MS-ISAC: Phight the phish by learning to identify malicious emails

Key Takeaways

October is Cybersecurity Awareness Month, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) wants to help empower the community with information on how to combat a cyber-attack known as phishing. Phishing is when a cybercriminal sends an email that aims to trick the recipient into providing personal information or into becoming infected with malicious software that can steal such information or cause other forms of damage. The cybercriminal will often purport to be sending this email from a trusted or legitimate source, such as a known business or organization that you may commonly deal with.

Tactics used in phishing attacks commonly aim to lure you into opening attachments, responding with personal information, or clicking links that download malicious software or bring you to a fraudulent form for collecting your information.

Persuasive language and a sense of urgency are common ways that cybercriminals capture attention and accomplish their malicious goals. Common examples include fraudulent shipping notifications, false fraud warnings on your account, requests to verify information on your account, or offers that seem too good to be true. 

Below are a few steps you can take to identify and appropriately react to Phishing emails.

• Check the email address of the sender. Carefully examine if the sender’s email address is correctly spelled, as attackers commonly may use a special character or one-letter spelling mistake to approximate a legitimate looking email address.
• Hover over links to see where they really go. By hovering your cursor over a link, you can see the address it will really take you to rather than simply what the displayed text says. Avoid clicking shortened links, especially when received from untrusted sources, as they cannot be easily examined in this way.
• Avoid opening attachments. Don’t open attachments from untrusted sources and be wary of ones you are not expecting to receive from known contacts.
• Don’t share personal or private information over email. Especially do not provide such information in response to an unsolicited email you received.
• When in doubt, contact the real organization or sender! If you aren’t expecting the email, it asks for personal information or credentials, or it seems suspicious, contact the person or organization through known contact methods. For example, if the email states it is from your bank and they urgently need to speak to you, call them through the customer support line you have used in the past or is publicly listed, not via the method referenced in the email.
• Report phishing emails. Report suspicious emails received at work to your Information Technology (IT) help desk or contact. Emails you receive personally can always be reported to www.ic3.gov.

Additionally, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has created a guide linked below to educate people on how to identify, understand, and safely or securely react to such attacks. The link to other CISA Cybersecurity Awareness Month resources is also below:

• Phishing tip sheet
• Cybersecurity Awareness Month publications
• To learn more about being cyber secure, head to the link below to find the MS-ISAC’s Monthly Cybersecurity Newsletter that has materials on a number of cybersecurity topics. Sign up here