When I run my security awareness training sessions, I always reinforce that the best spam filter is the email recipient. If an email has an overt security problem, such as an attachment carrying malware or a link to a known malicious site, anti-spam software is getting better and better at catching it while avoiding false positives. However, a lot of spam is of the phishing variety, and phishers routinely find ways around those automated anti-spam controls.
The best approach is for the recipient to treat every email as malicious until it proves itself legitimate. With this approach, every user will be a master at spotting phishing, spear-phishing, or whaling emails in no time. Run through these questions for every message:
- Is the email from a trusted sender with whom I ordinarily communicate?
- Did I receive the email on a date and time I would normally receive communication?
- Does the subject line match the content, or is it irrelevant to what the body actually says?
- Are there unexpected attachments to the email?
- Are there hyperlinks pointing to unknown addresses? Hover over a link to see where it really goes before clicking.
- Is the content out of the ordinary, does it seem odd, or does it push a sense of urgency to act without a second thought?
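The checklist above is written for a human reader, but each question maps to a check a mail gateway or triage script can make mechanically. The following is an added example, not code from the original post or from any product: a small Python heuristic that scores a raw RFC 822 message against the six questions. The trusted-domain list, business hours, risky extensions and urgency phrases are assumptions for the demo, and both sample messages are constructed for it.

```python
"""Heuristic phishing triage: score an RFC 822 message against the checklist."""
import os
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Policy values are assumptions for this example, not from the original post.
TRUSTED_DOMAINS = {"example.com"}                # senders/links we normally see
BUSINESS_HOURS = range(8, 18)                    # 08:00-17:59, Monday to Friday
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "act now",
                   "account will be suspended", "verify your password")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def body_text(msg):
    """Return (plain, html) text joined from the non-attachment text parts."""
    plain, html = [], []
    for part in msg.walk():
        if part.is_attachment() or part.get_content_maintype() != "text":
            continue
        (html if part.get_content_subtype() == "html" else plain).append(part.get_content())
    return "\n".join(plain), "\n".join(html)


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of 'category: detail' findings; an empty list means no red flags."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Is the sender someone we ordinarily communicate with?
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = m.group(1).lower() if m else ""
    if not is_trusted_host(sender, trusted):
        findings.append(f"sender: domain {sender!r} is not one we normally communicate with")

    # 2. Did it arrive at a time we normally receive mail?
    dt = getattr(msg.get("Date"), "datetime", None)
    if dt is not None and (dt.weekday() >= 5 or dt.hour not in BUSINESS_HOURS):
        findings.append(f"timing: received {dt:%a %H:%M}, outside business hours")

    plain, html = body_text(msg)
    text = (plain + " " + TAG_RE.sub(" ", html)).lower()

    # 3. Does the subject match the content at all?
    subject = (msg.get("Subject") or "").lower()
    words = re.findall(r"[a-z]{4,}", subject)
    if words and not any(w in text for w in words):
        findings.append(f"subject: {subject!r} shares no words with the body")

    # 4. Unexpected attachments with risky or double extensions?
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS or os.path.splitext(stem)[1]:
            findings.append(f"attachment: {name!r} has a risky or double extension")

    # 5. Hyperlinks to unknown hosts, or link text that hides the real target?
    for href, label in ANCHOR_RE.findall(html):
        target = urlparse(href).hostname
        shown = urlparse(TAG_RE.sub("", label).strip()).hostname
        if shown and target and shown != target:
            findings.append(f"link: text shows {shown} but points to {target}")
        elif not is_trusted_host(target, trusted):
            findings.append(f"link: points to unknown host {target}")
    for url in URL_RE.findall(plain):
        host = urlparse(url).hostname
        if not is_trusted_host(host, trusted):
            findings.append(f"link: points to unknown host {host}")

    # 6. Pressure language pushing the reader to act without thinking?
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency: pressure language {hits}")
    return findings


# Constructed sample: a payment-redirection phish with a spoofed link and .exe attachment.
PHISHING_SAMPLE = """\
From: "Accounts Payable" <ap@examp1e-billing.net>
To: finance@example.com
Subject: Invoice 4471 payment details
Date: Sat, 14 Oct 2023 02:17:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Our banking details have changed. Please update the payment routing
immediately, otherwise your account will be suspended.</p>
<p><a href="http://login.examp1e-billing.net/verify">https://portal.example.com/invoices</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: an ordinary internal message that should raise no flags.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review notes
Date: Tue, 10 Oct 2023 14:05:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi, notes from the Q3 budget review are on the wiki:
https://wiki.example.com/finance/q3-review
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, check_email(sample) or "no findings")
```

The script is a triage aid, not a verdict: the subject check in particular is crude, and a well-crafted spear-phish can pass every automated test here while still being fraudulent, which is exactly why the human reading the mail remains the last filter.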
Most importantly, never give up login credentials or change financial settings (e.g. invoice payment routing instructions) on the strength of an email alone. If you need to provide either, call the sender on a phone number you already have on file, not one taken from the email, speak to a person you know, and verify the request is real. Most legitimate requests for either won't happen over email, so be cautious.
With these easy steps in mind, your healthy dose of skepticism will be your best defense!