When you see an e-mail from an old friend you haven’t spoken with in a while, what do you do? Do you trust the e-mail because you recognise their name? Or do you trust but verify the details before taking actions like clicking links or opening attachments?
If you are a “Truster”, you might be setting yourself up to get spear-phished. Spear-phishing is where a hacker pretends to be a friend, a colleague or a known brand to get you to open an e-mail and take an action. The action might be to click a link, open an attachment or send out a wire transfer.
“These attacks are real. The FBI estimates that in the last 2 years 7,000 companies have lost more than 750 Million because of e-mail related issues! Interestingly most of these companies have spam and virus filtering that fails to protect them.”
So, “Truster” or “Verifier”, what can you do? Here are ten tips for not getting spear-phished:
Watch the e-mail subject and tone:
1. Be extra careful with any e-mails that try to cause a sense of urgency or fear. E-mails focused on financial transactions or those where you urgently need to do something are designed to get you to take action without thinking.
2. Be careful with communication you weren’t expecting. For example, you know whether you placed that order on Amazon, so assume that an unexpected Amazon e-mail is a phishing message.
3. Be extra careful around e-mail concerning financial transactions. Don’t click the links or open the attachments. Go directly to the financial institution’s website to interact with them.
Look at the e-mail sender’s information carefully:
4. Watch for misspelt names and unusual e-mail addresses. For instance, if your friend normally e-mails you from email@example.com but today the e-mail is coming from firstname.lastname@example.org, be much more careful before taking an action.
5. Always distrust e-mail from people you don’t know. For example, if your Manager’s Manager doesn’t know you and never talks to you, but today you are getting an e-mail from her asking you to do something, check it carefully.
6. Look for changed patterns of behaviour. For example, if your wife always e-mails your @gmail.com address but today her e-mail is coming to your work address, that is a change in her behaviour. These changes don’t happen regularly and may indicate something phishy!
Examine all the links:
7. Hackers use a combination of good and bad links in each e-mail. Hover over any link to see where it actually points before you click it.
8. Be careful with shortened links such as tiny.url or numeric links. For example, if you get a link to http://www.amazon.com in an e-mail but when you hover over it, it shows http://tiny.url/amazon or http://220.127.116.11/cgi-bin/index.pl, don’t click the link. Instead, open a browser and type in www.amazon.com, which is the address the link appears to point to.
9. Don’t open any attachments that are executable files. Bad attachments can result in a hacker holding your computer hostage by encrypting all its data with CryptoLocker or, worse, installing a keylogger that gives them full visibility into all your usernames and passwords. If you are running anti-virus, make sure it is set to auto-update daily and to scan everything that runs. Also make sure to turn automatic OS updates on.
10. Don’t trust Microsoft Office or PDF-type attachments. These attachments can contain malicious code that executes and causes similar issues to executable files. I recommend that you turn macros off in Microsoft Office apps and set both Microsoft Office and Adobe Acrobat to auto-update.
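The checks in tips 4, 7 and 8 can be automated for a mail gateway or a personal triage script. The example below is added here and is not from the original post; it parses a constructed HTML e-mail, flags a sender display name whose domain does not match the address, links whose visible text names a different host than the real target, numeric-IP links, and hosts in an assumed list of URL shorteners.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the display name claims Amazon while the address is another
# domain, and two links show amazon.com text but point at a shortener and a bare IP.
SAMPLE = """From: "Amazon Orders" <orders@example.org>
To: you@example.com
Subject: Urgent: confirm your order
Content-Type: text/html

<p>Check <a href="http://tiny.url/amazon">http://www.amazon.com</a> now.</p>
<p>Or <a href="http://220.127.116.11/cgi-bin/index.pl">www.amazon.com/orders</a></p>
<p><a href="https://www.amazon.com/help">Help</a></p>
"""

SHORTENERS = {"tiny.url", "tinyurl.com", "bit.ly", "t.co"}  # assumed list; extend as needed
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    """Lower-cased host of a URL; accepts 'www.x.com/path' with no scheme."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def review_links(raw):
    """Return one warning string per suspicious finding (empty list means nothing flagged)."""
    msg, warnings = message_from_string(raw), []
    name, addr = parseaddr(msg["From"])
    if name and addr and name.split()[0].lower() not in addr.split("@")[-1].lower():
        warnings.append(f"sender name {name!r} does not match domain {addr.split('@')[-1]!r}")  # tip 4
    parser = _Links()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        host = _host(href)
        if IPV4.match(host):
            warnings.append(f"numeric IP link {href}")            # tip 8
        elif host in SHORTENERS:
            warnings.append(f"shortened link {href}")             # tip 8
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != host:                               # tips 7/8: hover text vs target
            warnings.append(f"link text shows {shown} but points to {host}")
    return warnings
```

Running `review_links(SAMPLE)` yields five warnings; the benign Help link produces none.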
So regardless of whether you are a “Truster” or a “Verifier”, I hope that these ten tips help you not get spear-phished!
Gagan Prakash, Founder and CEO of Astra IDentity, Inc