Email is one of the primary ways we communicate. We not only use it every day for work, but also to stay in touch with friends and family. Since so many people around the world depend on this technology, email has become one of the primary attack methods used by cyber attackers. This attack method is called phishing.
Phishing emails try to fool you into taking an action you should not take, such as clicking on a malicious link, sharing your password, or opening an infected email attachment. Attackers work hard to make these messages convincing and tap your emotional triggers, such as urgency or curiosity. They can even make the emails look like they came from someone or something you know, such as a friend or a trusted company, and may even use familiar logos within the message itself.
In almost all cases, opening and reading an email or message is fine. For a phishing attack to work, the attacker needs to trick you into taking an action, such as clicking on a malicious link. Fortunately, there are clues that a message is an attack. Here are the most common ones:
- A tremendous sense of urgency that demands “immediate action” before something bad happens. The attacker wants to rush you into making a mistake.
- Pressuring you to bypass or ignore your policies or procedures at work.
- A strong sense of curiosity or something that is too good to be true.
- Requesting highly sensitive information, such as your credit card number, password, or any other information that a legitimate sender should already know.
- The message says it comes from an official organization, but it has poor grammar or spelling, or uses a personal email address like @gmail.com.
- The message comes from an official email address but has a Reply-To address that points to a personal email account.
- You receive a message from someone you know, but the tone or wording just does not sound like him or her. If you are suspicious, call the sender to verify they sent it. It is easy for a cyber attacker to create a message that appears to be from a friend or coworker.
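Some of these clues can also be checked automatically by a mail filter or a reported-message triage script. The following is an added example, not part of the original newsletter: it parses a raw message and flags the Reply-To, personal-address, and urgency clues. The domain and keyword lists, the clue names, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the newsletter): short illustrative lists; tune them.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
ORG_WORDS = ("bank", "support", "security", "billing")
URGENCY = ("immediate action", "urgent", "will be suspended")

def domain_of(header_value):
    """Lowercased domain of an address header, or '' if missing or malformed."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def phishing_clues(raw_message):
    """Return the names of the clues found in one raw email message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    text = msg.get("Subject", "") + " " + " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    clues = []
    # Replies are diverted from the sender's domain to a personal mailbox.
    if reply_dom in FREE_MAIL and reply_dom != from_dom:
        clues.append("reply-to-personal-account")
    # Display name claims an organization, but the address is a personal one.
    if from_dom in FREE_MAIL and any(w in display_name for w in ORG_WORDS):
        clues.append("org-name-on-personal-address")
    # Wording that pushes the reader to act before thinking.
    if any(phrase in text.lower() for phrase in URGENCY):
        clues.append("urgent-language")
    return clues

# Constructed sample messages (not real mail).
SAMPLE_DIVERTED = """\
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: examplebank.helpdesk@gmail.com
Subject: Immediate action required

Confirm your password today or your account will be suspended.
"""
SAMPLE_PERSONAL = """\
From: "IT Support Team" <it.support.desk@gmail.com>
Subject: Mailbox migration

Please reply with your availability next week.
"""

if __name__ == "__main__":
    print(phishing_clues(SAMPLE_DIVERTED), phishing_clues(SAMPLE_PERSONAL))
```

A message with no clues returns an empty list, which means only that none of these three checks fired, not that the message is safe.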
Ultimately, common sense is your best defense. If an email or message seems odd, suspicious, or too good to be true, it may be a phishing attack.
Source: SANS OUCH! Newsletter