It’s much easier for an attacker to “hack a human” than “hack a machine”. This is why complicated attacks against organizations often begin with the end user. Although e-mails with malicious links or attachments are often dismissed and referred to as “spam”, these messages are often the beginning of a sophisticated hack against a company. Unfortunately there is no “silver bullet” that can prevent these attacks from taking place.
I recently had the opportunity to give a presentation during one of our client’s all-staff meetings. Despite the fact that our client’s company resides in a relatively niche market, I was able to discuss several data breaches that took place in their industry within the last year. Not only did the hacks all take place recently, they were all the direct result of actions taken by an end user. A majority of these attacks were caused by an employee opening a malicious e-mail. I gave our customer the following advice to help them avoid becoming a victim of phishing e-mails and felt that it was worth sharing on StateOfSecurity.com.
Verify link URL: If the e-mail you received contains a link, does the website URL match up with the content of the message? For example, if the e-mail indicates you are about to visit a website for FedEx, is the address actually FedEx.com? A common tactic used by attackers is to direct a user to a similar-looking URL or to a raw IP address. An example of this would be to direct the user to FedEx111.com or FedEx.SE as opposed to the organization’s actual URL.
Verify e-mail address of sender: If the e-mail message you received came from a friend, colleague or vendor, did it actually come from their e-mail address? It’s worthwhile to take a few extra seconds to ensure that the e-mail actually came from the aforementioned colleague, friend or vendor. Also, avoid opening e-mails from generic senders such as “Systems Administrator” or “IT Department”.
Exercise caution with messages from unknown senders: Be cautious if a message comes from an unknown sender. Would you provide your checking account number or password to a random person that you saw on the street? If not, then don’t provide confidential information to unknown senders.
Follow up with a phone call: In the event you receive a message requesting that you validate information or reset your password, take some time to follow up with the sender by phone. Trust me, your IT department will be happy to spend a few seconds confirming or denying your request as opposed to dealing with a malware infection. Also, if your “bank” sends any type of e-mail correspondence requesting that you perform some sort of action, it’s worthwhile to give them a call to confirm their intentions. Always use a phone number obtained from a source other than the e-mail itself.
Spot check for spelling/grammar errors: It is extremely common that malicious e-mails contain some sort of spelling mistake or grammatical error. Spelling mistakes or grammatical errors are great indicators that you have received a malicious e-mail.
Do not open random attachments: If an e-mail message meets any of the above criteria, DO NOT open the attachment to investigate further. Typically these attachments or links are the actual mechanism for delivering malware to your machine.
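The first two checks above (does the link really land on the organization’s domain, and does the sender’s real address match the name shown?) can be turned into code so that a mail gateway or an analyst script applies them consistently. The following is an added example, not code from the original post or from StateOfSecurity.com. It assumes that the organization’s domain is two labels long (FedEx.com style; a real deployment would consult the public suffix list to handle domains like example.co.uk), and the two sample messages, the `GENERIC_SENDERS` list and every address and URL in them are constructed for illustration.

```python
# Added example: mechanical versions of the "verify link URL" and
# "verify sender address" checks from the post. All sample data is constructed.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Display names the post says to treat with suspicion (constructed list).
GENERIC_SENDERS = {"systems administrator", "it department", "administrator",
                   "helpdesk", "support"}

# Matches http(s) links in a plain-text body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname: 'www.fedex.com' -> 'fedex.com'.

    Assumption: two-label registrable domains. Use the public suffix list in
    production so that names such as 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_org(url: str, expected_domain: str) -> tuple[bool, str]:
    """Check whether a link really lands on the organization's own domain.

    Returns (ok, reason). Flags raw IP addresses, look-alike names such as
    fedex111.com, wrong TLDs such as fedex.se, and 'fedex.com.evil.example'
    style subdomain tricks, because only the registrable domain is compared.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return False, "no host in link"
    try:
        ipaddress.ip_address(host)
        return False, f"link goes to a raw IP address ({host})"
    except ValueError:
        pass  # not an IP literal, compare domains below
    actual = registrable_domain(host)
    expected = registrable_domain(expected_domain)
    if actual == expected:
        return True, f"link host {host} is under {expected}"
    return False, f"link host {host} is under {actual}, not {expected}"


def sender_check(from_header: str, expected_domain: str) -> tuple[bool, str]:
    """Check the real address behind a From: header, not just the display name."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return False, "no parsable address in From header"
    if name.strip().lower() in GENERIC_SENDERS:
        return False, f"generic sender name '{name}'"
    actual = registrable_domain(addr.rsplit("@", 1)[1])
    expected = registrable_domain(expected_domain)
    if actual != expected:
        return False, f"address domain {actual} does not match {expected}"
    return True, f"address is under {expected}"


def check_message(raw: str, expected_domain: str) -> dict:
    """Run both checks over a raw RFC 822 message and collect the findings."""
    msg = message_from_string(raw)
    findings = []
    ok, why = sender_check(msg.get("From", ""), expected_domain)
    if not ok:
        findings.append("sender: " + why)
    body = msg.get_payload() or ""  # plain-text samples only
    for url in URL_RE.findall(body):
        ok, why = link_matches_org(url.rstrip(".,;)"), expected_domain)
        if not ok:
            findings.append("link: " + why)
    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample messages: a look-alike domain and a genuine one.
SAMPLE_PHISH = """From: FedEx Customer Service <notice@fedex111.com>
Subject: Your package could not be delivered

Please confirm your address at http://fedex111.com/track or call us.
"""

SAMPLE_LEGIT = """From: FedEx <tracking@fedex.com>
Subject: Shipment update

Track your package: https://www.fedex.com/track?id=CONSTRUCTED123
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample, "fedex.com"))
```

The check compares the link’s actual host, not the text shown to the user, which is the same thing a reader does by hovering over a link before clicking; an HTML message whose visible text says FedEx.com while the `href` points elsewhere is caught the moment the real `href` is what gets passed in. The domain comparison is deliberately on the registrable domain only, so `fedex.com.evil.example` fails even though it begins with the expected name.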
This blog post was written by Adam Luck.