‘Are you there?’ This single line is the message body of a phishing email. The sender appears to be a trusted member of your organization, maybe even your boss. But look a little closer. Is that a recognized domain that your boss is sending from? The email might look something like this:
From: Joe Johnson <firstname.lastname@example.org>
To: Sandy Shores <email@example.com>
Subject: Follow up?
Are you there?
Joe Johnson is Sandy’s boss. So it is likely that Sandy will respond.
From: Sandy Shores <firstname.lastname@example.org>
To: Joe Johnson <email@example.com>
Subject: Follow up?
Sure. What can I do for you?
The phisher has dangled the bait and Sandy bit the hook. What happens next is a request, usually for a wire transfer of money or a purchase of gift cards. Hopefully, at this point Sandy will reach out personally to her boss, Joe Johnson, to verify the request.
Go back to the first email exchange. At first glance, it appears that Joe Johnson has sent the email to Sandy. However, look at the email address itself. This is not sent from Sandy’s organization, Trusting.org. This phishing scam is not terribly sophisticated but it works. The user is easily tricked into an email from a trusted member of their organization and does not see the need to scrutinize the content or the email address of the sender.
How can you protect yourself and your organization from phishing emails?
- Examine the sender’s email address and verify that it is legitimate
- Don’t click on links or open attachments from unsolicited senders without first verifying the validity
- Report suspicious emails to your IT department
- NEVER respond to requests for money or gifts without personally verifying the request with the sender
- Education is key to handling phishing emails. Make sure everyone is educated on key components of phishing on a regular basis. If there is an active phishing scheme making the rounds in the organization be sure to alert everyone.