The Enabling Technologies Blog


Scott Barr

A Phishing Story

Trust but verify? No. Trust no one when it comes to email.


When you receive an email with an attachment or a hyperlink/URL you must remain vigilant and suspect that it may be malicious - even if you received it from someone you know. DO NOT rely on your antimalware software to catch everything because it won't.


Phishing is a lucrative business and as long as people continue to take the bait, the bad guys will continue to evolve their craft to cash in.


What are we seeing? Here are a few examples:

A student receives a phishing email and clicks a malicious link or downloads an attachment carrying malware. One way or another their credentials are stolen, the bad guy logs into their account and gathers information. The bad guy cancels the student's class and redirects the refund to the bad guy's account. The student finds out their class has been cancelled and they never got the refund.

Similar story for an unsuspecting employee, except the bad guy creates an inbox rule in their email account that redirects specific emails to the Deleted Items folder to cover their tracks. The bad guy logs in to the employee's payroll account and changes the direct deposit bank routing information to the bad guy's bank account. The employee doesn't find out until payday.

Another employee receives a phishing email from someone they know, another employee or a supervisor, directing them to pay an invoice using the bank routing information provided. They pay the invoice and some time later discover the intended recipient never received the payment; it went to the bad guy's bank account.


Companies and individuals are falling victim at an alarming rate and losing vast amounts of money to these schemes.


Who is the target? You are. If you or your company has money, the bad guy wants it and will do whatever they can to get it.


What can you do?


Phishing emails range from the obvious to the very well crafted. Let's assume you notice the obvious right away and delete them or, better yet, report them to your antimalware provider or to the institution the email claimed to originate from, like PayPal, eBay, etc. But for the well-crafted emails that appear to be legitimate:


Do you remember the Stop! Look! Listen! before you cross the street slogan? Sort of like that - only different.


1. Slow down, read the email carefully, and don't click or download anything. If you are suspicious, if your spider senses are tingling, STOP!

2. Were you expecting an email from the sender? If you weren't, that's a clue. STOP!

3. If you were expecting an email from the sender, or receiving one from them would be normal in the course of business, LOOK!

   a. Pay close attention to the request.

   b. If money is involved (paying an invoice, issuing a refund, or simply money leaving the organization or your bank account), verify that the account or bank routing information is accurate: call the sender or IM the sender, but don't rely on email for verification. If the email is malicious, you have to assume the sender's account is compromised and that the bad guy will be the one answering your verification email.

   c. Is there a link asking you to verify your account, update your account, or log in to a portal you are familiar with? STOP!

      i. Hover over the link and verify that the actual URL matches the one the link presents itself as.

         Ex: you hover over a link for paypal.com, but the link actually points to something like pay-pal.com, or to something completely off the wall like greatrebates.vz.

      ii. The bad guys are very good at faking well-known portals, especially at duping you into logging in to a portal you would normally log in to.

      iii. If the link is malicious, the bad guy will succeed in harvesting your credentials, accessing your account, collecting intelligence, and doing further costly damage.

4. Just because a friend or family member sends you another cat video, it doesn't mean you should assume it is safe. STOP!

5. Approach every email with suspicion, and LISTEN! to your instincts. You are probably right. What's the worst that can happen? If you don't click the link or download the attachment, you still have your money. You owe it to your family or your employer to be vigilant.
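The "hover over the link" check in step 3.c.i can also be done mechanically. The following is an added example (not code from the original post or from Enabling Technologies) that extracts every anchor from an HTML email body and flags links whose visible text advertises one domain while the href actually points to another, the paypal.com vs. pay-pal.com and greatrebates.vz cases from the text. The sample email body is constructed for the example; the registrable-domain helper is deliberately simplistic (it does not consult the Public Suffix List, so suffixes like co.uk are treated as a single label) and is noted as such in the code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body for the example (not from the original post).
SAMPLE_HTML = """
<p>Please <a href="https://pay-pal.com/verify">https://www.paypal.com/verify</a> your account.</p>
<p>Or use <a href="https://greatrebates.vz/login">paypal.com</a> to log in.</p>
<p>Read our <a href="https://www.paypal.com/help">help center</a>.</p>
<p>Visit <a href="https://www.paypal.com/policies">www.paypal.com</a> for details.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude reduction of 'www.example.com' to 'example.com'.
    Assumption: only the last two labels matter; a production check would
    use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# A hostname-looking token in the visible link text, with or without scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def displayed_host(text):
    """Return the hostname the link text *claims* to go to, or None if the
    text is plain words (e.g. 'help center') with nothing to compare."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else None


def check_anchors(html):
    """Return one finding per link whose shown domain differs from the real one."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        actual = urlparse(href).hostname or ""
        shown = displayed_host(text)
        if shown is None:
            continue  # plain-word link text; nothing to compare against
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append(
                {"text": text, "href": href, "shown": shown, "actual": actual}
            )
    return findings


if __name__ == "__main__":
    for f in check_anchors(SAMPLE_HTML):
        print(f"MISMATCH: text shows {f['shown']!r} but link goes to {f['actual']!r} ({f['href']})")
```

Run against the constructed sample, the first two links are reported (pay-pal.com and greatrebates.vz hiding behind PayPal-looking text) while the last two pass, because their visible text either names no domain or names the same domain the href resolves to. A plain-word link such as "help center" is intentionally left alone: that is exactly the case where the hover check in the text is the only option, since there is no displayed domain to compare.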


If you can't resist clicking a link or downloading an attachment you should probably stay away from email. Phishing lures can be very attractive. If they weren't, the bad guys wouldn't be doing as well as they are and they would move on to other nefarious schemes.


Enabling Technologies is a Microsoft Gold Partner and highly recommends subscribing to Office 365 Advanced Threat Protection (ATP) for Office 365 email. Office 365 ATP provides a means to protect your email from malicious links and attachments. For more information please read these articles:

http://blog.enablingtechcorp.com/security-update-what-to-do-with-end-users-who-are-click-happy

http://blog.enablingtechcorp.com/making-the-case-for-microsoft-office-365-advanced-threat-protection

and contact us at securecloud@enablingtechcorp.com for more information.
