Recognizing Malicious Emails

When someone takes over a legitimate email account and uses that account to send malicious emails, that's called Business Email Compromise. These emails are the hardest to stop and detect because they usually appear to be from someone you know and trust because they are, in fact, from their email account. These accounts get taken over when someone has gotten the login information for the compromised account, they've signed in, and are using that account for their own practices. 

When you receive an email from a compromised account, it usually has a couple clear tell tale signs that it's a fake. Here's how to spot them:

• There's almost always a link
• The link almost always takes you to a page requesting login information
• It seems off and non-typical
• You didn't request it
• Check for bad grammar and spelling errors. Many of these people use a translator app and English isn't their first language

If you've gotten a BEC email, or one that you suspect is a BEC email, what should you do?

1. Verify that it's not legitimate
1. If you get an email from someone that just seems off, use out-of-band communication to contact them. Do NOT email them back and ask "Is this real?" or use the phone number on the signature. If their email is compromised then of course they will say "Of course it's legit," and the signature phone numbers are usually changed as well. 
1. Call the phone number of the person if you have one on file, or call their company's main number
2. Text them, fax them, or email someone else at their office. Use something other than that email address to contact the person. This is what we mean by "out-of-band" communication. 
2. ​Examine links in the file. If it says it goes to a Word document, does the link go to OneDrive or SharePoint? Also, just because it does, doesn't mean you should go there, but that's a good way to tell if it's spam. 
   
1. Here's a great site to see where a link actually goes: https://wheregoes.com/ 
   
2. Find out who else in your company has also received the email and warn them, especially if it's really tricky. Warn your colleagues or contact your IT department about the scam. It just takes one person to give your company a really bad name. 
3. Delete the email. Or if you're feeling like you want to have some fun, email the person back and see how long they'll talk with you. Maybe you can get them to wire you some money :-)

Sometimes the email isn't from someone you know, and they try to convince you to click a link, wire money, or the like anyway. Let's look at some types of these scams, why they happen, and how to respond. These are a different category because these usually are not legitimate accounts, but they appear legitimate. 

A common trick out there is to change the "From" name of an email address. If your boss's name is Jane Smith and their email is jane@company.com, a spammer can change their name to be "Jane Smith" even though their email is jane@anotheremail.com. This is usually a good trick and most people don't pay attention to the whole email address. Here are the tell tale signs of these:

• Check the actual email address
• Eventually they will ask you to send gift cards or some strange financial request (think wiring money)

There's really no limit to the ways scammers will try to blackmail you. My neighbor was scammed by a company she was trying to return something she'd purchased and they said they had to get on her computer and check her bank accounts to verify the purchase... well... that wasn't all they were doing. Here are some common ones:

• I'm a destitute person in [name of third-world country] and I need help
• I have your email and password and I have sensitive information about you i'm going to publish if you don't pay me
• I have naughty pictures of you and I"ll release them if you don't pay me (sometimes this one is along with the one above)
• We could run away together, I just need some money to come visit

This may come as a shock, but you probably aren't that lucky to win the lottery or that car, or whatever else they're selling. Don't fall for it and don't click the links!

Besides the signs of scammers mentioned above, there are usually a lot of other signs you can look for too in scammers emails:

• Poor use of the English language. English is usually not their native tongue and so an easy way to tell a scam is by how they handle the complex language:
• Bad grammar

• Bad spelling
• Weird phrasing
• ​Check for links. It's a good idea to check any link before you click on it. Does it actually go where it should? When it's asking for a login to Microsoft, are you actually on a Microsoft web page?
• This is a great tool to check links: https://wheregoes.com/
  

Sometimes we all make mistakes and sometimes we realize our mistake right after we make it. If you've fallen for a BEC scam here's what you do:

• Don't really need to do anything. You just sent them a message and engaged them. Just delete their future emails to you.

• Reset your password immediately
• Reset any other accounts that use that same password
• Make sure your account isn't forwarding emails to an unknown email account. This is a common tactic if an email has been compromised, then they can map out your organization long-after you've changed your password
• Make sure you don't have an auto-reply you don't recognize

• Disconnect your computer from any network connections (WiFi and/or Ethernet)
• Reset your computer and start over or rollback your computer to a backup before you ran the program
• If you downloaded a file but didn't open it. Delete the program/file and run a virus scan. You may still need to reset your computer, but you may also be fine.

If you made it this far with someone, they're probably after your money and it's a simple scam to that extent. I would do the same thing as the program downloaded and run. 

So, what if we just made some changes that stopped spammers in their tracks and made it much fore difficult to fall for these things in the first place? Here are some ideas that will help you be less impact if you fall for spam, and hopefully make you less likely to get it.

• Use Multi-Factor Authentication for your email account
• Disable Auto-Forwarding in your email account (You have to be an admin to do this, but it's a really good idea)
• Deploy an advanced anti-virus on your computer. This advanced anti-virus should be doing active scanning of any downloads
• Deploy a password manager for you and your team
• Create alerts for emails that are "Faking the From" so people in your company can more easily recognize them