You are not safe from email attacks just because you work for a small business. Since most businesses are of the small to medium size, and since email attacks are so easy to implement, criminals are focusing more of their time on you.
If you are a client, you have HDF & Associates implementing security solutions and monitoring your systems, but every solution is but one layer of your total protection. The final layer is… you. You are responsible to your employer to do all that you can to protect your data and keep the criminals at bay.
Great Poster of red flags to watch out for
Please follow this link, and the precautions on the poster!
Consumer Reports: How to Protect yourself from phishing
Some easy steps to follow to protect yourself.
The history of Phishing and how it works
What is “Phishing”, how did it come about, and how does a criminal do it?
Spear Phishing (Customized Attacks)… This time it’s personal!
An InfoLine article on customized Spear Phishing
So, what can you do to help protect yourself from malicious emails?
Print out this great poster of email red flags to watch out for! (and tape it up)
Be Skeptical! It is better to err on the side of caution. Are you 100 percent sure that a particular message is legitimate? If not, then you should assume that it isn’t.
POTENTIAL RED FLAGS
It claims to be from a vendor my company does business with, but it is new to me
If we engage a new vendor, or something about a current vendor changes in a way that requires them to contact you, we will let you know beforehand. If you receive ANYTHING new or unusual that claims to be from one of your normal vendors, forward it to us to review (e.g. “Your email account is full”, “Your mail is bouncing back”, “Your voicemail account has been closed”, “Your Dropbox account needs to be authorized”).
It claims to come from your boss, who wants you to purchase a money order and mail it somewhere
The From address on an email can be forged to look like an internal address, or even your own, so don’t rely on the return address alone. Look at the actual address behind the display name, and check where a reply would go. For more information about this type of spear phishing attack, see the InfoLine article.
It contains typos and misspellings
Often, English is not the primary language of these criminals, so clumsy wording is a common tell. The reverse does not hold: a well-written message is not proof that it is legitimate.
You have not communicated with this email address before
Always be wary of these!
The gist of the message pertains to an account or personal information (e.g. you need to confirm, provide, or restore it)
Would the information it is soliciting benefit a criminal? BIG red flag.
The email is not personalized. It may be addressed to “Dear Sir/Madam”. Or it may address you by name, or email address, but there is nothing else in the message that proves the sender knows you or someone in your organization
Your name and/or email address are easy to find on the Internet and can easily be added to a mass mailing list. Real emails typically carry the sender’s usual signature (which you recognize), refer to projects you are working on, mention things about you that are not public knowledge, etc.
There are several cc’d addresses, and I don’t recognize them
This may mean that the criminal just added your name and/or email to a list with many others.
The email was sent during off hours (e.g. 3am)
Unless your colleague is pulling an all-nighter, this email may be coming from another part of the world.
There is an attachment that you were not expecting
Attachments are especially dangerous because they can carry malware. Lately, though, more malicious emails carry a link to the malware instead, because email filtering systems have become better at stripping malicious attachments.
It looks like a reply to an email you didn’t send
This is a common way to get your attention. “Hmmm, I don’t remember sending that email. Let’s click on it and see what it’s about.” BIG red flag.
You just feel suspicious about it
If you can’t put your finger on it, but something about the email is suspicious… go with your gut feeling.
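To make the checklist above concrete, here is a small Python script that applies several of those red flags to a raw email message: a display name written to look like an address while the real sender is elsewhere, a Reply-To that sends replies to another domain, a “Re:” subject with no reply headers, several Cc recipients, an off-hours send time, an unexpected attachment, account-related wording, and link text that names one site while the link actually goes to another. This is an added example, not part of this page and not HDF & Associates’ tooling; the two sample messages are constructed, and the local time zone, the off-hours window and the Cc threshold are assumptions.

```python
"""Check a raw e-mail against the red flags in the list above.
Added example, not HDF & Associates' tooling. Sample messages are constructed."""
import re
from datetime import timedelta, timezone
from email import message_from_string, policy

# Assumptions (not from the page): the recipient's local time zone, which local
# hours count as "off hours", and how many Cc recipients count as "several".
LOCAL_TZ = timezone(timedelta(hours=-5))
OFF_HOURS = range(0, 6)                       # 00:00-05:59 local time
MANY_CC = 4
ACCOUNT_WORDS = ("confirm", "verify", "restore", "password", "account", "authorize")

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def host_of(url):
    """Lowercase host of a URL: 'http://x.example/p' -> 'x.example'."""
    m = re.match(r"^(?:[a-z]+://)?([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def domain_of(addr):
    """Domain part of an address, '' if it has no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def first_mailbox(msg, header):
    """(display name, address) of the first mailbox in a header, or ('', '')."""
    h = msg[header]
    if h is None or not getattr(h, "addresses", ()):
        return "", ""
    return h.addresses[0].display_name, h.addresses[0].addr_spec


def red_flags(raw):
    """Return {flag: detail} for each heuristic that fires on raw RFC 822 text."""
    msg = message_from_string(raw, policy=policy.default)
    flags = {}
    from_name, from_addr = first_mailbox(msg, "From")
    _, reply_to = first_mailbox(msg, "Reply-To")
    # Replies silently go to a different domain than the one shown in From.
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags["reply_to_mismatch"] = f"replies go to {reply_to}, not {from_addr}"
    # Display name written to look like an address ("ceo@example.org") while
    # the real sender is elsewhere: the return address alone cannot be trusted.
    if "@" in from_name and domain_of(from_name) != domain_of(from_addr):
        flags["spoofed_display_name"] = f"shows {from_name}, really {from_addr}"
    subject = str(msg["Subject"] or "")
    if subject.lower().startswith("re:") and not (msg["In-Reply-To"] or msg["References"]):
        flags["fake_reply"] = "'Re:' subject but no In-Reply-To/References header"
    cc = msg["Cc"].addresses if msg["Cc"] is not None else ()
    if len(cc) >= MANY_CC:
        flags["many_cc"] = f"{len(cc)} Cc recipients"
    sent = msg["Date"].datetime if msg["Date"] is not None else None
    if sent is not None and sent.tzinfo is not None:
        hour = sent.astimezone(LOCAL_TZ).hour
        if hour in OFF_HOURS:
            flags["off_hours"] = f"sent at {hour:02d}:00 local time"
    names = [p.get_filename() or p.get_content_type() for p in msg.iter_attachments()]
    if names:
        flags["attachment"] = ", ".join(names)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    words = [w for w in ACCOUNT_WORDS if w in text.lower()]
    if words:
        flags["account_request"] = "mentions " + ", ".join(words)
    # Link text names one host but the href leads somewhere else.
    for href, label in LINK_RE.findall(text):
        shown = {h.lower() for h in HOST_RE.findall(re.sub(r"<[^>]+>", "", label))}
        if shown and host_of(href) not in shown:
            flags["link_mismatch"] = f"text says {sorted(shown)[0]}, link goes to {host_of(href)}"
    return flags


# Constructed sample: a phish that trips every check above.
SAMPLE = """\
From: "ceo@example.org" <mailer@account-notices.example>
Reply-To: billing@replies-mailbox.example
To: jane@example.org
Cc: a@one.example, b@two.example, c@three.example, d@four.example, e@five.example
Subject: Re: Your mailbox is full
Date: Tue, 12 Mar 2024 08:03:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.account-notices.example/x">confirm your account at mail.example.org</a> today.</p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed sample: an ordinary internal note that trips nothing.
CLEAN = """\
From: Bob Smith <bob@example.org>
To: jane@example.org
Subject: Lunch on Thursday?
Date: Tue, 12 Mar 2024 17:03:00 +0000

Same place as last week, noon?
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, red_flags(raw))
```

Save a suspicious message from your mail client as a .eml file and pass its contents to red_flags() to see which items fire. The script is a triage aid for applying the checklist, not a verdict: a message that trips nothing can still be a phish, and one that trips several should be forwarded to us rather than clicked.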
Things you can do if you are not sure about an email:
Call the sender on the phone.
Old school is still safer.
If the email prompts you to log into an account (and you have an account with the purported company):
First of all, this is a major red flag. Very few reputable companies will send an email with a link prompting you to log in. But if you want to be sure, then:
1) Close your email client (e.g. Outlook)
2) Close ALL of your browser windows (Chrome, IE, Firefox, etc.)
3) Open a new browser window
4) Type the company’s address in manually (the one you normally use, or a bookmark you saved earlier); never copy it from the email
5) Confirm that the connection to the site is secure: the address bar should show https and the domain you expect, with no certificate warning
This ensures that you are connecting to the real site and that you have not been redirected by the link in the email.
But, all of this takes so much more time than just clicking on the link in the email
Yes. Yes, it does. But the security of your company’s data and your own personal identity are worth it.
But I have Antivirus on my computer. Won’t that protect me when I click the link in the email?
Hopefully. But by clicking the link, you are authorizing the resulting action, and the protections we have in place for you may or may not be able to block actions you are specifically authorizing.
Don’t click on links or open attachments if you are suspicious. If you think it may be a legitimate email, but aren’t sure, then forward the email to us at firstname.lastname@example.org with a subject line similar to: “I’m suspicious of this email”.
If you have questions about this, please let us know and we will be happy to assist you.