Don’t Bite the Hook: Email Phishing

This is the second in a series of guest blogs Connected Nation will be posting from CN alumni Dr. Michael Ramage. This series will focus on various facets of cybersecurity and things you can do to help protect your information in a connected world.

Bowling Green, Ky (May 6, 2020) – COVID-19 is changing everything in our society, including the way we work, study, and communicate. While most of us are focused on staying healthy and getting by the best way we can, cybercriminals are trying to exploit the pandemic to steal from us through email phishing.

Phishing is a technique cybercriminals use to trick people into clicking a link or opening a file. Typically, the file or link will provide the exploit needed by the hacker to ultimately comprise your computer and network, likely costing you financially.

The sophistication of hackers has increased dramatically over the last decade, but email phishing remains one of the most popular ways of attack. Globally, some report that between 75 percent and 90 percent of email is spam, and according to a recent CSO article, 94 percent of malware is delivered via email. Eighty percent of reported security incidents were due to phishing attempts.  

These numbers are staggering and translate to the average user deleting about eight out of every ten emails. So why don’t we delete our emails? People are TOO trusting, and the cybercriminal exploits that trust. Below are five tips that I share with others to help prevent them from being a victim of email. Each item has the same theme. When reading an email, your default position should be “DO NOT TRUST!” Assume the email is spam or a phishing attempt until otherwise proven.

  • DO NOT trust the name or email header shown. An easy way for cybercriminals to trick email recipients is by changing the sender’s name or altering items in an email header.  Just because the email may read that the email is coming from President Trump doesn’t mean it is. It takes minimal effort to change the name of the email.

Tip: In most email applications and web email interfaces, you can click on the sender’s name to see the sender’s real email address. If the email address is not exactly as expected, you should not trust anything else in the email.

  • DO NOT trust any link in an email. Another trick of cybercriminals is to embed a link that says one thing in the email, but instead, it goes to a malicious website. DO NOT CLICK THE LINK! If in doubt, hover your mouse over the link to see where the real link points. It doesn’t matter what it says in the email. It does matter where the raw source code points. It could be different.

Tip: Even if you are expecting an email from the individual with a link and you have verified it’s valid, I recommend that you copy the link and paste it into a new browser, again double-check the URL to confirm its validity and go from there.

  • DO NOT trust attachments. If you are sent an email attachment, do not trust it. Do not open it. Attachments are an excellent way for malicious code to be installed on your computer. One recent example was an email that appeared to be coming from Walmart that was asking users to open a file or risk not receiving a package they had ordered. For the vast majority of people who received the phishing email, they just deleted, but for those individuals who had a pending order from Walmart, they may have opened the attachment. Be very careful. If you haven’t requested the attachment, proceed with great caution.

Tip: Even if you are expecting an email from the individual and you are expecting the individual to send you a file, I recommend that you tread carefully. If in doubt, call them to double-check they sent it.

  • Read the email carefully. Most businesses take extra precautions to ensure there are no spelling errors. Most companies will try to personalize emails and finish an email with a personal signature. If any of these items are wrong, the email is likely a phishing attempt.

Tip: Criminals have convinced users to send prepaid iTunes gift cards to pay for their IRS bill. First, the email typically included multiple typos. Second, the IRS will never do that. If an email contains typos, sayings that seem odd, or threatening language, do not trust anything else in the email.

  • If it is too good to be true, it probably isn’t true. If you receive an email stating that you have won something, please consider it skeptically. Bill Gates probably doesn’t want to give you money.  

Tip: Users have been receiving emails with claims about a vaccine, charities raising money for first responders, or testing that can be completed in a method much better than reality. As with all examples, your default position is NOT to TRUST the email. If there was a cure for COVID-19, don’t you think you would hear about it on the news?

For anyone reading this, I would offer two primary takeaways: DO NOT TRUST and DO NOT CLICK. When you read an email (personally or professionally), read emails with skepticism, looking for proof that the email is what it claims to be.

If you have additional questions, please reach out to Dr. Ramage at mramage@murraystate.eduor 270-809-3987. You can also reach out to Wes Kerr, Director, Community Solutions, at wkerr@connectednation.orgor 877-846-7710.

Share this Post