I recently received an email from a legitimate source. The sender was known to me. Plus, I was waiting for the sender to email me some information. That said, I was somewhat surprised when I received an email that said “Information Report” when I was expecting something else.
Being conscientious, I emailed the sender and asked if this was what I had been waiting for. The sender replied “Yes, it’s legit.” At that point, you are safe to open the attachment, right? Not in today’s world.
Here are some reminders to help you avoid taking the bait from an email phishing attempt.
Isn’t phishing fun?
Phishing is fun — for the bad guys. In today’s connected world, hackers are looking for ways to get your user names and passwords. Clicking on the bait, typically an email attachment or hyperlink, can lead you to what looks to be a legitimate webpage, asking for your email username and password. Once you enter it, the bad guys have your information and will go to work. In the scenario set out above, the bad guys start sending the same email to everyone else in your contact list.
Among the many bad outcomes, you typically don’t know you have swallowed the hook until you see a surge of undeliverable emails and/or start getting calls from everyone in your contact list. Not fun.
Don’t take the bait
It’s easy to get hooked. We are all busy. We don’t have time to check every email and see if it’s really legitimate. Here are some tips to avoid getting hooked:
Beware of suspect subject lines/content/senders: You may see an offer for something that’s too good to be true. Remember the old adage: if it sounds too good to be true, it probably is.
Avoid the rush: If you see something that says respond quickly or your account will be terminated or you will be charged money, there’s a good chance this is a phishing email. If you have a question, browse directly to the site in question; don’t click the link in the email. At the source site, check your account and make sure everything is OK. While you are there, change your password.
Look, but don’t touch: Be wary of hyperlinks. Remember that you can hover your mouse pointer over a hyperlink (don’t click) to see where the hyperlink is really going. If the URL looks suspect, back away quickly.
When in doubt, pick up the phone: If you get a suspicious message from a colleague, give them a call. We can look out for each other and save some headaches. It’s a pain to answer 100 calls about a suspect email, but it’s better to be safe than a victim. Be sure you have your resident IT expert on speed dial, too.
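The “look, but don’t touch” tip above can be automated for an HTML message body: compare the host named in a link’s visible text with the host its href actually points to, which is exactly what hovering reveals. This is an added example, not code from the original article; the function names and the sample message with made-up .test domains are constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A bare domain or URL appearing in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def displayed_host(text):
    """Host named in the visible text (e.g. 'mail.examplefirm.test'), or '' if none."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower().removeprefix("www.") if m else ""

def find_misleading_links(html):
    """(visible text, href) pairs whose text names one host but whose href goes to another."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = displayed_host(text)
        real = (urlparse(href).hostname or "").lower().removeprefix("www.")  # what hovering shows
        # Plain words such as "Information Report" name no host and are not judged here.
        if shown and real and shown != real and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged

# Constructed sample body (made-up .test domains): the middle link shows the firm's mail host but points elsewhere.
SAMPLE = (
    '<p>Please review the attached <a href="https://docs-share.evil.test/login">Information Report</a>.</p>'
    '<p>Or sign in at <a href="https://secure-mail.evil.test/owa">https://mail.examplefirm.test/owa</a></p>'
    '<p>Questions? Visit <a href="https://www.examplefirm.test/help">examplefirm.test/help</a></p>'
)
```

Links whose text is just words (“Information Report”) are not judged by this check, so it complements the hover habit rather than replacing it.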
How do you know you were caught?
Check your sent mail. You will see replies going out to contacts who asked whether the message was legitimate or spam. The auto-responders are getting good, even sending multiple replies with different wording claiming that the email is legitimate. That’s a sure sign you’ve been compromised. When in doubt, throw it out.
You also may see an increase in undeliverable messages, indicating that something is trying to email every address in your account. And people will start emailing and calling you to ask about the messages.
What do you do if you get hooked?
Call your IT folks pronto. Change your passwords to your email or any other accounts that may have been compromised. It can happen to anyone, and you may not even notice until it’s too late. More drastic measures may be required, but that’s beyond the scope of this article.
Make sure your software is up to date
Keep things up to date so you have the best chance to avoid these types of situations. With the recent rash of these types of attacks, it might be a good idea to have your IT vendor conduct a security audit for you and/or your firm. You can never be too careful.
Seth R. Wilson is an attorney with Adler Tesnar & Whalin in Noblesville. In addition to practicing law, he helps manage the day-to-day technology operations of the firm. Seth writes about legal technology at sethrwilson.com and is a frequent speaker on the subject. The opinions expressed are those of the author.