1. An Introduction to Attacker Tactics
First, it's important to be aware of the motives and tactics of attackers. One of the most prevalent motives of attackers is to obtain your personal information and/or gain access to your accounts. This type of attack, known as "phishing," usually attempts to appeal to your emotion in order to get you to click on a malicious link and provide sensitive, personal information, such as your account username and password. Attackers will often craft the link and its corresponding webpage to appear legitimate. I will provide an example of a phishing attack later in this blog post.
This attack is sometimes taken a step further in a tactic known as "spear phishing." Spear phishing targets a particular organization or individual and draws on details the attacker has previously gathered about the target. For example, the attacker may gather from your Facebook page that you work for a particular organization or have an account with an online retailer such as Amazon. The attacker will then leverage this information by including some of these details in the spear phishing email so that it appears legitimate. Remember that attackers will attempt to use any information they can glean from your Twitter, Facebook, Instagram, blog, etc. against you. Never post anything personal or that could in any way be considered sensitive.
Another common attacker tactic is to attach a virus to the email, hoping that you will download and run the virus on your computer. The virus may then steal your information, destroy your files, and/or attempt to spread to other devices on your network. This can be especially dangerous in organizational settings when the virus spreads to other devices on the organizational network.
2. Before You Open The Email
The best way to avoid damage from a malicious email is to never open it in the first place. Here are a few questions I ask myself before ever opening a suspicious email:
- Is there anything in the subject line that looks fishy?
One of the first indicators of a malicious email is the subject line. Malicious emails often contain obscene subject content and/or spelling/grammatical errors. I list this step before checking the sender because even legitimate sender email addresses can be compromised by attackers and then used to send malicious emails to the contacts of the compromised email account. If the subject looks fishy, delete it--even if it appears to be from someone you know. That person's email account may have been compromised.
- Does the sender appear legitimate?
Be aware that just because the sender appears to be someone you know does not mean that the email is actually from that individual. Besides a legitimate email account being compromised (see above), attackers can craft emails to appear to be from a particular name, even if that name does not belong to the attacker. For example, an attacker could check your Facebook account to identify one of your friends, then craft an email to appear to be from that person. If you are able to determine the actual source email address before opening the email, do so.
For example, the following image shows an email from "Nintendo." However, in Gmail, by mousing over the name of the sender of this email, a box appears showing us the actual email address of the sender, "nintendo@em-news.nintendo.com." This email address appears to indeed be legitimate. It is always a good idea to verify that emails are actually from who they say they are from. This isn't a perfect way of determining whether the actual email address is legitimate, since an attacker could create an email address that appears legitimate or compromise a trusted contact's email account (as described above); however, I have often found that malicious emails are from suspicious email addresses.
- Is opening the email really worth the risk?
Lastly, before opening the suspicious email, think one more time about whether it's really worth the risk. Remember that most organizations, including banks, should never contact you through email to ask for personal information. Many emails telling you that you need to log in immediately in order to stay protected or retain benefits are actually phishing attempts. This is also true of emails telling you that you've won a prize. If there is really an important, legitimate need for an organization to contact you, the organization will find a way to contact you.
3. If You Open the Email
If you choose to open the email, here are a few things you should be aware of before doing anything else:
- Again assess the legitimacy of the email.
You should again assess the legitimacy of the email, this time focusing on the email's body (make sure to hold off on downloading any attachments). Follow steps similar to those you followed before opening the email. Many attackers are based in countries where English is not the native language. As such, malicious emails often have poor grammar/spelling. Seeing any typos and/or grammatical errors should raise some very prominent red flags.
- Be very cautious about downloading any attachments.
Be aware that email attachments are often used to spread viruses. If you have any doubts at all about the attachments, don't download them. Remember that viruses can spread via files other than just executables. Be very cautious before downloading anything from an email.
- Assess any links/buttons in the email.
Be very wary before complying with any actions the email asks you to take. Attackers are very good at making phishing emails appear legitimate. The text in the email can appear legitimate, the link in the email can appear legitimate, and even the website that the link/button takes you to can appear to be legitimate. One of the best ways to assess the true legitimacy of the email is to inspect the link/button before clicking it.
For example, the following image shows an example of a phishing message. As you can see from the text of the email, it is attempting to appeal to your emotion--endeavoring to get you to act quickly and click the link before thinking (people tend to be less careful when acting out of urgency) by saying that you aren't safe otherwise. This is a very common tactic used in phishing emails. You'll also notice that, at first glance, the link appears to go to www.google.com. However, we can and should inspect the link closer before clicking it. Websites and email links are written in such a way that allows the displayed text to differ from the actual address that the link takes you to. Most internet browsers will show you the actual address of the link in the bottom left corner of the browser window when you mouse over the link. The image below shows an example of this. As you can see, the actual link takes you to www.google.stealyourinfo.com.
Herein lies another tactic that attackers often use. Someone performing only a quick scan of this address may see the "www.google" at the beginning and immediately proceed, believing that the link is legitimately from Google. However, upon closer inspection, you'll notice that the "google" portion of the address is merely a sub-domain (sub-section) of the website. The real base website that the address will take you to is stealyourinfo.com. If you clicked the link, this fraudulent website would likely look very similar to a Google website, and may even have some of the Google logos on it--but would likely steal your account username and password when you entered them on the website. Therefore, when inspecting addresses, first find the right-most website domain name (the name that comes just before the .com, .edu, .net, etc.)--this is the website that the link will really take you to. Anything preceding it is simply a sub-domain of that website. This same practice can also be used to inspect links found on websites.
Obviously, a malicious address will likely be something much less obvious than stealyourinfo.com. Attackers often choose a name that appears at least somewhat legitimate. However, if it doesn't look exactly right and/or doesn't exactly match what you know the website should be, don't click the link. If possible, avoid using links/buttons provided in emails altogether. Instead, go to the website directly and find the corresponding page yourself. If you can't find anything about the email's requests on the legitimate website that you went to directly, the email is likely a scam.
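The link check described above can be automated for the HTML body of an email. The following is an added example (not code from the original post): it pulls the real destination out of each link's href, reduces the hostname to its right-most base domain, and compares that with the domain the visible link text pretends to be. The sample email is constructed, and the example assumes single-label public suffixes such as .com; real tooling should consult the Public Suffix List for cases like co.uk.

```javascript
// Added example: flag email links whose displayed text names a different
// base domain than the one the href actually points to.
// Assumption: one-label public suffixes (.com, .net, ...), so the base
// domain is the last two labels. co.uk-style suffixes need the PSL.

const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// "www.google.stealyourinfo.com" -> "stealyourinfo.com"
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Visible link text may be a bare domain, a URL, or ordinary words.
// Returns the base domain it implies, or null if it names none.
function impliedDomain(text) {
  const cleaned = text.replace(/<[^>]+>/g, "").trim();
  const m = cleaned.match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#]|$)/i);
  return m ? baseDomain(m[1]) : null;
}

// One record per <a> tag: real domain, displayed domain, and a verdict.
// A link is suspicious if its href is unparseable or the displayed
// domain differs from the real one.
function inspectLinks(html) {
  const findings = [];
  for (const [, href, inner] of html.matchAll(ANCHOR_RE)) {
    let actual;
    try { actual = baseDomain(new URL(href).hostname); } catch { actual = null; }
    const shown = impliedDomain(inner);
    findings.push({
      href,
      actual,
      shown,
      suspicious: actual === null || (shown !== null && shown !== actual),
    });
  }
  return findings;
}

// Constructed sample modelled on the phishing message in the post.
const SAMPLE_EMAIL = `
<p>Your account is not safe! <a href="http://www.google.stealyourinfo.com/login">www.google.com</a></p>
<p>Questions? <a href="https://www.google.com/support">Visit support</a></p>`;

console.log(JSON.stringify(inspectLinks(SAMPLE_EMAIL), null, 2));
```

The first link is reported as suspicious because the text shows google.com while the href resolves to stealyourinfo.com; the second is not, since its text names no domain and its href is google.com.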
I hope these simple tips will help keep your email and internet browsing experience safe. Remember, one action can cause a lot of damage. "Think twice before you click."