I've gotten two direct emails from our CEO since I joined Avast in mid-June, and one of them was a phishing email. That's a 50% scam attempt rate right there.
Here are the two emails I've gotten:
- One email was framed as a personal note from our CEO, asking for my phone number so he could call and ask me a couple of questions. There were no links or attachments in the email.
- The other email was framed as a company announcement, and talked about fair business practices, code of conduct, and ethics. There was a PDF attached to the email, and some links within the body text.
In both cases, I applied additional scrutiny before taking any action. In both cases, I quickly told the good email from the bad.
I'm sure there are arguments both ways as to which one was the scam and which one was legit. There are risk factors in both emails. I myself wasn't sure until I spent 30 seconds looking at each. This story, however, does highlight why the CEO's name can be so powerful when it appears in your mailbox.
There is a slight thrill in getting an email from the leader of your business, especially if you don't get to intersect with them often. Initial reactions tend towards the helpful, wanting to get your executive whatever they need as quickly as possible.
Which brings me back to the two emails I've gotten. I had this same brief moment of thrill, but in both cases I knew to apply additional scrutiny.
Whenever I get a direct email from one of the company leaders, I ask myself the same four questions:
- Do I usually get direct email requests or communications like this from this person?
- Is the information or work they're asking for something I usually do as part of my day-to-day responsibilities?
- Are they asking me to share company IP (phone numbers, account logins, company bank data) via email?
- Are there multiple links and/or attachments in the email?
In both cases, the emails turned on my "Check Fraud" light.
Neither email spoke specifically to my primary job responsibilities. In one of the emails, there was a request for my business phone number.
Also, my CEO doesn't generally ask me for anything via direct email, and does not generally send company-wide communications in this manner. We do hear from the Executive Leadership Team in lots of different ways, mind you, I just hadn't seen this method before.
In a nutshell, two or more of the questions triggered my personal fraud alarm to come on, for both emails. Time to take a closer look!
Here's a simple method to use when it comes time to apply additional scrutiny. It worked in this case and has kept me out of all kinds of phishing trouble:
- I opened the email
- I right-clicked the email address and clicked to look at the contact card
- I looked at the sender email address to verify if it was a company account
In one of the emails, the sender address was from my company domain, and followed the email address pattern at my company.
In the other, the sender address was <randomstringofcharacters at randomdomain.io>
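The sender-address check above, plus the three questions that can be answered from the message itself (external domain, multiple links or attachments, a request for data that should not travel by email), as a small triage script. This is an added example, not code from the post or from Avast; it assumes `example.com` as a stand-in for the company domain, and the two messages are constructed samples modelled on the ones described above. One caveat the post's manual check does not cover: the `From` header can be forged, so the script also compares it with `Reply-To`.

```python
"""Triage an email the way the post describes: check the sender's domain,
count links and attachments, and look for requests for sensitive data.
Added example; the company domain and both sample messages are constructed."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: stand-in for the real company domain

# Phrases that hint the sender wants data the post says should not go out by email.
SENSITIVE_REQUESTS = ("phone number", "login", "password", "bank", "account number")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(address: str) -> str:
    """Lower-cased part after the last '@', or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze_email(raw: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Apply the post's checks to one RFC 5322 message and return the findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)

    links, attachments, body_text = set(), 0, []
    for part in msg.walk():
        if part.is_attachment():
            attachments += 1
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            body_text.append(text.lower())
            links.update(URL_RE.findall(text))
    body = " ".join(body_text)

    flags = []
    if from_domain != company_domain.lower():
        flags.append("sender outside company domain")
    # A From header can be forged, so a Reply-To pointing elsewhere is its own flag.
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append("reply-to domain differs from sender domain")
    if len(links) >= 2 or attachments:
        flags.append("multiple links or attachments")
    if any(phrase in body for phrase in SENSITIVE_REQUESTS):
        flags.append("requests sensitive data")

    return {
        "from": from_addr,
        "domain": from_domain,
        "internal": from_domain == company_domain.lower(),
        "links": len(links),
        "attachments": attachments,
        "flags": flags,
    }


# Constructed sample 1: internal address, no links, but asks for a phone number.
INTERNAL_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: me@example.com
Subject: Quick question
Content-Type: text/plain; charset="utf-8"

Could you send me your phone number so I can call you later today?
"""

# Constructed sample 2: CEO's display name, random address at an outside domain,
# two links and a PDF attachment.
EXTERNAL_SAMPLE = """From: Jane Doe <x7k2qv9@randomdomain.io>
To: me@example.com
Subject: Company Code of Conduct
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review https://randomdomain.io/conduct and https://randomdomain.io/ethics
--b1
Content-Type: application/pdf; name="conduct.pdf"
Content-Disposition: attachment; filename="conduct.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for label, sample in (("internal", INTERNAL_SAMPLE), ("external", EXTERNAL_SAMPLE)):
        print(label, analyze_email(sample))
```

Both samples raise at least one flag, which matches the post's point: the flags tell you to look closer, and the domain in the `From` address is what settles it.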
Can you guess which email was the scam and which was not? If you showed this blog post to your company employees, would they know?
The answer to the first question is simple. It doesn't matter which was the scam, because it really could have been either. It's what I did next that matters most.
The second question is stickier. As a former help-desk person, I saw a very wide range of tech sleuthing skills among my colleagues. Some of them would be able to spot the scam, and some wouldn't.
As part of Cybersecurity Awareness Month, we want to help you protect your company assets, especially if you have non-technical staff who might fall for a phishing attempt. Take a look at our easy-to-read phishing infographic and send it out to everyone in your company. No registration needed to download. We just want to help you protect your work family!