Ten tips on not getting spear-phished

October 6, 2015

When you see an e-mail from an old friend who you haven’t spoken with in a bit – what do you do?

Do you trust the e-mail because you recognize their name? Or do you trust but verify the details before taking actions like clicking links or opening attachments?

If you are a “Truster” — you might be setting yourself up to get spear-phished. Spear-phishing is where a hacker pretends to be a friend, a colleague or a known brand to get you to open an e-mail and take an action. The action might be to click a link, open an attachment or send out a wire transfer.

“These attacks are real. The FBI estimates that in the last 2 years 7,000 companies have lost more than 750 Million because of e-mail related issues! Interestingly most of these companies have spam and virus filtering that fails to protect them.”

So, “Truster” or “Verifier”, what can you do? Here are ten tips for not getting spear-phished:

Watch the e-mail subject and tone:
1. Be extra careful with any e-mails that try to cause a sense of urgency or fear. E-mails focused on financial transactions, or those where you urgently need to do something, are designed to get you to take action without thinking.

2. Be careful of communication you weren’t expecting. For example, you know whether you placed that order on Amazon — so assume that an unexpected Amazon e-mail is a phishing message.

3. Be extra careful around e-mail concerning financial transactions. Don’t click the links or open the attachments. Go right to the financial institution’s website to interact with them.

Look at the e-mail sender’s information carefully:
4. Watch for misspelt names and unusual e-mail addresses. For instance, if your friend normally e-mails you from their usual address at gmail.com but today the e-mail is coming from a similar-looking address at yahoo.com – be much more careful before taking an action.

5. Always distrust e-mail from people you don’t know. For example, if your Manager’s Manager doesn’t know you and never talks to you — but today you are getting an e-mail from her asking you to do something – check it carefully.

6. Look for changed patterns of behavior. For example, if your wife always e-mails your @gmail.com address but today her e-mail is coming to your work address, that is a change in her behavior. These changes don’t happen regularly and may indicate something phishy!

Examine all the links:
7. Hackers use a combination of good and bad links in each e-mail. Hover over any link you intend to click to see where it really goes before you click it.

8. Be careful with shortened links such as tiny.url or numeric links. For example, if you get a link that reads http://www.amazon.com in an e-mail, but when you hover over it the destination shows as http://tiny.url/amazon or a numeric address, don’t click the link. Instead open a browser and type in www.amazon.com — which is the address the link claims to be taking you to.
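Tips 4, 7 and 8 can be checked mechanically on a message before anyone clicks. The script below is an added example written for this page, not code from the original post or from Astra IDentity: it parses a constructed sample e-mail (the addresses, names and links in it are made up), compares the sender against a small constructed address book of the addresses each contact usually writes from, and flags every link whose visible text names a different host than the real destination, uses a URL shortener, or points at a bare IP address. The `SHORTENER_HOSTS` list is an assumption for the example; a real deployment would maintain its own.

```python
import email
import email.utils
import ipaddress
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail). The visible link text claims to be
# amazon.com, the real href is a shortener, the third link is a bare IP address, and
# the sender's address is not the one we normally see from this contact.
SAMPLE_EML = """\
From: "Alice Example" <alice@yahoo.example>
To: you@work.example
Subject: Urgent: confirm your order
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review your order now: <a href="http://tiny.url/amazon">http://www.amazon.com</a></p>
<p>Or see <a href="https://www.amazon.com/help">Amazon help</a></p>
<p><a href="http://203.0.113.5/login">Sign in</a></p>
</body></html>
"""

# Constructed address book: the addresses each contact normally writes from (tip 4).
KNOWN_CONTACTS = {"Alice Example": {"alice@gmail.example"}}

# Assumed list of shortener hosts for the example; tip 8 names tiny.url.
SHORTENER_HOSTS = {"tiny.url", "tinyurl.com", "bit.ly"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'www.amazon.com' is treated as an http URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons (tips 7 and 8) a single link deserves a closer look."""
    reasons = []
    real_host = host_of(href)
    if real_host in SHORTENER_HOSTS:
        reasons.append("shortened link")
    if is_ip_host(real_host):
        reasons.append("numeric address")
    # Visible text that itself looks like a URL must agree with the real destination.
    if "." in text and " " not in text:
        shown_host = host_of(text)
        if shown_host and shown_host.removeprefix("www.") != real_host.removeprefix("www."):
            reasons.append(f"display text says {shown_host} but link goes to {real_host}")
    return reasons


def check_sender(msg):
    """Tip 4/5: does the From address match what we usually see from this person?"""
    name, addr = email.utils.parseaddr(str(msg["From"]))
    addr = addr.lower()
    usual = KNOWN_CONTACTS.get(name)
    if usual is None:
        return [f"sender {addr} is not in the address book"]
    if addr not in usual:
        return [f"{name} usually writes from {sorted(usual)}, this came from {addr}"]
    return []


def analyze(raw_message):
    """Return {'sender': [...reasons...], 'links': {href: [...reasons...]}}."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = {"sender": check_sender(msg), "links": {}}
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings["links"][href] = reasons
    return findings


if __name__ == "__main__":
    for section, result in analyze(SAMPLE_EML).items():
        print(section, result)
```

The display-text comparison strips only a leading `www.`, so `amazon.com` shown against `www.amazon.com` passes while `amazon.com` shown against any other host is reported; links whose visible text is ordinary words ("Amazon help") are left alone because there is nothing to compare, which is exactly why hovering over them is still worth the habit the post describes.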

Attachments, Shattachments:
9. Don’t open any attachments that are executable files. Attachments can result in a hacker holding your computer hostage by encrypting all its data with CryptoLocker, or worse, installing a keylogger that gives them full visibility into all your usernames and passwords. If you are running anti-virus, make sure it is set to auto-update daily and to scan everything that runs. Also make sure to turn on automatic OS updates.

10. Don’t trust Microsoft Office or PDF type attachments. These attachments can contain malicious code that executes and causes similar issues to executable files. I recommend that you turn macros off in Microsoft Office apps and set both Microsoft Office and Adobe Acrobat to auto-update.

So regardless of whether you are a “Truster” or a “Verifier”, I hope that these ten tips help you not get phished!

Downloadable Guide and Interactive Simulation
All of these tips are available as a downloadable one-page guide on our Can you Spot the Impostor web-based spear-phishing simulation site. The simulation is a free and easy 2-3 minute way to see first-hand examples of how hackers might try to spear-phish you. We created this game-like simulation and launched it this month to highlight the problem of spear-phishing and educate e-mail users. Of all the people who have tried the simulation, we see that only 1 of every 7 is able to spot all the e-mails correctly.

Gagan Prakash is the Founder and CEO of Astra IDentity, Inc. Astra IDentity’s product PhishingGuardian integrates with an organization’s existing messaging infrastructure to provide protection, tools, alerts and in-line training for phishing and social engineering attacks carried out via e-mail. Request a demo today.