Guardian Information Services

Cyber Security Blog

Email Safety

4/12/2022

 


Different types of email attacks and what to do to be safe.
The threat of email attacks increases each day; do not underestimate them. The intention of these emails is to trick you into sending money or revealing account passwords, banking information, Social Security numbers, EINs, mother’s maiden name, date of birth, or other personal or company information.

You should know about the various types of malicious emails and how to avoid them. In this document I’m going to cover two of the most common malicious emails you might face with your business and how to avoid them.
 
Phishing Email Attacks
Phishing refers to instances where the scammer sends out a mass email to every address they can glean by whatever method. The hope is that at least a few people within that mass emailing will be gullible enough to respond and send cash or personal details.

Some examples of Phishing emails:
  • They ask you to confirm your credentials to some online service, like your online banking or webmail.
  • They email you a document, and when you attempt to open it you’re asked to log in to what you think is your email system. It’s not.
 
Business Email Compromise Attacks
Where phishing emails are generic in nature because they target a large audience, Business Email Compromise (BEC) attackers do their homework by gathering information such as the names of company officers, your organizational structure, and the companies you deal with, including financial institutions. They use this information to steal the identity of company officers or owners to defraud the company or its employees, customers or financial partners.
 
Some examples of BEC emails:
  • An email arrives that appears to be from a high-level executive within the company, a business partner or company attorney. Since the email address has been spoofed, it appears to be legitimate. A request for a wire transfer is included in the email, which urges the recipient to take immediate action. I’ve also seen requests to purchase VISA gift cards.
  • Again, pretending to be an executive officer, they email employees asking for login information to financial institutions, the email system, or other confidential information.
 
How not to be a victim:
  1. Look for bad spelling and/or poor grammar in an email claiming to represent a company or organization. However, scammers are getting more sophisticated, so don’t assume it’s legit because of proper spelling and grammar.
  2. Watch for spoofed emails. Guardian protects our customers’ domains from being spoofed; however, attackers can get around this by using a similar spelling of your domain. Instead of ABCSUPPLY.COM they use ABCSUPLY.COM, or even [email protected]. Make sure emails have the correct spelling in the “from” address field or inside the message header. (Email spoofing is when a forged email message appears to have originated from someone or somewhere other than the actual source.)
  3. A request for money should be treated with suspicion until proven otherwise. Always confirm requests for money.
  4. Do not trust emails asking you to confirm your password, or emails with a document that, when you attempt to open it, asks you to log in to what you think is your email system. STOP: it’s not your email system, and you’re supplying them your credentials.
  5. Do not publish employee email addresses or other sensitive information on your company website, social media or any online publication.
  6. Develop security policies for your company, your vendors, and your customers.
Security Policy Examples:
  • Money transfer requests, or similar requests such as Visa gift card purchases, will never be made via email.
  • Confidential information requests via email must be verified. It’s recommended not to email or text confidential information unless you are using encrypted email.
  • Do not provide confidential information on the phone unless the caller’s identity is known and verified and they are allowed to access such information.
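The lookalike-domain check from step 2 can be automated. The following Python sketch is an added example, not Guardian's own tooling: it reads the From header of a message and flags sender domains that are within a couple of keystrokes of a trusted domain. The trusted list, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the exact domains your organization sends mail from.
TRUSTED_DOMAINS = {"abcsupply.com"}

def edit_distance(a, b):
    """Count the typos between two strings: an insert, delete,
    substitution, or swap of two adjacent letters costs 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "lp" typed instead of "pl".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(raw_message, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, domain) for the From header of a raw email."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("no-sender", "")
    if domain in trusted:
        return ("trusted", domain)
    # Close to a trusted domain but not equal: likely impersonation.
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return ("lookalike", domain)
    return ("external", domain)

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Pat Owner <pat@abcsupply.com>\nSubject: Lunch\n\nSee you at noon.",
    "From: Pat Owner <pat@abcsuply.com>\nSubject: Urgent wire\n\nSend it today.",
    "From: Newsletter <news@example.org>\nSubject: April issue\n\nHello.",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_sender(raw))
```

A "trusted" verdict only means the From header spells the domain correctly; it does not prove the message was not spoofed, so requests for money still need to be confirmed as described in step 3.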
If you have questions or feel you've experienced a compromise, you should call Guardian immediately.


Website by Guardian Information Services, Inc.