Scam E-mails

Essential Information for Users

Introduction and Overview

Scam e-mails are a scourge. Even if it's unlikely your users will fall for one and cost your company money, time is wasted when they are received, especially when users contact IT support, as they often should, to confirm there is no actual compromise of your system.

Modern best practices call for user awareness training, which often includes videos or interactive courseware with too much detail about how the user can identify a scam. This is problematic because this approach implies, or even explicitly advises, that users can open an unexpected e-mail once they have determined it's not a scam, which is the inverse of what should be done.

What to do

All users should follow this rule for any e-mail or text message received with an attachment or a link.

Never open an attachment or click on a link unless you:

  1. Know exactly what the attachment or link is, and
  2. Were expecting it.

If you can't answer "yes" to both of the above, then delete the message.

Notice the rule says nothing about whether you know the person who sent it to you. This is because some scam messages are forged to appear as if they came from someone you know, such as your boss or your IT department. Others even show that they came from your own e-mail address. And it's possible a message with a dangerous attachment actually did come from someone you know, if that person was a victim of an account takeover or malicious software.

The Reasons

When receiving an unexpected attachment or link, users should not examine the e-mail and, after applying all the technical knowledge they may have gained from anti-scam training, go ahead and open it if they think it's likely not a scam. This is a recipe for disaster. But because of curiosity and a fear of missing something important, people often lose discipline and talk themselves into opening it.

But even if you believe you know exactly what the attachment is, scammers can send files that look like something legitimate, such as an invoice in PDF format, but are actually malicious and damaging. Or it could be a link that seems to take you to your Dropbox account, so you can go ahead and sign in, but it's actually a well-designed impostor site. This is why, even if you think the attachment or link is real and something you might want to see, you still shouldn't open it if you weren't expecting it: the second condition is a final safeguard against misidentifying something as safe when it's not.

It's extremely unlikely that you will ever get an attachment you were supposed to open that you weren't expecting, or can't confirm by a phone call to the sender. And if this ever happens, when you properly delete it, the sender will almost certainly follow up, in which case you will learn what had been sent to you and why, and you can then open it once you receive it again, in keeping with our rule. The potential cost for a delay responding to a legitimate message is far outweighed by the damage that will be done if users don't strictly follow the above rule.

What scam e-mails do

Criminals send e-mails with attachments or links in order to steal the password to your e-mail account or bank. The attachment or link will often bring you to a fake website designed to look like the login page for Microsoft or Google (e-mail providers for millions), a bank, your social media account, etc. If you type in your password, the fake website captures it, and the criminals can then use it to log in to your bank and take your money, or send messages from your e-mail account trying to trap more people. If that happens, then people in your contacts list, if they were incorrectly trained with the common adage that you shouldn't open attachments from people you don't know, will open dangerous attachments because they will have correctly confirmed the e-mail actually came from your account.

What if you make a mistake?

If you open an attachment or link and realize afterwards you should not have, in many cases there will be no problem. If you have quality endpoint protection software, then likely an executable attachment will not cause harm. If you opened something that brought up a login page, then if you didn't type your password, the criminals won't gain access. Even if you did type your password, if you have multi-factor authentication set up and you only realized something was wrong when you got the approval prompt unexpectedly on your phone (since you're using a trusted computer), then if you disapproved the login, the criminal will not have gotten in.

Yet, all of these actions could potentially cause harm. For example, your endpoint protection software might fail, allowing malicious software to run. Opening an impostor web page, even if you didn't type a password, might install extensions in your browser that cause hassle or a security breach. And while multi-factor authentication will protect you from immediate compromise should you unthinkingly type your password into an impostor's site, once the criminals have your password, you can bet they'll set about using alternate methods to get past needing you to approve sign-in from your phone.

So in the event you open an attachment or link that you weren't expecting, or without knowing what it was, contact IT support as soon as possible, so they can inspect your computer and your accounts for any damage that may have been done or for indicators someone else has gained unauthorized access. Criminals can cause many problems almost instantaneously by using automated systems, so time is of the essence. You should at the same time get on another device and change the password to any accounts for which you may have entered your password into an impostor website.

Demands for Ransom

Some scam messages don't contain an attachment or link, but instead declare that your website was taken over and your database stolen, or your e-mail account was broken into, and the criminal will harm your business or personal reputation if you don't make a payment. Instructions on how to pay the ransom through untraceable crypto-currency will be included in the body of the message.

It is of course much easier for a criminal to send a message falsely claiming you're compromised, hoping you won't know any better, than to actually steal your data. Forward such messages to your IT department, though, so they may confirm no compromise, and more generally track the potential of targeted social engineering campaigns against your company so that management may be advised.

Checking for Compromise

As mentioned, scam e-mails may appear to come from someone in your own company (or even yourself), including those with malicious attachments/links, or demands for ransom. Or, sometimes business partners may tell you they are receiving scam e-mails apparently from your address. In these cases, contact your IT support, so that system logs and your mailbox configuration can be checked. If you have the original of a message that appears to come from your boss or yourself, forward the entire e-mail as an attachment to your IT support provider when requested. Very often the information needed to confirm whether your or your boss's accounts are compromised will be found in the hidden headers of the impostor's message, which are not included if you forward the message in the normal fashion. Click here for more information on forwarding an e-mail as an attachment.

If it is determined a criminal had logged in to your mailbox or that of someone at your company, your IT support will assist with remediating damage done and removing access, and company management should be notified so that they may take mitigating actions as required by the situation and your company's information security policy. Despite any embarrassment you might feel if the compromise was due to your mistake, do not try to hide it, as this could make the situation far worse.

If the criminal sent the message from his own account and simply forged the "From" header, this still presents a potential nuisance to your operations and reputation. Click here for information on how to limit the success of forged messages appearing to come from your company.
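
For IT support, the header check described in this section can be scripted. The following is an added example, not part of the original article: it pulls the original message out of a report forwarded as an attachment and reads the headers that separate a forged "From" from a message really sent through your own mail system. The domains, the sample message and the triage rule are assumptions made for illustration, and the rule presumes your receiving mail server records SPF, DKIM and DMARC results in an Authentication-Results header.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample: a user's report carrying the suspicious e-mail as a
# message/rfc822 attachment, so the impostor's original headers are intact.
SAMPLE_REPORT = b"""\
From: Pat User <pat@example.com>
Subject: Fwd: suspicious message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This claims to be from our boss.
--b1
Content-Type: message/rfc822

Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=example.com
From: The Boss <boss@example.com>
Subject: Urgent invoice

Please open the attached invoice.
--b1--
"""

def extract_original(raw):
    """Return the attached original message, or None if it was forwarded inline."""
    report = message_from_bytes(raw, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the embedded message, headers included
    return None

def triage(original, org_domain):
    """Heuristic assumed for this example: trust only your own server's results."""
    from_dom = parseaddr(str(original["From"]))[1].rpartition("@")[2].lower()
    path_dom = parseaddr(str(original["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    results = " ".join(str(v) for v in original.get_all("Authentication-Results", []))
    checks = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    if from_dom != org_domain:
        verdict = "external sender"
    elif checks.get("dmarc") == "pass":
        verdict = "sent through our own mail system: check the account for compromise"
    else:
        verdict = "forged From header: sent from outside"
    return {"from": from_dom, "return_path": path_dom, "checks": checks, "verdict": verdict}
```

A report forwarded in the normal fashion has no message/rfc822 part, so `extract_original` returns None and the original headers have to be requested again.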