Practical Advice To Stop Malware, Phishing & Spoofed Email Attacks From Head of IT

This is a note I sent to our entire company last week. It was thought to be useful and I've been asked to share it with other readers:

IT has noticed an exponential increase in malware, phishing and spoofed email attacks against our users. We have strong filters in place that catch the majority of malicious emails, but nothing is perfect. Our last line of defense is YOU. When you receive an email with an attachment or link, it is important that you exercise caution. Below are a few guidelines that will help you determine whether an email is safe or not.

Spoofed email addresses are emails that appear to come from someone @alienvault.com (or another domain), but aren't actually from that user. We have seen the largest jump in these types of emails. These were initially targeting finance personnel and executives, but have recently spread to more users in the organization. We have strong SPF and DKIM enforcement set (SPF lets a mail admin specify what IP addresses are allowed to send email for a domain). While this will protect us from internal spoofed emails, it will not protect us from external domains that are being spoofed.

How do I recognize a spoofed email?

• Analyze the salutation: Is the email addressed to a vague “Valued Customer”, your email address, or ‘Greetings User’?
• The email is requesting that you perform an action urgently. i.e. transfer money, click on a link, open a file, etc..
• Review the signature for anomalies.

Phishing email – An attempt to harvest a user’s credentials. These will usually come from a spoofed email address, or from a legitimate user that has fallen victim to a phishing attack.

• Look but don’t click: Hover your mouse over any links embedded in the body of the email to see the real address. If the link address looks weird, don’t click on it. Example: Secure O365 Login
• Analyze the salutation. This may actually be legitimate so be careful!!! If the email comes from a compromised user with a good address book, then the salutation may be spot on.
• Give a fake password: if you not sure if a site is authentic, don't use your real password or username to sign in. If you enter a fake password and still appear to be signed in, you're likely on a phishing site.
• Attachments: If you open an attachment and it asks you to enable something in word, adobe, etc., it is more than likely a phishing email and may have malware, too.

Malware – An attempt to infect a user’s device with malicious software. We are especially seeing a large uptick in trojans being sent. Some were only spotted in the wild a few weeks ago.

• These are delivered via a URL or email attachment.
• Does the subject line or body of the email seem out of character or unusual given the sender, especially if you are not expecting an email from that organization or person?
• Check the URL before clicking by hovering over the link in the email body.
• Beware of attachments that need to be unzipped or ask for additional action on your part.

If you are unsure, please do not hesitate to contact your IT department for assistance.