The modern-day internet is absolutely fraught with danger, especially when it comes to email. By far the most common attack is called phishing. Phishing is an attack where the perpetrator contacts the victim pretending to be someone else and asks them either to provide sensitive information, such as usernames and passwords, credit card and other account numbers, or social security numbers, or to download malicious software.
According to research by Google, 45% of phishing attacks in 2015 were successful. According to separate research by McAfee Labs, the McAfee Labs Threats Report: August 2014, 80% of business users were unable to identify at least one of the seven most common phishing emails. These are very scary numbers that showcase two primary challenges in protecting companies from being hacked: implementing policy-based controls and ensuring proper end-user training. This article covers some of the things end-users can do to ensure they do not provide sensitive information to the wrong people.
In most cases the really bad spam messages appear at first pass (and sometimes at second and at third) to be from a legitimate sender, such as another employee, a client or a vendor. Here are some of the telltale signs that you are being scammed/spammed/phished:
What are you asked to do?
a) Are you being asked to provide sensitive information via email?
No one from a legitimate organization will ask you to email them confidential information in the email itself, such as your account number, SSN, etc.
b) Are you being directed to a website to fill out a form with this information?
– Check the website’s primary URL. Any major US-based company is going to direct you to:
• A secure website (starts with https://)
• The website address will contain a verification tag from a certification authority, e.g.
Are you being asked to fill out a form or open a file?
– DO NOT. Contact the person or the organization the email purports to be from and review the email and its content with them.
– When contacting them, do not use any of the numbers in the e-mail. Use a known number for the organization, such as the bank’s phone number on the back of your credit card, the helpdesk phone number your employer provides you with, or the client/vendor contact information you have in your contact list/rolodex.
Check the “sent from” address
Message headers contain details about the message, including the correct sender’s information, the recipient’s information and the servers that handled the transmission among other things. IT IS EXTREMELY DIFFICULT TO FORGE THIS INFORMATION.
Checking the headers is done to complete the identification process. It is our recommendation that this is done when dealing with messages requesting a financial transaction to be performed, such as a wire transfer.
A message header usually looks something like this:
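As an added illustration, not part of the original article: the Python sketch below embeds a constructed set of headers (placeholder domains and documentation IP addresses), lists the servers that handled the message, and flags a Reply-To domain that differs from the From domain along with any sender-authentication result that is not a pass. The `trusted_authserv` value and every address in the sample are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (placeholder domains, documentation IP addresses).
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.recipient.example with ESMTPS id ABC123;
    Mon, 01 Jan 2024 10:00:02 +0000
Authentication-Results: mail.recipient.example;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none; dmarc=fail header.from=example.com
Received: from sender-host.example.net (sender-host.example.net [198.51.100.7])
    by mx.example.org with ESMTP id XYZ789; Mon, 01 Jan 2024 10:00:00 +0000
From: "Accounts Payable" <ceo@example.com>
Reply-To: <ceo.example@freemail.example>
To: alice@recipient.example
Subject: Urgent wire transfer

Please wire the funds today.
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review_headers(raw, trusted_authserv="mail.recipient.example"):
    """Return (findings, hops) for a raw message; hops are listed oldest first."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Only trust Authentication-Results stamped by our own mail server
    # (trusted_authserv is an assumed name); a sender can insert fake ones.
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() == trusted_authserv:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    # Each server prepends its Received line, so reverse to read the path in order.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    return findings, hops
```

Call `review_headers()` on the raw source of a message saved from your mail client, passing the name your own mail server writes at the start of its Authentication-Results header.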