An effective cybersecurity strategy is a team effort. If a company’s employees do not understand what to look for when it comes to cyber threats, then that company is at risk.
Getting everyone on the same page from a security standpoint can seem like a daunting task, but even small efforts can yield big results. A great place to begin is with email security. Here are 5 simple things you and your fellow employees can do to identify and avoid phishing attacks and other email scams.
1. Check the Sender
The first safety precaution you should take with an email is to ensure that it is coming from the person you expect. Just because an email’s display name or the “from” field may be someone you recognize does not mean that the email is actually coming from them!
Want to find out where an email is really from? Check the From:, Mail to:, or Reply to: fields. If you are using a web or mobile app such as Gmail, you can click the “view details” link at the top of the email to confirm. If the email display name states that it is coming from one place, but the “Reply to:” or other field shows otherwise, you should be questioning the authenticity of that email.
2. Validate Before Clicking
In many cases, cyber threats come disguised as standard hyperlinks. Clickable pictures, buttons, words, or even what may look like a valid link to a website URL can all be used to trick an email recipient into clicking on harmful material.
The easiest way to validate a link is to hover over it with your cursor. When you do so, the actual address that the link will take you to will show up either right next to the link itself or at the bottom of the web browser. Make sure that whatever you are about to click on is taking you to the expected domain and not an IP address or URL that you do not recognize.
3. Use Caution When Opening Attachments
My own rule of thumb when dealing with email attachments is to ask myself “Was I expecting this file?” If the answer to that question is “No”, I disregard that file and move along.
In cases where I am unsure, I confirm with the sender by drafting a brand new email to them before opening any attachments. Do not just “reply” to the questionable email you were sent, since if it is a hacking attempt, you will likely just be communicating with your would-be attacked!
If a legitimate contact confirms that they did, indeed, send you the attachment in question, you can then open it. If they tell you that they did not send that email, you should know it is a threat and report the issue to your IT department.
On a related note, if you are expecting an attachment from someone, make sure you know what kind of file you are opening and avoid harmful file extensions. Some examples of these are files that end with .VBS, .EXE, .COM, and .MSI.
4. Be on the Lookout for Oddities
Hackers will often send phishing email with misspellings, weird spacing, choppy language, oddly worded salutations, or closings. When you read one of these emails, they often just feel wrong. Trust your gut on these. If an email seems odd, it's very likely you're looking at a phishing attempt.
If you do receive an email that seems odd, but it looks like it came from someone you know, you should confirm with them by phone or by drafting a new email to them.
5. Realize That Some Things Just Won’t Happen Through Email
One of the best tools anyone has in avoiding email scams is understanding that some interactions will never happen through an email. For example, banks are not going to arbitrarily contact you via email to confirm account information. You will not be contacted by accounts to change passwords with an email out of the blue. A Saudi prince is not going to notify you of an inheritance that he has for you, but just needs you to wire money so he needs your bank account information.
If you see any of these emails and you are concerned that the request may be valid, contact the company or navigate directly to the website or app outside of email to make these account changes. If you receive an email stating that an account of yours has been compromised and you need to change a password, do not click the “Change Password” link in the email itself. Go to the website, login into your account normally, and see if there are any alert messages. Lastly, you can disregard the email from the Saudi Prince. Sorry, but there is no inheritance with your name on it!
These tips are just a few basic ones to help identify some of the most common attacks. They are admittedly just the tip of the cybersecurity iceberg, but security processes succeed by not only protecting yourself from the big, complex threats, but also from simple attacks like these.
If you’d like to learn more about how to protect yourself, as well as your coworkers or employees, Envision can help with a range of security posture offerings. Contact us today and let’s talk about about what makes sense for your organization.
Explore our cybersecurity services to find out how you can further protect your organization and its people.