
Practical Steps for Dealing with Suspicious Emails

Last week, when posting on LinkedIn about a new type of phishing scam, callback attacks, we promised to blog here with some ideas on how to deal with suspicious emails in your business or personal inbox.

As for callback phishing attempts, later that very same morning our head of sales received one pretending to be from Best Buy, shown here in the following image:

[Image: Hackers attempt callback phishing by imitating Best Buy’s Geek Squad.]

The Geek Squad message he received was clearly unsafe since it was sent from a Gmail address. That said, phishing attempts can sometimes look very real, so here are some simple steps you can take when you are uncertain whether a message in your inbox is legitimate.

Pick up the phone

Did an odd-looking message arrive from a friend? His or her email was probably breached. If you know the person well enough, contact them. DON’T reply to that email or forward it to a different email address (biz or personal) you have for that person… propagating a potentially dangerous message only increases its chance to infect.

Call or text the person and say you think his or her email address was compromised. Offer to text a screenshot of the message if they are unaware there may be a problem.

Use that thingy called the internet

Does the suspicious email contain an address or phone number? Search the internet for the company’s actual contact details and see if there’s a mismatch.

Also, many phishing attempts come from a generic “finance” or other department. If, however, there is a sender’s name included, search the names of that person and the company in combination. If you don’t find a LinkedIn page for that person, remain highly skeptical.
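
For anyone triaging a shared mailbox, the two checks described so far (a brand name sent from a free webmail address, and contact details that don't match the company's real ones) can be scripted. This is an added example, not part of the original post: the freemail list, the brand directory (including the `bestbuy.com` entry and the phone numbers) and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: fill BRANDS with contact details you looked
# up on the company's own website. The phone numbers here are constructed.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = {"geek squad": {"domains": {"bestbuy.com"}, "phones": {"8005550100"}}}
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def last10(number):
    """Normalise a phone number to its last ten digits for comparison."""
    return re.sub(r"\D", "", number)[-10:]

def check_message(raw):
    """Return a list of reasons the message looks like brand impersonation."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, known in BRANDS.items():
        if brand not in text:
            continue  # message makes no claim about this brand
        # Accept the brand's own domain and any subdomain of it.
        ok = any(domain == d or domain.endswith("." + d) for d in known["domains"])
        if domain in FREEMAIL:
            findings.append(f"claims '{brand}' but sent from free webmail {domain}")
        elif not ok:
            findings.append(f"claims '{brand}' but sender domain is {domain}")
        for number in PHONE_RE.findall(body):
            if last10(number) not in known["phones"]:
                findings.append(f"phone {number.strip()} is not a published '{brand}' number")
    return findings

# Constructed sample modelled on the callback message described in the article.
SAMPLE = '''From: "Geek Squad Billing" <billing.team4471@gmail.com>
To: user@example.com
Subject: Your subscription renewal invoice

Your Geek Squad plan renewed for $399.99.
To cancel, call +1 (808) 555-0147 within 24 hours.
'''

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("SUSPICIOUS:", finding)
```

An empty result only means these two checks found nothing; the remaining steps in this post still apply.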

Contact the company

If still uncertain, call the company and tell the receptionist you received a suspicious email claiming to be from their organization. A company of any size will almost certainly have a fraud department you’ll be connected with right away.

Report it

Earlier, we said not to forward suspicious email, but there are a couple of exceptions. Save this email address somewhere handy: reportphishing@apwg.org. APWG is a collection of ISPs, financial institutions and law enforcement agencies that work together to fight fraudulent messaging.

If you get a tax-related scam specifically, then forward that message to phishing@irs.gov.

Conclusion

Overall, these actions are pretty easy to take, right? It requires very little time and effort to discover with certainty whether a suspicious email is indeed a phishing attempt. Spot it, research it, report it – simple as that!

Confident in your organization’s email defenses, including your team’s ability to spot and avoid malicious messages? If not, contact us for a network security review!
