Email Safety Series: Verification
We’ve spent the last several weeks looking at all the steps involved in Email Safety. We’ve talked about scammer goals, finding out who actually sent an email, determining if an email is expected or unexpected, and identifying valuable information requests. And today, we’ve come to the final step in our Email Safety series: verification.
Let’s go back to our CyberBank example from part one of this series. Remember, you came across an email that appears to be from your bank. It says there has been a large debit from your account and to click the link to view or verify the payment. You know that no large payment was scheduled and you think it may be a phishing email, but you feel uneasy just the same. You want to be absolutely sure there has not been fraud on your account. Should you click to verify? Absolutely not. What about that urgent email your boss sent requesting everyone’s W-2s in part four? Should you reply to confirm that’s what she really wants? Again, no way.
When we talk about verification, we mean confirmation of a request that is totally independent of the suspicious message. This means we do not click any “verification” links, reply to the “boss,” or use any contact information in the email to authenticate the request.
If the CyberBank email is a phishing attempt, links in the email would go to a fake website that might steal your login information or infect your computer with malware. Similarly, a reply to the email requesting W-2 information wouldn’t go to your boss, but to a scammer posing as your boss, who would only try to scam you further. And any phone number in a suspicious email would put you in contact with the scammer.
When you receive a suspicious email that contains a link, attachment, or request for valuable information, verify before you supply. If the email is from CyberBank, find the customer service phone number on the back of the card and give them a call. If it’s a message from your boss, dial her extension or use a previously saved contact. If it’s a vendor, check an old vendor invoice or search the web for the company’s phone number.
When money is being disbursed, consider putting controls in place. Two sign-offs (where two separate individuals must approve the transaction) or verification phone calls are options that can protect your organization from fraud. Spreading awareness about scams that take advantage of quick turnaround requests or boss-employee dynamics can also help. Remember that any request asking to circumvent the process is a giant red flag (and not just of a potential scam).
Does your organization have a verification process? If you don’t know, now is a good time to bring it up with your supervisor.