This guide isn’t just for the IT department, the Accounts department or the business directors; it is for everyone.
A Guide to Email Scam Awareness and Prevention
When you think of email scams what do you imagine? If it is a badly worded plea from a billionaire prince overseas or a 99% off once in a lifetime offer, then you are part way there. But what about that email with the invoice attached? That looks genuine, right? Or the email from your boss asking for some banking details or a password. This is the real email threat; the one you don’t notice until it’s too late. This isn’t the work of some advanced hacker targeting a high-profile organisation, it’s the new face of spam, sent in its thousands, constantly adapting, becoming more and more deceitful every day. Spam email is getting smarter at using Social Engineering techniques to manipulate people into taking actions that expose confidential information.
Email is undoubtedly the most widely used communication tool for businesses, it has been for years and that is likely to continue for a good time to come. Unfortunately, this makes it one of the most attractive ways for attackers to compromise you and your business; even if you are always vigilant, it only takes one unsuspecting member of staff and one email to bring everything to a complete stop.
I Don’t Need To Worry
It almost goes without saying these days: everyone should have anti-virus. It is the best general defence against anything trying to run on your computer and is a vital component in protecting against threats. But without looking, when did your anti-virus program last update? When did it last run a virus scan? Did it detect anything?
Even in a small office, maintaining anti-virus products can be time consuming, which is why it falls to the IT department to ensure everything is kept in order. Luckily, managed anti-virus solutions empower your IT department to centrally monitor all the computers in your business, keeping them all up to date, ensuring they are scanning regularly and dealing with anything that gets detected.
So no need to panic right? Well, just as we take anti-virus for granted, attackers know all too well that their targets are protecting themselves, yet they still try and they are still able to succeed. By continually reinventing the virus, attackers are able to bypass detection briefly before anti-virus providers are able to react.
Whether you know it or not, some degree of spam filtering will be happening to the emails that land in your inbox. Email software like Microsoft Outlook has the basics built in for junk mail and it does a valiant job of catching blatant spam email, but that’s about it. With the fast paced world of computer security, ‘basic’ filtering will always be on the back-foot when it comes to detecting harmful email, it simply isn’t adequate.
For this reason, most businesses will invest in a dedicated service for email filtering to protect their users from falling prey to more advanced methods. If you don’t have something like this in place, you should absolutely invest. A solution such as Mailminder can stop harmful emails before they even reach your network and seriously reduce the load on your mail servers. But despite all the benefits, in the same way as Anti-Virus, these methods for filtering emails are reactions to an ever evolving threat.
These solutions learn from experience. Every product out there relies on past knowledge of the techniques, the known senders and the tell-tale signs of malicious code in order to detect harmful emails. It is therefore inevitable that when a brand new threat appears, there is a window of opportunity for the attackers to take advantage of the complacency that sets in when you assume you are fully protected.
For this reason, you should treat Anti-virus and Spam Filtering like the seatbelts and airbags in your car; they can save your life but you should still be vigilant when you drive and always stop at a red light.
Don’t Judge a Book by Its Cover
Ok, so how do we stay vigilant; what should we be looking for? Treat every email as suspicious until proven otherwise and check the basics first. It might seem like a lot of effort but these checks are quick and they will become second nature.
This is the most important and most often overlooked factor; do you know the person who sent the email? If you don’t know the person, do you recognise the company and is it one that your company deals with on a regular basis – if not, be very cautious about anything the email is asking you to do and do not trust the sender’s intentions. Why would a company you have never dealt with be sending you an invoice or a delivery notice?
If you recognise the address, look again.
There are typically two parts to the From Address of an email: the Display Name and the Email Address. If these don’t match up there’s a very good chance that the email isn’t coming from where it says it is. The account manager at your bank wouldn’t be emailing you from a gmail.com email address.
Even if everything looks ok, you should never take the From Address as proof of where the email has come from. Advanced techniques of disguising the sender can be extremely convincing, even appearing to have come from someone within your own company when actually, the email was sent by an attacker operating from a completely separate geographical location. If the email did come from the sender suggested, they could have a virus without knowing it themselves and their computer could be sending out emails on their behalf.
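The Display Name versus Email Address check above can be automated for anyone looking at raw message headers. The following is an added example, not code from the original guide, and it goes slightly beyond the text by also comparing the Reply-To and Return-Path headers against the From domain, since those are the two places a disguised sender most often gives itself away. The sample headers, the supplier and bank names and the list of free webmail domains are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Free webmail domains a bank, supplier or colleague's organisation would not
# normally send from. Assumption: illustrative list, extend for your environment.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Constructed sample headers (not a real capture): an organisation-sounding
# display name on a webmail address, with replies steered somewhere else again.
SUSPICIOUS_RAW = """From: "Example Bank Account Manager" <acct.manager.4471@gmail.com>
Reply-To: <support@example-bank-secure.test>
Return-Path: <bounce@bulk-sender.test>
Subject: Urgent: confirm your details

Please confirm your login details today.
"""

# Constructed sample of an ordinary message from a known supplier.
ORDINARY_RAW = """From: Jane Smith <jane.smith@supplier.example>
Return-Path: <jane.smith@supplier.example>
Subject: March invoice

Invoice attached as usual.
"""


def domain_of(addr: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw: str) -> list[str]:
    """Return human-readable reasons the sender looks wrong (empty list = nothing found)."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. Display name that itself contains an address at a different domain,
    #    e.g.  "jane@supplier.example" <someone@elsewhere.test>
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name shows {m.group(1).lower()} but address is at {from_domain}")

    # 2. Organisation-style display name on a free webmail address
    if display and from_domain in FREEMAIL_DOMAINS:
        findings.append(f"'{display}' sends from free webmail domain {from_domain}")

    # 3. Replies quietly routed to a domain other than the one shown in From
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply)}, not {from_domain}")

    # 4. Envelope sender (Return-Path, recorded by the receiving mail server)
    #    at yet another domain: the message was not handed over by the claimed sender
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if bounce and domain_of(bounce) != from_domain:
        findings.append(f"Return-Path is {domain_of(bounce)}, not {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("ordinary", ORDINARY_RAW)):
        print(label, "->", sender_findings(raw) or ["no findings"])
```

Each finding is a reason to look harder, not proof of a scam: legitimate newsletters and ticketing systems routinely use a Return-Path or Reply-To on a different domain, so the Reply-To and Return-Path checks are best treated as prompts to verify the sender by another route rather than as a verdict.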
The tone and wording of an email is often the biggest giveaway for spam and scam emails. If you know the person sending the email, generally, you will know how they communicate. Do they normally start their emails with ‘Dear’? Do they use your full name or refer to you as ‘Valued Customer’?
You should never be asked to send sensitive information over email; if they are requesting bank details, usernames, passwords, security questions or anything you wouldn’t feel comfortable sharing with a stranger, you should assume that they are not genuine.
If something doesn’t sound right, contact them and check before you do anything else. If you have a number for them, a phone call will ensure you’re talking to the real person but don’t use the number in their email signature, it could be part of the scam. Same goes for their email address; create a new email and never reply to the suspect one.
Attackers use emails to get their foot in the door, usually the harmful stuff happens after you act on that email. This is why you cannot implicitly rely on spam filters; the email itself might be completely safe but the instructions within it may lead you to a vulnerability elsewhere.
Emails that include a link to a website could be tricking you into going to a site that spoofs a real website, like mimicking your bank’s login page to coerce you into typing in your login information and unknowingly sending it directly to the attacker. Some sites host malware that uses weaknesses in your internet browser to download and install hidden software that can watch what you type or even hijack your email and start sending spam to your contacts. Needless to say, you should always know where a link will take you before you click on it.
Hover your mouse over the link but do not click on it. You should see the real address appear in a small box above your mouse pointer. Does it match up? If not, the sender is trying to trick you; don’t click that link.
Attachments do the same as a link but instead of your web browser, they aim to take advantage of vulnerabilities in the programs you use to open files. The invoice analogy is a good one because it has become extremely popular amongst attackers and hard to detect, especially if you deal with accounts and see invoices on a regular basis. Most email software blocks executable files (EXE) but allows standard document formats (PDF, DOC, DOCX, XLS), which can still pose a threat.
If you are ever instructed to ‘enable macros’ or change any settings in your software in order to view the document, treat this as a huge red flag; often this will be the last chance you have to prevent the attacker.
Simply put – if you are not expecting an attachment, don’t open it.
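The two checks described above, hovering to see where a link really goes and being wary of attachment types that can carry a program or a macro, can also be run over a message before anyone opens it. This is an added example rather than code from the original guide. It constructs a sample multipart message (the HTML body, the supplier name, the attachment names and their placeholder bytes are all made up for the example), parses it back the way a receiving system would, and reports links whose visible text names a different host from the real target, together with attachments in executable or macro-capable formats. The extension lists are an assumption for illustration and should be adjusted to your environment.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that are programs or scripts rather than documents (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta", ".jar"}
# Office formats that can carry macros: the legacy binary formats and the
# explicitly macro-enabled OOXML variants (assumed list).
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm"}

# Constructed sample body: the first link's visible text names one host while the
# href points at another; the second link is honest about where it goes.
SAMPLE_HTML = """<html><body>
<p>Your statement is ready. Please sign in at
<a href="https://example-bank.test.login-verify.test/signin">www.example-bank.test</a>.</p>
<p>Questions? Visit <a href="https://example-bank.test/help">https://example-bank.test/help</a>.</p>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased; bare hosts like www.example.test are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_findings(html: str) -> list[str]:
    """The programmatic version of hovering: flag links whose text names a host
    other than the one the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+", text)
        if shown is None:
            continue  # text such as "Click here" names no host; nothing to compare
        shown_host, real_host = host_of(shown.group(0)), host_of(href)
        if shown_host != real_host:
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
    return findings


def attachment_findings(msg) -> list[str]:
    """Flag attachments by file type; a double extension like .pdf.exe is caught
    because only the final extension counts."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable or script attachment")
        elif ext in MACRO_CAPABLE:
            findings.append(f"{name}: Office format that can carry macros")
    return findings


def build_sample_message():
    """Construct a multipart message (not a real capture) and round-trip it
    through the parser so it looks like a message as delivered."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@supplier.example>"
    msg["To"] = "you@yourcompany.example"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="Invoice_4471.pdf")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder", maintype="application",
                       subtype="vnd.ms-excel", filename="Invoice_4471.xls")
    msg.add_attachment(b"MZ constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


def scan_message(msg) -> list[str]:
    """Run both checks over a parsed message and return every finding."""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return link_findings(html) + attachment_findings(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("WARNING:", finding)
```

The host comparison is deliberately strict, so a link whose text reads www.example-bank.test while the href goes to example-bank.test will also be reported; in practice that is a prompt for a person to look, which is the point of the hover check, not a reason to block the message automatically.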
If you receive a suspicious email, delete it. If it has been sent to multiple people in the company, ensure that they all delete it too. Don’t be tempted to click on any link within the email and certainly never reply to the sender. Doing either of these things will, at the very least, inform the true sender that you exist, that the email made it to you and that you interacted with the email in some way. Once an attacker knows this, you become a prime target and the amount of spam email headed your way could increase exponentially.
An Ounce of Prevention
As discussed above, there will be measures in place to mitigate your exposure to spam and scam emails. Anti-Virus and Anti-Spam are a must-have for any business but the greatest prevention is the education of staff. Just knowing the ways in which they could be manipulated by these types of attack will go a long way in improving the vigilance of everyone within the business. This is why the importance of everyone has been emphasised throughout this guide; a single weak link can unpick even the best efforts.
Malware covers the viruses you don’t see; they conceal themselves from the user in order to keep their presence unknown. The goal of malware is generally to look for confidential information on the target machine and send anything it finds back to the attacker. This could include login details for sites you access as well as personally identifying information like names, addresses and Government IDs. Anything that could be used for identity theft and fraudulent activities is at risk for as long as the malware goes undetected.
Phishing is an extremely effective way of gaining confidential information through the use of emails and websites disguised as genuine organisations, with the intention of deceiving the target into either surrendering that information or taking action to install malware that will find such information. A well co-ordinated phishing scam can be made to look identical to those you would ordinarily trust, such as your bank, mimicking their website so convincingly that you would enter your details without question. From there, an attacker has the ability to transfer large sums of money from your real account in a matter of seconds, long before you realise what has happened.
Ransomware is a relatively new but rapidly growing trend in the way attackers operate. This is a form of virus that does want your attention and is usually very visible when it has infected a target. These types of attack hold your company’s data to ransom, encrypting everything they can reach, including documents shared between your staff and business critical files like financial information. Encryption makes them completely unusable and impossible to decrypt without the correct key. The attacker usually demands payment within a short timeframe, offering the key to decrypt your data, and if refused, your opportunity to recover the data will be gone. The destructive nature of these attacks and the threat of irretrievable data can be a very compelling way to get payment.
It is worth noting that you should never submit to a ransomware attack; you will not only be funding these types of attack but you will also be reinvesting your trust in someone you know to be deceitful. There are no guarantees that they will provide the key after payment and even if they do, there is nothing stopping them from performing the same attack once the data is returned. Instead, be proactive and ensure you are using a solid backup solution for your company just in case.
Security Awareness Training is by far the best way of ensuring your company and staff are fully prepared for the types of threat described above. It goes beyond simply informing you of the dangers and it covers all forms of social engineering; email being just one of many. This type of training is tailored to the specific attacks that are likely for the industry that your company works within and includes practical applications that can test your staff and continually reinforce the importance of vigilance. Training is also scalable to make it accessible to organisations of any size and is extremely cost effective when compared to the potential loss caused by an attack.
Understandably, the implementation of these prevention methods can be time-consuming and complicated even to a dedicated IT department but that shouldn’t deter you. You can take advantage of a trusted IT Partner who will work with you to implement and support better security within your business.