three top tips you can use to identify and avoid malicious emails.
#1 Skimming is good for milk… less so for emails
We receive so many emails that we’ve conditioned ourselves to skim messages. This is a risk, as a message often contains clues that would alert us to a potential scam if we read it properly.
- “From” addresses, URLs, and embedded links can masquerade as things they aren’t. Do not take these items at face value (even if a name, logo, or other identifier seems legitimate). On your PC, hover over these pieces of content and examine the info that appears (you will often see the true destination of a web address in the bottom left of your browser window). On mobile devices, use a “long click” and review the information in the pop-up window. If there appears to be a mismatch between what you expected to see and what is actually presented, steer clear.
- You may get a message that doesn’t seem to be quite right. The tone of an email from a colleague, friend, or relative might just not “sound like” them. Or you might receive an invoice or shipping notification that doesn’t make sense based on your ordering history – never just glaze over details.
- Misspellings and poor grammar can be indicators that the email didn’t originate from a trusted source. This is particularly true with messages that appear to be from a well-known, well-established individual or organisation.
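The first bullet's hover check can also be done programmatically before a message reaches the reader. The script below is an added example, not code from the article or from Wombat Security: it parses a constructed sample message (not a real phish) and flags a From display name that is written to look like an address but differs from the real one, and any link whose visible text names one host while its href points at another.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): the visible sender and the visible link text
# both look like the bank, while the real address and the real link target do not.
SAMPLE_EML = """\
From: "security@acme-bank.example" <notify@acme-bank-mailer.example>
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.acme-bank-secure.example/verify">https://www.acme-bank.example/login</a></p>
<p>Questions? <a href="https://www.acme-bank.example/help">Help centre</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a>: the pair a hover preview would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    # Lower-cased host of a URL, or '' if it has none (urlparse needs a scheme to find one).
    return (urlparse(url).hostname or "").lower()

def check_message(raw):
    """Return warnings for sender and link mismatches in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # Sender: a display name written to look like an address, differing from the real addr-spec.
    for addr in getattr(msg["From"], "addresses", ()):
        name = addr.display_name.lower()
        if "@" in name and name != addr.addr_spec.lower():
            warnings.append(f"From shows {name} but is really {addr.addr_spec}")
    # Links: visible text naming one host while the href points at another.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host_of(href):
            warnings.append(f"link text shows {shown} but points to {host_of(href)}")
    return warnings
```

Running `check_message(SAMPLE_EML)` yields one warning for the sender and one for the sign-in link; the "Help centre" link passes because its visible text is not a URL, which is exactly the case where a human still has to hover.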
Be particularly wary of any email that seems like it’s designed to trigger your emotions and urges you to respond.
#2 Your emails are like food – you need time to digest them
After you read an email, take a moment to digest it. If the email requests a response that could compromise sensitive data, devices, or systems, consider asking the following questions:
- Was I expecting this message? – If the answer is ‘no,’ ask more questions.
- Does this email make sense? – If the tone doesn’t seem right or the information you’re being provided with doesn’t make sense, it could very well be a phish.
- Am I being pushed to act hastily? – If you are, this is a major red flag.
- Does this seem too good to be true? – If you can’t believe what you’re reading, it’s likely you’re reading a phish.
- What if this is a phishing email? – Could you be downloading malware that would corrupt all your files? Could you be turning over a password or credit card number to a criminal? Could you be exposing your co-workers’ private information to a scammer?
#3 Stop, look, and listen… to yourself
A message can look and sound legitimate but still set off warning bells. For example, an email sent from a corporate IT address telling you to download new security software may seem trustworthy, but would your IT department normally follow this process?
If you’re not 100% confident, take extra steps to verify that you are dealing with a legitimate request before you click a link, download a file, or reply with sensitive data. Here are some easy ways to confirm that an email is legitimate:
- Instead of clicking on a link, open your web browser and type in a known, trusted URL and navigate to the site yourself.
- Instead of replying to an email or calling a number included in the message, do your own fact-finding. Use an email address or phone number that you are able to confirm.
- If you’ve received a questionable message from a colleague or friend, contact them via another channel and make sure they sent it.
- Reach out to your IT team for advice.
It takes just a minute to confirm a questionable message. In contrast, it can take days or weeks to remedy the consequences of interacting with a phishing email, and sometimes the damage is irreversible.