IT Update: Email Security Awareness

By Dan Spruill, Director of IT

You’ve probably been the recipient of suspicious emails at some point. In most cases, those emails represented harmful applications or intentions, loosely represented as a business related email. These types of messages are classified as “phishing” emails, where someone is trying to get access to your information by making the email seem like it is legitimate and hopes you make the easy mistake of opening it.

Malicious emails of this type contribute to roughly 77.3% of network/data breaches, primarily by including harmful attachments or links expecting the receiver to want to view the information. The senders are capitalizing on the fact that 95% of all security incidents involve human error, per the findings in IBM’s report entitled 2014 Cyber Security Intelligence Index.

Given these facts, here are some quick tips from ReturnPath.com* that will help minimize our risk as we review email – both personally and at work:

Don’t trust the display name

If a phisher wanted to impersonate a sender from Bank of America, the email header may look something like:

To: John Smith <john.smith@ruppertlandscape.com>
From: Bank of America <accounts@secure.com>
Subject: Unauthorized login attempt

Since Bank of America doesn’t own the domain “secure.com,” you can assume this is fraud. Check the email address in the header—if it looks suspicious, don’t open the email.

Check for spelling mistakes

Legitimate messages usually do not have major spelling mistakes or poor grammar.

Analyze the salutation

Emails addressed to a vague “Valued Customer” should raise suspicion.

Don’t give up personal information

Banks and most other companies will never ask for personal credentials via email. Don’t give them up. To verify if it’s truly your bank who has contacted you, call the number on the back of your bank card/credit card etc. and explain what you received via email to verify authenticity.

Beware of urgent or threatening language in the subject line

Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”

Review the signature

Lack of details about the signer or how you can contact a company can be symptomatic of a phishing attempt. Most businesses provide contact details.

Look but don’t click

If the email seems suspicious in any way, do not click on any links embedded in the body of the email or open any attachments. Attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

If an email looks even remotely suspicious, don’t open it! If you are not sure about an email, send it to your company’s IT department—they can open it for you, and if they cannot tell right away if the email is valid or not, they may be able to open it in a secure environment with no risk of impacting your network.

Don’t believe everything you see—phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. The bottom line is: be skeptical when it comes to your email messages.

*Tips paraphrased from ReturnPath.com blog post, “10 Tips on How to Identify a Phishing or Spoofing Email,” posted by Estelle Derout on December 15, 2015.