Email security advice – avoiding a phishing mail
With many high-profile breaches making the headlines in recent months, organizations need to make their staff aware of how to avoid falling victim to often very simple phishing attacks that introduce malware and ransomware to organizations.
User awareness is key to the prevention of security incidents such as malware and ransomware attacks. Technical controls and solutions alone cannot mitigate against every type of attack if staff are not adequately trained to avoid letting malicious software through.
What is ransomware?
Ransomware is a type of malicious software (malware) which attempts to extort money from victims, typically by displaying an alert stating that the computer has been locked and that all files have been encrypted.
A ransom is demanded to restore access – hence the moniker “Ransomware.”
What is phishing?
The practice of using social engineering to coerce an unsuspecting employee of clicking on a malicious link or unwittingly parting with valuable information. Often an attachment contains a dropper malware which, once opened, downloads various types of malware – including ransomware - into the infected machine.
Spotting malicious emails - security tips
Below is some advice on spotting potentially malicious emails and links. Feel free to share these tips with your staff members to help raise internal awareness:
- Is the email from a trusted source?
Review the “From” address - attackers often impersonate or “spoof” staff by using incorrect spelling of names or domains you may be familiar with or in contact with e.g. “@y0ur0rg.com”
- Review the subject of the mail
Attackers often try to include valid email information in the subject to trick the user into believing the email is legitimate. If it doesn’t seem legitimate, better report it to your IT dept.
- Review the spelling and content of the mail
Attack emails often contain poor spelling and grammar. This is a tell-tale sign that email has come from a malicious source.
- Ask “Is this mail relevant to my job role and responsibilities?”
Is the nature of the email related to your job function?
- Does a mail refer to an action you did not take?
Typically attackers will draft these mails as responses to “requests” you may have made. Is there a mail trail of you requesting this information or file? Or is the email a once off?
- Be vigilant of attachments
Attackers will often include a malicious file as an attachment to a phishing mail.
DO NOT open or interact with any attachments in strange or suspicious emails. Verify that:
- the sender is legitimate
- the content of the mail includes a legitimate mail history
- the attached file is one you have requested
- the attachment is in the correct format (e.g. is this report an xls instead of the usual PDF?)
- Be vigilant of links
Attackers will also try to include links to malicious content or websites. DO NOT click on any links that you do not trust or are not familiar with.
- Don't forget hyperlinks
Attackers may use URL hyperlinks in the body of an email (e.g. “Click Here”).
Typically, hovering your mouse cursor over these hyperlinks will disclose the real destination of the link. Right-clicking and copy and pasting this into a word processor can also be performed to review the link.
Fostering a culture of security awareness
An organization can have all the defences in the world, but staff who are unaware of security vulnerabilities can undo this work and investment with the click of a mouse.
Users should be trained about threats associated with web browsing, following web links in emails, successful identification of phishing attempts, etc. Staff should also be made aware of the warning signs of ransomware or other malware and be aware of the procedure to follow if they suspect an infection.
In addition, IT Support staff should have a clear understanding and procedure for dealing with any outbreak. A strong, calculated Incident Response plan is vital.
The strongest defence is constant and effective Security Awareness Training. Staff who are trained and aware of how to spot the tell-tale signs of a phishing attack are much less likely to be victims and much less likely to inadvertently introduce malware into an organization.
Creating a culture of security awareness in an organization, takes time and investment but can often be the most effective defensive tool.