Have you received an email like this lately?
Sent: Thursday, January 31, 2019 7:45 AM
To: (Your name and email address)
Subject: Hi (your name)
Hi (your name) are you available? I need you to personally run a task for me ASAP. I'm caught up in meeting all day. Just reply to my email. Let me know if you can get this done for me right now.
Sent from my iPad
The sender does a good job of impersonating someone high enough up in your organization to get you to pay attention. For some recipients, the impersonation is convincing enough to get them to buy $2000 worth of fraudulent gift cards, initiate bogus wire transfers, and worse.
Let's take a moment and dissect this bogus message. And let's call it what it is: it's a phishing attack trying to get you to do something you'd regret.
First, using the example above, notice there are two parts to the From field:
- The name of the person: in this case, your boss's name
- The reply-to email address of the person: in this case, not your boss's real email address
Why split them this way? There are two reasons:
- The first is obvious: they want you to reply and continue carrying out their nefarious plan.
- The second is subtler: by responding to their message, you effectively add the bogus address to your contact list (in most email clients). This is valuable to them because, from this point forward, any time you write an email to your legitimate boss, this bogus address will auto-populate the To field, increasing the likelihood that you send that correspondence to the criminal. The criminal can then use that information to carry out another attack, impersonating someone the company trusts and using the same common, friendly language that someone else might fall for. Be sure to remove these addresses from your account!
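The mismatch described above (a trusted display name paired with an address that is not that person's real one) is something you can check mechanically rather than by eye. The script below is an added example, not part of the original post: it parses a constructed message modelled on the one quoted at the top of the page and flags the display-name impersonation, the Reply-To that differs from From, the untrusted domain a reply would go to, and the pressure language. The `EXECUTIVES` directory, the `TRUSTED_DOMAINS` set, and every name, address and domain in the samples are placeholders I made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted at the top of the post.
# Names, addresses and domains are placeholders, not real accounts.
PHISH = """\
From: Jane Boss <jane.boss@company.example>
Reply-To: jane.boss.ceo@free-mail.example
To: Sam Employee <sam@company.example>
Subject: Hi Sam
Date: Thu, 31 Jan 2019 07:45:00 -0500

Hi Sam are you available? I need you to personally run a task for me ASAP.
I'm caught up in meeting all day. Just reply to my email.
Let me know if you can get this done for me right now.

Sent from my iPad
"""

# Constructed benign message from the same person, for comparison.
LEGIT = """\
From: Jane Boss <jane.boss@company.example>
To: Sam Employee <sam@company.example>
Subject: Q1 report
Date: Thu, 31 Jan 2019 09:10:00 -0500

Sam, the Q1 numbers are in the shared folder. Thanks.
"""

# Hypothetical directory of people worth impersonating: display name -> real address.
# In a real deployment this would be fed from your directory service.
EXECUTIVES = {"jane boss": "jane.boss@company.example"}
TRUSTED_DOMAINS = {"company.example"}
# Pressure phrases taken from the style of message the post describes.
URGENCY_PHRASES = ("asap", "right now", "just reply", "are you available",
                   "caught up in meeting")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of (code, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # The address a reply would actually go to, and the one the mail client
    # would remember for autocomplete later.
    reply_target = reply_addr or from_addr
    findings = []

    # Display name belongs to a known executive but a reply would not reach them.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and reply_target.lower() != expected:
        findings.append(("display_name_impersonation",
                         f"'{from_name}' should reach {expected}, "
                         f"but a reply would go to {reply_target}"))

    # Reply-To header redirects replies away from the From address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(("reply_to_mismatch",
                         f"From {from_addr} but Reply-To {reply_addr}"))

    # Replies would leave the organisation's own domains.
    if domain_of(reply_target) not in TRUSTED_DOMAINS:
        findings.append(("untrusted_reply_domain", domain_of(reply_target)))

    # Two or more pressure phrases in a short body is a strong signal on its own.
    body = msg.get_payload().lower()
    hits = [p for p in URGENCY_PHRASES if p in body]
    if len(hits) >= 2:
        findings.append(("urgency_language", ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(raw))
```

The check keys on the address a reply would go to (Reply-To when present, otherwise From), because that is both where the money request ends up and what gets saved into your autocomplete list. A message that trips `display_name_impersonation` or `reply_to_mismatch` is the kind worth forwarding to IT before anyone replies.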
HOW TO REMOVE AUTOCOMPLETE ADDRESSES
- Be cautious when opening attachments or clicking links in emails. Even our friends' or family members' accounts could be hacked. Files and links can contain nasty stuff that weakens our security. If you don't know the sender or the sender's company, delete the email. Also, check the sender's actual email address (not just the name that displays). If the email address or domain name is unfamiliar to you, delete the email.
- Do your own typing. If a company or organization you know sends a link or phone number, don't click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.
- Make the call if you're not sure. Do not respond to any emails that request personal or financial information. Criminals use pressure tactics and prey on fear. If you think a company, friend or family member really does need personal information from you, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.
- Turn on Two-Factor Authentication. For accounts that support it, two-factor authentication requires both your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone or a random number generated by an app or a token. This protects your account even if your password is compromised.
- Keep IT in the loop. If you receive a phishing email (delete it!) or accidentally click on a malicious link, be sure to contact your IT Team (that's us if you are a partner) so we can take whatever action may be required.