AbleToTrain von Willing & Able

Email safety

As mail server administrators, we may have extensive knowledge of how to use email safely, but what about end users? They do everything they can to block spam and malware, but without educating users, if one of them clicks on a link in a spam message, the network can become vulnerable. Consider these recent cases that could have been avoided if the user had the appropriate information to identify phishing scams and other threats.

CEO scams (scams where an attacker impersonates a boss or CEO to send someone money to a scammer) and W2 phishing (scams where a scammer impersonates a boss to access a tax form to retain an employee) Combined with new and more widespread attacks. The malware development team, known as

The Dukes, may have been responsible for targeting think tanks and NGOs with multiple spear phishing attacks. These attacks are said to have come from people at Transparency International, the Center for a New American Security (CNAS), the International Institute for Strategic Studies (IISS), the Eurasia Group, and the Council on Foreign Relations (CFR). In addition to these spear phishing attacks, other attacks included targeted spam email blasting, including Word or Excel documents. Recipients are instructed to enable macros that allow hackers to automatically download and execute malicious code.

Toy maker Mattel was hit by a phishing email requesting payment from a new supplier to China. Her CFO received a phishing email claiming to be from her new CEO. The standard protocol required two senior officials to approve these types of transactions. Both the CFO and CEO are qualified as high-ranking officials, and she approved her transaction and sent over $3 million to Wenzhou Bank in China. Learn more about this story here.

These are just a few of the many other notable incidents that users could have prevented if they were better informed about email security.

Email security is not the sole responsibility of your email provider or administrator. It’s everyone’s responsibility. The following is a list of security tips that all mail server administrators should share with their users to minimize spam and malware.

  • Change your password frequently.

  • Use a strong password.

  • Never use a password that contains too generic words.

  • Use a different password for each account. Using the same password for your bank account as your email account makes you much more vulnerable to data theft.

  • Do not open attachments unless you understand and expect them from.

  • Be aware of email messages asking you to enable macros before downloading Word or Excel attachments.

  • Use antivirus software on your local computer to make sure you are up to date with the latest virus definitions.

  • If you receive an attachment from someone you don`t know, don’t open it. Delete it immediately. Learn how to recognize phishing

  • Messages that contain threats to shut your account down

  • Requests for personal information such as passwords or Social Security numbers

  • Words like “Urgent” false sense of urgency

  • Forged email addresses

  • Poor writing or bad grammar

  • Hover your mouse over links before you click on them to see if the URL looks legitimate. Instead of clicking on links, open a new browser and manually type in the address.

  • Don’t give your email address to sites you don’t trust. Please do not post your email address on public websites or forums.

  • Spammers often scan these sites for email addresses.

  • Do not click the “Unsubscribe” link in spam emails. It only informs spammers that your address is legitimate, which can result in you receiving more spam.

  • Understand that reputable businesses never request personal information by email. Please do not send personal information in email messages.

  • Please do not reply to spam.

  • Keep in mind that when replying to spam emails, the reply is unlikely to return to the original spammer, as the FROM header of the spam message is likely to be forged.

  • Do not share your password.

  • Be sure to log out.