The reason 9 in 10 cyber attacks begin with email, according to Mimecast, is its straightforwardness and ability to exploit human behavior. As Scott Crawford, Information Security Research Director at 451 Research, noted, an email is “one of the most direct paths to entry into the enterprise, and it relies heavily (and all too often, successfully) on human behavior to assure initial penetration.”
The ultimate barrier a phishing email has to overcome is suspicion. The more carefully the email is crafted to look legitimate, the higher its chances of deceiving the recipient. Before opening any unusual (and even usual) email, ask yourself the following questions:
Am I expecting this email?
The first thing to raise your suspicions should be an unwanted or unexpected email. The most basic phishing emails are filled with grammatical mistakes and don’t include any personalization. They’re easy to spot. What if the email is well written and includes your name in the heading, but it’s supposedly sent from someone you barely know or don’t know at all and its content doesn’t sound right? In either case, think twice before going any further.
Is it about a legitimate request?
The aim of any phishing email is to push you to perform a specific action. Depending on the type of phishing email, you might be asked to:
- Click a malicious link and/or open an attached document – this is very common for phishing and spear-phishing emails, which are meant to reach a narrow audience (in this case, your organization), with the aim of spreading malware through the network or redirecting you to a spoofed website where your login details will be stolen.
- Wire money or provide sensitive information – this is common for whaling emails, which look like they’ve been sent from C-level executives at your company, and ask, or rather order, you to quickly wire money, or send back login credentials or information. Remember that no one should ask for your personal login credentials, not even your boss.
Should I call back for confirmation?
Listen to your intuition. If something seems odd and arouses your suspicion, always ask for confirmation. Don’t reply to the message, because you can’t be 100% sure the sender is who they say they are. The most secure way is to pick up the phone and make a call.
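The three questions above can be turned into a simple triage routine a mail-security or help-desk team might run over reported messages. The following is an added example, not code from the original article or from any product it mentions; the organization domain, the list of executive names, the keyword lists and the three sample messages are all constructed assumptions, and a real deployment would tune them to its own environment.

```python
"""Triage heuristics for the three questions above: is the sender expected,
is the request legitimate, and should the reader call to confirm?
Added example; every constant and sample message below is constructed."""
import re
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                 # assumption: the recipient's own mail domain
EXECUTIVES = {"jane doe", "ceo", "cfo"}    # assumption: display names a whaling email would borrow
CREDENTIAL_ASK = re.compile(r"\b(password|login credentials|verify your account)\b", re.I)
MONEY_ASK = re.compile(r"\b(wire|transfer|payment)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|quickly)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+", re.I)


def domain_of(address):
    """Mail domain of an address such as 'jane.doe@example.com'."""
    return address.rsplit("@", 1)[-1].lower()


def triage(msg):
    """Return (score, reasons) for one message given as a dict."""
    reasons = []
    sender_domain = domain_of(msg["from_addr"])
    external = sender_domain != ORG_DOMAIN
    if external:                                        # "Am I expecting this email?"
        reasons.append("sender is outside the organization")
    if msg["from_name"].lower() in EXECUTIVES and external:
        reasons.append("executive display name on an external address")   # whaling pattern
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender_domain:
        reasons.append("Reply-To domain differs from From domain")
    body = msg["body"]                                  # "Is it about a legitimate request?"
    if CREDENTIAL_ASK.search(body):
        reasons.append("asks for login credentials")
    if MONEY_ASK.search(body):
        reasons.append("asks for a money transfer")
    if URGENCY.search(body):
        reasons.append("pressures the reader to act quickly")
    for text, href in msg.get("links", []):             # link text that hides a different host
        if LOOKS_LIKE_URL.match(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
            actual = urlparse(href).hostname or ""
            if shown.lower() != actual.lower():
                reasons.append(f"link text {text!r} actually points at {actual}")
    if external and msg.get("attachments"):
        reasons.append("attachment from an external sender")
    return len(reasons), reasons


def recommendation(score):
    """Map the indicator count to the action the article recommends."""
    if score >= 3:
        return "do not act; confirm by phone"
    if score >= 1:
        return "treat with caution; verify the request"
    return "no indicators found"


# Constructed sample messages: a whaling attempt, a credential phish, and a benign note.
SAMPLES = [
    {"subject": "Urgent wire request", "from_name": "Jane Doe",
     "from_addr": "jane.doe@example-mail.net",
     "body": "I need you to wire $20,000 to the vendor immediately and send back "
             "your login credentials so I can check the account."},
    {"subject": "Account verification", "from_name": "IT Helpdesk",
     "from_addr": "support@examp1e-com.net",
     "body": "Your mailbox is almost full. Please verify your account within 24 hours.",
     "links": [("https://portal.example.com/login", "https://examp1e-com.net/login")]},
    {"subject": "Meeting notes", "from_name": "Bob Smith",
     "from_addr": "bob.smith@example.com",
     "body": "Here are the notes from this morning's review. Let me know if I missed anything.",
     "links": [("https://wiki.example.com/notes", "https://wiki.example.com/notes")],
     "attachments": ["notes.pdf"]},
]


def triage_all(messages=SAMPLES):
    """Triage every message; returns {subject: (score, reasons)}."""
    return {m["subject"]: triage(m) for m in messages}


if __name__ == "__main__":
    for subject, (score, reasons) in triage_all().items():
        print(f"{subject}: {score} indicator(s) -> {recommendation(score)}")
        for r in reasons:
            print(f"  - {r}")
```

Each reason maps back to one of the article's cues: an unexpected external sender, an executive name on the wrong mailbox, a request for credentials or money, pressure to act fast, or a link whose visible text and real destination disagree. The score only decides how strongly to recommend the phone call the article already advises; it is a prompt for a human check, not a verdict.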
Raise cybersecurity awareness
Phishing attacks take advantage of untrained and unaware employees: it takes a single click on a malicious link to jeopardise your entire network. We know that training your entire workforce can be costly and time-consuming, but have you ever tried e-learning courses? They don’t need your staff to be simultaneously and physically present in the office – they can do it from the comfort of their home at any time. All they need is an Internet connection. The Phishing Staff Awareness e-learning course is a good option for raising staff awareness of phishing attacks – they will learn dozens of useful tips about how to recognize a phishing email.