Q: I have a small brokerage firm and we are getting more and more suspicious email. How can I tell if an email is legit or not? How can I prevent my employees from getting duped? Can this cause harm to my business’s computers or damage data?
A: By most industry estimates the large majority of data breaches (figures above 90% are often cited) begin with a malicious email aimed at an employee or executive. Entire criminal organizations are devoted to researching high-value targets such as CEOs, CFOs, brokers, and their staff. They will read your social media posts, compromise a mailbox or your network and quietly watch email conversations and routines, and then impersonate someone you trust at the moment it will do the most damage (a pending wire, a vendor invoice, a travelling executive). It is very important to stop them at the front door by learning what to look for and staying aware of tactics as they evolve.
There are several ways to tell if an email is legitimate or not, which require you to pay close attention to often overlooked details.
1) Is the email from someone you expected it from? In other words, is this a normal type of request from someone you regularly get email from? It is OK to question it, and chances are that if it looks a bit “off” or weird, it is. When in doubt, throw it out.
2) Was the email sent during normal business hours? Timing alone proves little, since attackers can schedule mail and legitimate colleagues travel, but an unexpected 3 a.m. request to move money or change account details deserves extra scrutiny.
3) Does it ask you to click on a link or open an attachment? If so, hover over the link without clicking it (on a phone, long-press it) to see where it actually goes, and compare that destination with where the email claims to be from. Look at the domain itself, not at whether the bank’s name appears somewhere in the address: the email might appear to come from a bank or another brokerage firm, yet the link points to an unrelated or lookalike domain, or the visible link text shows the bank’s real address while the underlying link goes elsewhere. The likelihood of such a link being dangerous is high.
4) Does the email have transposed letters, misspellings or extra words in the “from” address, subject line, message or link addresses? Read carefully; a domain that is one character off from the real one is a common trick.
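Checks 2 through 4 can be applied mechanically before a message ever reaches a person. The following is an added example, not code from the original column or from KnowBe4: it parses a constructed sample message (the addresses, the bank name and the "trusted" domain list are all invented for illustration), compares each link’s domain with the sender’s domain, flags link text that names one domain while pointing to another, detects lookalike domains that are one substitution, insertion, deletion or adjacent transposition away from a trusted one, and notes an off-hours send time as a weak signal.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; every address and name is made up.
SAMPLE_EML = """\
From: "First Savings Bank" <alerts@firstsavingsbank.com>
To: broker@example-brokerage.com
Subject: Urgent: confirm wire instrcutions
Date: Sat, 14 Mar 2020 03:17:00 -0500
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://fristsavingsbank.com/login">log in to firstsavingsbank.com</a> to confirm.</p>
<p>Questions? See our <a href="https://firstsavingsbank.com/help">help center</a>.</p>
</body></html>
"""

# Assumed allow-list of domains the firm legitimately deals with (hypothetical).
TRUSTED_DOMAINS = {"firstsavingsbank.com", "example-brokerage.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable domain: the last two labels. Production code should
    use a public-suffix list so that e.g. bank.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def one_edit_apart(a, b):
    """True if a and b differ by exactly one substitution, insertion, deletion
    or adjacent transposition (Damerau-Levenshtein distance 1)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diffs) == 1:
            return True  # substitution, e.g. paypa1 vs paypal
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])  # swap
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(longer) and j < len(shorter):
        if longer[i] != shorter[j]:
            if skipped:
                return False
            skipped = True
            i += 1  # skip the one extra character
        else:
            i += 1
            j += 1
    return True


def off_hours(dt, start=8, end=18):
    """Weak signal: sent on a weekend or outside start..end in the sender's own
    stated timezone. Attackers can schedule mail, so never rely on this alone."""
    return dt.weekday() >= 5 or not (start <= dt.hour < end)


def analyze(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # The From header is only a claim; it is trivially spoofed. It is still the
    # baseline every link in the body should be consistent with.
    sender = msg["from"].addresses[0].addr_spec
    sender_domain = registrable_domain(sender.rsplit("@", 1)[1])

    if off_hours(msg["date"].datetime):
        findings.append("sent outside business hours (weak signal)")

    extractor = LinkExtractor()
    extractor.feed(msg.get_body(preferencelist=("html",)).get_content())

    for href, text in extractor.links:
        link_domain = registrable_domain(urlparse(href).hostname or "")
        if link_domain != sender_domain:
            findings.append(f"link goes to {link_domain}, not sender domain {sender_domain}: {href}")
        for trusted in trusted_domains:
            if link_domain != trusted and one_edit_apart(link_domain, trusted):
                findings.append(f"lookalike of {trusted}: {link_domain}")
            if trusted in text.lower() and link_domain != trusted:
                findings.append(f"link text names {trusted} but points to {link_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("-", finding)
```

Run against the sample, the first link produces three findings (domain differs from the sender, it is one transposition away from the trusted bank domain, and its visible text names the real bank while the href does not) and the send time produces a fourth; the genuine help-center link produces none. The From-header check here is deliberately only a consistency check: whether that header was actually sent by the named domain is what SPF, DKIM and DMARC results in the Authentication-Results header answer, and a real filter should consult those as well.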
Stu Sjouwerman, CEO of KnowBe4 and author of Cyberheist offers the following tips:
When in doubt, throw it out. You can always call the sender to verify the email was sent from them, especially where wire instructions or financial information is concerned. Emails can easily be faked as coming from a known address (this is called spoofing).
Don’t open any links or attachments you did not ask for. It is much easier to have an Information Technology (IT) pro check it for you than to lose money or confidential personal information. But the best insurance is to enroll your employees in Security Awareness Training. A good program will also test employees frequently using simulated phishing attacks to keep them on their toes. For more tips and information, visit www.knowbe4.com.