Equal Opportunity Exploiter
The people who fall for email based attacks do not conform to specific demographics.
Victims are tech-savvy and high-level employees alike. They are lawyers, real-estate brokers, top management and even Google employees. They are also the elderly and the young, the uneducated and doctors, low-income and wealthy. It matters little. The attack vectors might change who the target is (and who is likely to fall victim), but wherever there is an opportunity you can expect the criminal to figure out a way to exploit it.
How They Get You
The three behavioural patterns the criminals will focus on are:
Familiarity: An email from a known sender or brand increases trust in the recipient.
Inattention: The recipient likely receives too many emails on a daily basis to really critically analyze them.
Urgency: Creating a sense of urgency makes recipients act irrationally and without necessary consideration.
If you have basic email and cyber security awareness, and understand that these three factors are at play, you will be in a much more secure position.
The Clues to Look For
There are threads that run consistently through how scammers execute their attacks. Being able to identify these clues in a malicious email is the last mile of defense.
Unsolicited Email
If an email comes from an unsolicited source, it’s spam*, and possibly malicious. Operate with that assumption (if it’s unsolicited, it’s harmful) and you’ll probably avoid nearly all threats. Approaching unexpected email with suspicion will keep you safe. If it is a familiar company but a name you don’t recognize, be wary as well.
The importance of this one cannot be overstated. If you are unsure, approach with extreme suspicion. If a criminal is sending you an unsolicited email, at least make him work really hard. Google (or Bing) the email address of the sender to see if any scam reports come up. Verify the sender’s identity on LinkedIn, or ask a mutual acquaintance, to ensure they work at the company they say they do.
*In all fairness, there are a few, albeit rare, exceptions.
Fake Company Standard Email
A tactic often used by criminals involves impersonating a brand and sending fake emails on its behalf. This is meant to bypass the above rule (“if it’s unsolicited, it’s dangerous”). If you believe you are clicking on an Amazon or PayPal email, you could be “clicking” into a trap.
The criminal will go to every length to make you believe they are legitimate, but there are always clues that they aren’t the real deal. The first clue should be in the sender or reply-to email address: look for unusual “from” senders and domains. The body is a less reliable clue as scammers perfect their technique, but it will often contain design inconsistencies such as misused fonts, colors or formatting. In a similar vein, spelling and grammar errors, or irregular requests, should trigger deep skepticism.
Legitimate companies with large email marketing budgets, brand guidelines and proofreaders are very unlikely to send imperfect emails, far less likely than the scammers who try to imitate them.
Urgent Requests
One of the primary ways that criminals get you to fall for their scams is through the use of urgency. If they can get a target to believe they must act now or a major opportunity or deal will fall through, people do irrational things. This is why, if an email demands urgency, especially when any financial transaction is involved, it is imperative to use fail-safes or multi-factor authentication. Criminals have in some instances even called the target to confirm the transaction details, playing off vulnerabilities and faking social validation. You should establish foolproof verification steps in advance, whether by mandating through company policy that all urgent email requests require verification by phone, by requiring a second known party to validate the request, or by other methods that are more difficult for a criminal to subvert.
Emails with Attachments
The threat of malicious attachments needs to be taken very seriously. As previously outlined, downloading, and even simply opening, a malicious attachment can have dire consequences if not treated with care. These include the installation of malicious code, malware or spyware, and socially engineered attacks. When you receive an attachment that you were not expecting, always tread with care.
Usually the email will come from an unknown sender, which should be your first clue. This shouldn’t be relied on, as your colleagues’ or contacts’ accounts are often hacked and used to spread these attacks. Criminals often use short body text, referring to a generic “follow up from our meeting”, “quote as requested” or “Invoice attached”. Attachments usually have filenames that you wouldn’t consider professional. Never download an executable (.EXE or .DMG) or zipped (.ZIP, .RAR or similar) file sent via email.
If you weren’t expecting it and it seems suspicious, inform your IT admin, and also report it to your email security vendor if you have that capability. Generally speaking, after what you’ve read here, if it looks too risky to share with IT or to click on, delete the email.
Real estate is an industry that is seeing a tremendous increase in cyber-assisted fraud. Why? Victims often blindly trust authorities, the transactions are very high value, and the pressure to move quickly is always present.
Password Resets
Another all-too-common attack is an email requesting that a user reset their password via a provided link. Clicking the link could take you to a phishing site that looks like the real website. Completing the password reset on the phishing form would be like handing your credentials directly to the criminals: it won’t actually reset your password, it only harvests your existing one.
If you receive a reset prompt and did not request it, and it’s not simply a reminder, examine the domain. Is it making an appropriate request? Does it seem legitimate? Is the email address or structure the same as a known legitimate email you’ve received in the past? When all else fails, simply Google it, and if it doesn’t match a known sending domain for the service you’re being prompted by, quarantine the email.
Other Clues
- Look out for links that don’t go to the domain of the perceived sender.
- Congratulations! No, you probably did not win anything. Nor is the too-good-to-be-true offer any good.
- Legitimate companies will never ask for confidential details over an email.
- Once you’ve improved your email security awareness you should be able to sense when something is off with an email.
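The clues from the sections above (a reply-to address on a different domain than the sender, urgent wording, a risky attachment type, and links that leave the perceived sender's domain or whose visible text names a different site than their target) can be checked mechanically. The following is an added example, not code from the original article; the sample message and the .example domains are constructed for illustration, and the keyword and extension lists are assumptions drawn from the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (not a real message) showing several of the article's clues at once.
SAMPLE_EMAIL = """From: "PayPal Support" <service@paypal.example>
Reply-To: billing@pay-pal-secure.example
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Click <a href="http://pay-pal-secure.example/login">https://www.paypal.example/login</a> now.</p>
--b1
Content-Type: application/zip; name="Invoice.zip"

UEsDBA==
--b1--
"""
RISKY_EXT = (".exe", ".dmg", ".zip", ".rar")  # types the article says never to download
URGENCY = ("urgent", "immediately", "within 24 hours", "act now")  # assumed keyword list
LINK_RE = re.compile(r'<a[^>]+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)

def domain_of(s):
    # Lowercase host of a URL, or the domain of an email address; '' if neither.
    m = re.search(r"://([^/\s]+)", s) or re.search(r"@([^>\s]+)", s)
    return m.group(1).lower() if m else ""

def phishing_clues(raw):
    # Return the list of article clues that fire for one raw RFC 822 message.
    msg = message_from_string(raw)
    clues = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:  # "Fake Company Standard Email"
        clues.append("reply-to domain differs from sender domain")
    if any(k in msg.get("Subject", "").lower() for k in URGENCY):  # "Urgent Requests"
        clues.append("urgent wording in subject")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):  # "Emails with Attachments"
            clues.append(f"risky attachment type: {name}")
        if part.get_content_type() == "text/html":  # "Other Clues": off-domain links
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for m in LINK_RE.finditer(body):
                href_dom = domain_of(m["href"])
                if href_dom != from_dom:
                    clues.append(f"link leaves the sender's domain: {href_dom}")
                if domain_of(m["text"]) not in ("", href_dom):
                    clues.append("link text names a different site than its target")
    return clues
```

A message that triggers none of these checks is not proven safe; the checks only automate the first pass the article asks the reader to do by eye.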
Better Safe Than Sorry
As attacks become increasingly sophisticated, criminals are finding ways to bypass many of the defenses you might have. This is why collaborative security is so important. Most organizations will have an IT person, whether in-house or offering services on a contract basis. When there is any doubt, use them as a resource and trust that they are looking after your best interests. It’s part of their job to protect you from risks, email-based and otherwise. As we will see in the next module, being the victim of a cyber security breach can be very harmful to you and your organization.