Expert Advice: How To Avoid Spear Phishing

Professor Frank Hartle shares his fundamental principles for defending yourself against email schemers.

Most of us can’t imagine functioning without email or online calendars. We have become so accustomed to communicating and organizing our lives using these tools that we rarely think about clicking links or invitations from people we know or work with. But cybercriminals have begun to exploit this trust to access our computers remotely, steal our information, and infect our devices with ransomware that renders them useless. They use a tactic called “spear phishing,” disguising emails so they seem to come from the recipient’s acquaintances or workplace.

Here are some tips to avoid being a victim of spear phishing:

Don’t fall for impostors. Spear phishing can seem like the real thing. It may include a legitimate email signature or phone number at the end of the message. If in doubt, text or call the person the email is supposedly coming from to make sure it is not an attempt to get you to click a nefarious link.

Take your time. Be suspicious of emails that try to elicit an emotional response with words like “urgent” or “immediate” or requests to email back right away. When an email makes you feel like you must respond right now, instead take some time to confirm that the sender is legitimate. Look carefully at the source.

Almost but not quite. The sender may claim to be from the same company or agency. Some go so far as to imitate IT and HR departments requesting users to click on links or calendar invitations for training sessions. But check the sender’s email domain extension. If you work for TSA.gov, beware of an “interagency” email from TSA.com.

English is hard. Misspellings in the email can be your first line of defense. Some spear phishing attempts will try to mask clumsy language with official-sounding jargon and bogus law citations like “Workplace Survey & Communication Protection Act 22 CR1414.3B and Executive Order 229.”

Look out for links. Spear phishing often puts multiple links in an email to increase the likelihood the recipient will click on one. Report a suspicious email to your IT department immediately, or if it’s your personal email, delete it and label the sender as spam or junk mail.
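As an added example (not from the article or its author), the small Python triage script below applies three of the tips above to a constructed message: it flags a sender whose domain shares the organization's name but not its extension (TSA.com vs. TSA.gov), urgency wording in the subject or body, and several links in one email. The trusted domain, the keyword list, and the sample message are assumptions chosen to match the article's scenario.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, modelled on the article's "interagency" email from TSA.com.
SAMPLE_EMAIL = """\
From: IT Support <helpdesk@tsa.com>
To: employee@tsa.gov
Subject: URGENT: mandatory security training
Content-Type: text/plain

Immediate action required. Complete the training today:
http://tsa-training.example/start
http://tsa-training.example/calendar
https://tsa-training.example/help
"""

# Pressure words from the "Take your time" tip (assumed list).
URGENCY_WORDS = ("urgent", "immediate", "right away", "action required")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sender_domain(msg):
    """Return the lower-cased domain of the From header, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw, trusted_domain):
    """Check one raw email against the lookalike-domain, urgency and link tips."""
    msg = message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    findings = {
        # "Almost but not quite": same name, different extension (tsa.com vs tsa.gov)
        "lookalike_domain": domain != trusted_domain
        and domain.split(".")[0] == trusted_domain.split(".")[0],
        "external_sender": domain != trusted_domain,
        # "Take your time": words that push for an immediate reaction
        "urgency_words": [w for w in URGENCY_WORDS if w in lowered],
        # "Look out for links": several links raise the odds of a click
        "link_count": len(URL_RE.findall(text)),
    }
    findings["suspicious"] = bool(
        findings["lookalike_domain"]
        or (findings["external_sender"] and findings["urgency_words"])
        or findings["link_count"] >= 3
    )
    return findings
```

A message flagged this way is a candidate for the "report, then delete" step, not proof of phishing; a legitimate vendor can also write "urgent" and include three links.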

When receiving an email that looks suspicious, always err on the side of caution. Carefully read, report, and delete. Never click, respond, or download.

Frank Hartle is a professor of criminal justice and director of RMU’s criminal justice programs, including the new M.S. in Cyber Investigation and Intelligence. He is also a coordinator of the RMU Center for Cyber Research and Training and an associate editor for the International Journal of Cyber Research and Education.