Here’s an informational document you can provide to your team regarding email safety. Email is by far the easiest way to get access to anyone at your organization, and everyone should be trained and aware of potential security threats.

1 - What is Phishing?

Phishing is a form of fraud in which an attacker impersonates a trusted person or company to lure victims to a malicious website and gather personal information or credentials. A common example might be receiving an email from ‘Your Google Administrator’ asking you to click a link and input your logon credentials. Attackers will generally use real logos and other official-looking branding to make the email and the malicious site appear legitimate.

2 - It’s Easy to Spoof Email Addresses

Never trust an email based solely on the purported sender. IT departments should take measures to prevent unauthorized external entities from sending email using your organization's domain, but it is still possible for an attacker to make it look as though they are. Common ways of achieving this are to use easy-to-miss misspellings or alternate domains (person@yourorg.biz or person@yourorg.co.com), or to hide an obviously incorrect address behind a known contact name, such as From: Your CEO <scammer@gmail.com>. These directed attacks are generally looking for non-refundable ways of extracting money from the victim, often pretending to be a C-level executive asking for gift cards or wire transfers. In some cases, these attacks can be as sophisticated as requesting that HR employees change direct deposit information.

3 - Check Every Link

Every spoofed email will include a link of some sort. While the link text may say ‘Go to Outlook’, the URL underneath will be crafted to redirect the user to the attacker’s malicious website, made to look like Outlook Online. Make sure you hover over any link and verify the address before ever clicking on it. When in doubt, manually go to the site by typing the address you’re already familiar with into your browser. Often, phishing emails will contain ‘shortened’ URLs to bypass these checks, so never click on a link from a URL shortener like Bitly unless you know for certain who sent it to you. In addition to in-body links, attackers will often send links in attached documents, where the same scrutiny needs to be applied.
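As an added illustration (not part of the original document), a small Python triage script that applies the checks from the two sections above to a raw message: sender address versus display name, look-alike domains, link text versus the real destination, and URL shorteners. The organization domain, the protected display name and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "yourorg.com"              # assumed: the organization's real domain
KNOWN_NAMES = {"your ceo"}              # assumed: display names attackers like to borrow
SHORTENERS = {"bit.ly", "tinyurl.com"}  # shorteners the page names
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def host_of(url):  # lower-cased hostname; bare domains in link text get a scheme first
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def is_lookalike(domain):  # yourorg.biz or yourorg.co.com share the label, not the domain
    return domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain

def check_from(from_header):
    """Flag external senders, a trusted name hiding a stranger's address, look-alike domains."""
    findings, (name, addr) = [], parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain != ORG_DOMAIN:
        hidden = f" under trusted name '{name}'" if name.strip().lower() in KNOWN_NAMES else ""
        findings.append(f"external sender address: {addr}{hidden}")
    if is_lookalike(domain):
        findings.append(f"look-alike sender domain: {domain}")
    return findings

def check_links(html):  # compare each link's visible text with where its href really goes
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host, text = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        if host in SHORTENERS:
            findings.append(f"shortened URL hides destination: {href}")
        if is_lookalike(host):
            findings.append(f"link to look-alike domain: {host}")
        if "." in host_of(text) and host_of(text) != host:
            findings.append(f"link text '{text}' actually goes to {host}")
    return findings

def triage(raw_email):  # parse a raw single-part message and run both checks
    msg = message_from_string(raw_email)
    body = "" if msg.is_multipart() else msg.get_payload()
    return check_from(msg.get("From", "")) + check_links(body)

# Constructed sample modelled on the page's own examples (not a real message).
SAMPLE = """\
From: Your CEO <scammer@gmail.com>

<p><a href="https://bit.ly/EXAMPLE">Go to Outlook</a></p>
<p><a href="https://yourorg.co.com/login">https://outlook.office.com</a></p>
"""
```

Running triage(SAMPLE) yields four findings: the external address behind the ‘Your CEO’ name, the shortened link, the look-alike yourorg.co.com destination, and the link whose visible text is a Microsoft URL but whose href goes elsewhere.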

4 - Safety Tips

Never click on anything in an email from someone you don’t recognize. No legitimate company or government agency will ask for personal or financial information via email. Finance and HR should have policies in place limiting the type of information that may be requested over email. When in doubt, call the requestor for verbal confirmation before responding to any strange request. If the request seems out of character, it’s probably a scam! Always verbally verify before fulfilling any request to purchase gift cards or wire money to an account.

[Figure: macOS Mail client]

Identifying a spoofed email

  1. Check the From field. Official company emails will always come from name@yourorg.com.
  2. The tone of a spoofed email is commonly urgent or mildly threatening, such as ‘Your account has been suspended’ or ‘I need you to handle something immediately’.
  3. Spoofed emails are usually mass-mailed, so the greeting is often generic, such as ‘Dear customer’ or ‘Hello’ instead of ‘Hello, Your Name’.
  4. Spelling and grammatical errors are often, but not always, present in a spoofed email. Be wary of spacing errors, stray symbols in the body of the email, or other subtle signs.
  5. Don’t click email links if you can avoid it. Always hover over a link to view where the URL actually leads. Beware of URL shorteners like Bitly or TinyURL.
  6. Attackers will use images from known, trusted sites on their malicious pages to appear legitimate. Often these pages are indistinguishable from real logon pages and can easily deceive the unwary.

We Can Help!

If you’re concerned about your communications health or security, our team of experts can help you define policy as well as execute a security strategy. Please reach out; we’d love to speak with you!