Introduction
While there are tools that help us fight spam, viruses, and other malware, the most important weapon we have is our own ability to recognize when an email just doesn't seem right. Whether it's a friend or co-worker in distress or a company that says there's a problem with your account, criminals try to manipulate us into opening attachments, clicking links, and entering personal information that helps them gain access to our accounts.
Here are a few types of attacks to keep on your radar.
Spam
Did you know that 70% of all email is spam? Thanks to the filters enabled by your business and/or email provider, most of this will be kept out of your inbox and routed directly to your spam/junk folders. Because it’s a cat-and-mouse game, occasionally something will pass through, but these are fairly easy to spot:
- it’s from somebody you don’t know
- it’s advertising a service you don’t want (fake dating sites, online drugs/pharmaceuticals, unsolicited mortgages/loans)
- it’s poorly written, extremely terse, or in ALL CAPS
- the body is little more than an image that links to a malicious website/URL
Unfortunately there are few proactive measures you can take against spam, particularly if you are required to publicly list your contact information. Learn to identify spam that escapes your email filtering system, and use the “Mark as Spam” or “Move to Junk” features of your email client to help cut down on these kinds of emails in the future.
Spear-Phishing and Other Phishing Attacks
Phishing is a different category of spam that attempts to solicit personal information about you or your accounts, including passwords and credit card numbers. These are harder to spot because they are designed to impersonate legitimate companies. Often, phishing emails will include a link to a website that looks like a retail or banking site, a social network, or UPS/FedEx. Fake shipping confirmations and delivery notifications are especially prevalent around the holidays.
Whereas phishing attacks cast a wide net, spear phishing attacks target individuals by using personal information about you, your friends, and your workplace. Because spear phishing uses your social network against you, it requires you to scrutinize emails that appear to come from people you know. Here’s how to spot spear phishing emails:
- it’s from a name you know, but the first part of the email address is wrong (johndoe1@example.com instead of johndoe@example.com)
- it’s from a name you know, but the second part of the email address is wrong (johndoe@examplle.com instead of johndoe@example.com)
- it contains a link, particularly one whose visible text doesn't match where it actually points
In the example above, the link text shows a URL that looks legitimate, but hovering over the link (without clicking it) reveals where it really goes.
When in doubt, open a new tab and navigate directly to the website you know and trust, then look up your account details there. And remember: a legitimate business will never ask you for your password.
We’ve written about steps you can take to identify spear phishing emails on the Twin State blog if you’d like to learn more.
Social Engineering
Social engineering is similar to spear phishing because it targets individuals directly. Social engineering attacks are often phone-based: a caller in apparent distress tries to get you to disclose personal information or reset account credentials. There have been some high-profile social engineering attacks you may have heard about, such as the 2012 case in which an attacker pieced together information from Apple, Amazon, and Twitter to take over a journalist's accounts. Small organizations are vulnerable to the same tactics. Be cautious about disclosing, or even confirming, sensitive data over the phone.