We’ve been using email in corporate America since the early 1990s. More than a quarter century later, we still don’t know how to use email safely. The most common attack method of malicious hackers against corporations is email phishing. These hackers use trickery to fool us into giving them access to our email, our data, or even our personal information. The solution is constant, non-stop user education. Here are six straightforward lessons for anyone who uses email (aka “everyone”) to abide by in order to keep their email safe.
- Email headers – If an email seems remotely suspicious, you can check the email headers. Here’s how to check email headers in Outlook, and here’s how to check them in Google Apps or Gmail. It’s easy to “check the headers” of any email, but then the question becomes “What am I checking for?” This article explains what an email header contains and what to look for to verify the email. In short, an email header contains “particular routing information of the message, including the sender, recipient, date and subject.” Checking the headers of messages that seem suspicious can help you quickly determine whether the email comes from a legitimate source or is malicious.
- Links – If a hacker can get you to believe their email is legitimate, the easiest way for them to get further is to get you to click on a link. If you don’t know where the link goes, do not click. Instead, hover your mouse over the link for a second. Doing so will reveal the actual link URL, so you can see whether it is really the link you want to click on. If the link looks even remotely suspicious, do not click on it.
- Attachments – Similar to suspicious links, do not download attachments that you are not expecting or that you do not recognize specifically. If a hacker can get you to download an attachment to your mobile phone, your laptop, or to a network drive, then that hacker is in and can do untold damage. Even the smallest attachment can be a virus, malware, or ransomware. If an attachment is unexpected or looks suspicious, do not download it.
- Domains – Who is the email from? If it’s not immediately clear, you now know how to check the header and verify who the email is from. One of the most infamous cases of a “mistaken” domain happened years ago when PayPal was on its meteoric rise in popularity among individuals to send money to one another. A hacker created fake emails using the domain “paypai.com”, which looks a LOT like “paypal.com”, and fooled thousands of people into handing over their bank and credit card information.
- SSL certificates – An SSL certificate is a small data file that digitally binds a cryptographic key to an organization’s details. That’s a very techie way of saying “the organization is verified by a trusted third party.” If the email you’re reading was sent by an organization that has an SSL certificate installed on its website, there are two things you will see when you visit that website. First, the website URL will begin with “https” instead of “http”, where the “s” indicates that the connection is secure. Second, the word “Secure” will appear at the far left of your web browser’s address field. If you click on that word “Secure”, you will see the verified information about the owner of the website domain.
- Personally Identifiable Information (PII) – Personally Identifiable Information, or PII for short, is just what it sounds like: personal information about you that can enable someone to know your identity. This data includes your birth date, your home address, your social security number, bank information, driver’s license data, credit or debit card numbers, usernames and passwords, and other information that you would not normally share with anyone you don’t know. Do not ever put any of this type of information in any email for any reason, no matter how much the entity on the other end of the email wants you to and tries to convince you it’s OK. Do not do it.
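As an added example (not code from the original article), the Python below shows how the header, link and domain checks in the list above can be automated on the receiving side: it parses a constructed sample message, compares the From domain with Reply-To and Return-Path, flags link text that shows one domain while the real target is another, and detects look-alike domains of the “paypai.com” kind. The TRUSTED allowlist and the sample message are assumptions made for the example.

```python
import email, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
TRUSTED = {"paypal.com"}  # hypothetical allowlist of brands this organization deals with

# Constructed sample, not a real message: From claims paypal.com, but Return-Path,
# Reply-To and the link target all use the lookalike "paypai.com".
SAMPLE = """\
Return-Path: <billing@paypai.com>
From: PayPal Billing <service@paypal.com>
Reply-To: billing@paypai.com
Content-Type: text/html

<p>Please <a href="http://paypai.com/login">log in at https://www.paypal.com</a></p>
"""

def normalize(domain):
    # Collapse common look-alike substitutions: i/1 -> l, 0 -> o, rn -> m, vv -> w
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("i10", "llo"))

def lookalike_of(domain):
    # Trusted domain this one imitates, or None if it is exact or unrelated
    for t in TRUSTED:
        if domain != t and normalize(domain) == normalize(t):
            return t
    return None

def header_domains(msg):
    # Domain of the address in each sender-related header that is present
    return {h: parseaddr(str(msg[h]))[1].rpartition("@")[2].lower()
            for h in ("From", "Reply-To", "Return-Path") if msg[h]}

def analyze(raw):
    # Returns (kind, detail) findings; an empty list means nothing suspicious was seen
    msg = email.message_from_string(raw, policy=policy.default)
    doms, findings = header_domains(msg), []
    for h, d in doms.items():
        if h != "From" and d != doms.get("From"):
            findings.append(("header_mismatch", f"From={doms.get('From')} {h}={d}"))
        if lookalike_of(d):
            findings.append(("lookalike", f"{h} domain {d} imitates {lookalike_of(d)}"))
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    for href, text in re.findall(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.S | re.I):
        target = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)  # domain the reader sees
        if shown and re.sub(r"^www\.", "", shown.group(0).lower()) != re.sub(r"^www\.", "", target):
            findings.append(("link_mismatch", f"text shows {shown.group(0)} but target is {href}"))
        if lookalike_of(target):
            findings.append(("lookalike", f"link target {target} imitates {lookalike_of(target)}"))
    return findings
```

The link extraction is a deliberately simple regex for the sample; a real mail gateway would use a proper HTML parser and a much larger allowlist.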
Phishing works and has for a long time. Hackers continue to use it as a simple technique for gaining access to secure data because it works so well. Phishing works because we, as professional organizations, assume that everyone knows the six points above by heart. But they don’t, so we have a duty to our organizations to constantly educate all our employees.