Friday, August 2, 2019

What to do (and not do) with suspicious emails

Everyone with an email address receives phishing emails, at home as well as at work. Here is a list of do's and don'ts culled from Navigating the Phishy Social Engineering Ocean by Cheryl Conley at https://medium.com/sans-security-awareness/navigating-the-phishy-social-engineering-ocean-5882e8965fa2:

Do:

  • Check the From address, be wary of fake or unknown domain names, and be sure the domain name properly corresponds with the sender’s display name.
  • “Mouse over” links (hover over links with your mouse cursor) to see the real destination.
  • Use a unique password for each online account, and immediately change it if you suspect a breach. For added protection, consider (1) using a passphrase and (2) implementing two-step authentication.

Do not:

  • Click links or attachments unless you’re sure the message is from a trusted source.
  • Give out personal or private information to an unknown.
  • Succumb to emails just because the branding looks real or the sender appears to be someone you know.
  • Click or call listed phone numbers that are included in pop-up ads or threatening emails.
  • Reply to phishing emails.

Other red flags:

  • Mismatched URLs — hover your mouse over the link and compare the destination URL with the displayed URL.
  • Poor grammar and spelling could be an indicator.
  • A request for personal information.
  • Asking for money, especially with urgency.
  • An offer that appears too good to be true.
  • Unrealistic or unlikely threats.
  • Content just doesn’t look right — trust your gut.
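Two of the checks above (does the From display name fit the sender's domain, and does a link's visible text point where the href really goes) are mechanical enough to automate, which is how mail-filtering rules and triage scripts apply them. The script below is an added example and is not from the post or from Ms. Conley's article. The .eml message it inspects is constructed for the demonstration (the brand, addresses and domains are fictional), and the word-overlap rule for matching a display name to a domain is a heuristic: a sender domain that contains the brand name is not proof of legitimacy (lookalike domains and compromised mailboxes pass it), so a clean result means "no obvious red flag", not "safe".

```python
"""Automate two phishing red flags from a raw .eml file:
 1. From display name that shares no word with the sender's domain.
 2. <a> elements whose visible text is a URL on a different host than the href.
Added example; not code from the original post."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (fictional brand and domains) showing both red flags.
SAMPLE_EML = b"""\
From: "Example Bank Support" <alerts@account-verify-center.net>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify now:</p>
<a href="http://account-verify-center.net/login">https://www.examplebank.com/login</a>
<a href="https://www.example.org/help">Help</a>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.x.example/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def sender_mismatch(from_header):
    """Return (display_name, domain) when no word (4+ letters) of the display
    name occurs in the sender's domain; otherwise None. Heuristic only."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    if words and not any(w in domain for w in words):
        return name, domain
    return None


def mismatched_links(html):
    """Return [(shown_url, real_href)] for anchors whose visible text looks like
    a URL but names a different host than the href (the "hover" check)."""
    parser = _AnchorCollector()
    parser.feed(html)
    out = []
    for text, href in parser.anchors:
        if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != host_of(href):
            out.append((text, href))
    return out


def check_message(raw_bytes):
    """Run both checks over a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    mism = sender_mismatch(str(msg["From"]))
    if mism:
        findings.append("display name %r does not match sender domain %r" % mism)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in mismatched_links(body.get_content()):
            findings.append("link text %r actually points to %r" % (shown, real))
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_EML):
        print("RED FLAG:", finding)
```

Run it against any saved message with `check_message(open("mail.eml", "rb").read())`. The link check deliberately ignores anchors whose text is a phrase like "Help" or "Verify now"; those always need the manual hover, and on touch-screen devices, where hovering is not available, a long-press preview of the link serves the same purpose.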