Published 2023-05-17 by TechNet New England
Despite all the advances in cybersecurity technology, email remains the primary way attackers get into business networks. Over 90% of cyberattacks start with an email. That makes every employee with an inbox part of your security team.
Before You Click Anything
Check the Sender
Look at the actual email address, not just the display name. A display name can say "Microsoft Support" while the email comes from a completely unrelated domain. Hover over the sender's name to see the full address.
Look for Red Flags
- Urgency or threats ("Your account will be suspended immediately")
- Unexpected attachments or links
- Requests for passwords, payment information, or personal data
- Generic greetings ("Dear Customer") instead of your name
- Slight misspellings in domain names (microsft.com, amazom.com)
Hover Before You Click
Before clicking any link, hover your mouse over it to see the actual URL. If the link text says "Microsoft" but the URL points somewhere else, it is a phishing attempt.
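The three manual checks above (display name versus actual address, misspelled domains, link text versus destination) can also be automated in a mail filter. The following is an added example, not code from this post: it runs those checks over a constructed sample message, and the KNOWN_BRANDS allow-list and the two-edit lookalike threshold are assumptions.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list of brands the organisation expects mail from.
KNOWN_BRANDS = {"microsoft.com", "amazon.com"}
# Simplified anchor matcher for the demo; a production filter should use an HTML parser.
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance: microsft.com is one edit away from microsoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    """Return the known brand a domain imitates (within two edits), else None."""
    return next((b for b in KNOWN_BRANDS
                 if domain != b and edit_distance(domain, b) <= 2), None)

def claims_brand(text):
    """Brands whose name appears in a display name or in link text."""
    return [b for b in KNOWN_BRANDS if b.split(".")[0] in text.lower()]

def red_flags(raw):
    """Apply the three checks from the post and return the findings."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    dom, flags = addr.rsplit("@", 1)[-1].lower(), []
    for brand in claims_brand(name):        # display name vs. actual address
        if dom != brand:
            flags.append(f"display name '{name}' but address domain {dom}")
    if lookalike(dom):                      # slight misspelling of a known domain
        flags.append(f"sender domain {dom} resembles {lookalike(dom)}")
    for href, text in ANCHOR.findall(msg.get_payload()):   # link text vs. URL
        host = (urlparse(href).hostname or "").lower()
        for brand in claims_brand(text):
            if host != brand and not host.endswith("." + brand):
                flags.append(f"link text '{text.strip()}' points to {host}")
    return flags

# Constructed sample message, not real mail.
SAMPLE = """From: Microsoft Support <alerts@microsft.com>
Content-Type: text/html

<p>Dear Customer,</p><a href="http://login.microsft-verify.example/">Microsoft sign-in</a>
"""
```

Running red_flags(SAMPLE) reports all three problems, while a message from alice@microsoft.com linking to www.microsoft.com produces no findings.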
Business Email Compromise
The most financially damaging email attacks do not use malware at all. Business email compromise (BEC) attacks impersonate executives or vendors to trick employees into making wire transfers or changing payment information. Protect against BEC by:
- Establishing verification procedures for any financial transaction requested by email
- Confirming payment changes via phone call to a known number
- Being especially cautious of urgency ("This needs to be done today")
- Having dual authorization for significant financial transactions
When You Receive a Suspicious Email
- Do not click any links or open any attachments
- Do not reply to the email
- Report it to your IT team or IT provider
- Delete the email (or move it to junk)
- If you already clicked something, report it immediately and change your password
Want to set up phishing simulations and security training for your team? Contact TechNet New England.