As you may know, October is Cyber Security Awareness month. Being an IT Security Professional, I wanted to use this month to provide a series of posts that provide tricks and tips on how to better protect yourself and your organizations. Each week, I will provide a specific theme in my posts and videos.
In Week One, the focus will be on Employee Awareness. I chose this because I believe employees are not only the first line of defense but can often be both the weakest link and the most valuable tool for protecting the organization. Understanding what is out there and how threat actors try to gain access is fundamental to defending the front lines.
The first thing I do when examining an email is work my way up from the bottom. I ask myself whether there is a signature line. Since I do a lot of business-to-business transactions, it is common to see an organization's signature line in the body of the email.
In this example, which I pulled from my SPAM folder, you can see that there is no signature line. This is my first red flag that the email may not be legitimate; strike one. From there I shift my focus up to the email address.
In this case, the email address was from someone I clearly did not know, but upon further inspection I noticed that the domain had an extension of .hn. At first I thought this domain might be from Hong Kong, but I then remembered that Hong Kong's extension is .hk. A quick Google search showed that .hn is the top-level domain for Honduras; strike two.
At the top of the email is the subject line, and perhaps the biggest giveaway (aside from the huge red banner from Google) that this email is fraudulent. Typically an email will have "Re:" in the subject line only when you have previously corresponded on that thread. I knew that I had not, so... strike three.
What is more curious is that the email spells the word "Inquiry" with the British English spelling "Enquiry", yet this email was supposedly from Honduras, which is primarily Spanish speaking with some pockets speaking Creole English. That is not to say there are no British speakers in the region, but it further reinforces the suspicion.
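The bottom-up checks above (missing signature, unfamiliar sender on a country-code domain, a "Re:" subject with no prior thread) can be expressed as simple heuristics over a raw message. The following is an added example written for this post, not code from the original article; the two messages, their addresses, the known-correspondent list and the small ccTLD table are all constructed for illustration. The "Re:" check goes slightly beyond the post: rather than relying on memory, it looks for the In-Reply-To and References headers that a genuine reply carries.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the post's red flags: no signature,
# unknown sender on a .hn domain, "Re:" subject with no thread headers.
SUSPICIOUS_RAW = """\
From: Sales Desk <sales@vendor-example.hn>
To: me@example.com
Subject: Re: Enquiry
Message-ID: <constructed-1@vendor-example.hn>
Content-Type: text/plain; charset="utf-8"

Please see the attached quote and confirm at your earliest convenience.
"""

# Constructed sample of a normal reply from a known business contact.
LEGITIMATE_RAW = """\
From: Jane Partner <jane@partner-example.com>
To: me@example.com
Subject: Re: Q4 order
Message-ID: <constructed-2@partner-example.com>
In-Reply-To: <constructed-0@example.com>
References: <constructed-0@example.com>
Content-Type: text/plain; charset="utf-8"

Thanks, the revised quantities look right to me.

--
Jane Partner
Partner Example Ltd
+1 555 0100
"""

# Hypothetical address book of people you actually correspond with.
KNOWN_CORRESPONDENTS = {"jane@partner-example.com"}

# A few country-code TLDs, as in the post's lookup (hn is Honduras, hk is Hong Kong).
CCTLD_COUNTRY = {"hn": "Honduras", "hk": "Hong Kong", "uk": "United Kingdom"}

# Signature heuristics: the "--" separator, a common closing, or a phone number
# in the last few lines of the body.
SIGNATURE_RE = re.compile(r"^(--\s*|(best|kind)?\s*regards,?|sincerely,?)$", re.IGNORECASE)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")


def has_signature(body: str) -> bool:
    """Heuristic: does the tail of the body look like a signature block?"""
    lines = [line.strip() for line in body.strip().splitlines()]
    tail = lines[-5:]
    return any(SIGNATURE_RE.match(line) or PHONE_RE.search(line) for line in tail)


def check_email(raw: str, known=KNOWN_CORRESPONDENTS) -> list:
    """Return the list of 'strikes' found, working bottom-up as the post does."""
    msg = message_from_string(raw, policy=policy.default)
    strikes = []

    # Strike one: no signature line at the bottom of the body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if not has_signature(body):
        strikes.append("no signature line")

    # Strike two: sender is not a known correspondent; report the TLD so the
    # reader can check which registry it belongs to.
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    tld = domain.rpartition(".")[2]
    if addr.lower() not in known:
        country = CCTLD_COUNTRY.get(tld)
        note = f" (.{tld} is the {country} country-code TLD)" if country else ""
        strikes.append(f"unfamiliar sender {addr}{note}")

    # Strike three: subject claims to be a reply, but a real reply carries
    # In-Reply-To and/or References pointing at the earlier message.
    subject = str(msg["Subject"] or "")
    if re.match(r"^\s*re:", subject, re.IGNORECASE) and not (
        msg["In-Reply-To"] or msg["References"]
    ):
        strikes.append("subject starts with Re: but has no In-Reply-To/References header")

    return strikes


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("legitimate", LEGITIMATE_RAW)):
        print(label, "->", check_email(raw) or "no strikes")
```

Run it as a script to see the suspicious message collect all three strikes while the genuine reply collects none. The heuristics are deliberately coarse: a missing signature or an unfamiliar sender is a prompt to look closer, not proof of fraud, which is why the function reports the strikes rather than making the decision for you.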
Taking Action on Suspicious Emails
Now I don't want to get ahead of my future posts on technical controls, as I want to dedicate an entire week to the various technologies and tools that can help improve overall security, but as an employee there are a few practical steps you can take when faced with a similar threat.
First, if the email is from an address that you do recognize but the contents of the email are suspicious, I would recommend calling your contact on a known-good phone number (not the one in the suspicious email) and asking them directly whether they sent you that email. There is a good chance they did not know that their email account was compromised.
Many organizations have a specialized team that handles SPAM and/or suspicious emails. They go by many names but are often referred to as the Cyber Security Incident Response Team, or CSIRT. If they have set up a dedicated email address or a report button for suspicious emails, use it; otherwise, forward them the email for analysis. They should be able to tell you whether the email is legitimate.
If your organization does not have a CSIRT, then it may be best to speak with a manager and then delete the email. Do not under any circumstances respond to the email, open any attachments or click on any links unless you are certain that the email is legitimate. Doing so can put you on an endless SPAM list, can cause instability on your systems or, worse, you could be the next person responsible for introducing ransomware into the corporate environment.