Email Safety and Examining Domains
When I look back at my favorite blog posts, one sticks out in my mind: The Unexpected E-mail Needs More Scrutiny. Ideally, everyone is looking at every email in their inbox with some level of scrutiny. Even more so when the email asks them to open an attachment, visit a website, or reply/call. After all, these requests are the basis for phishing—leading you to take an action that isn’t in your best interest. Some phishing emails direct you to a fake website where your login or personal information is stolen. Others include an attachment that’s hiding malware, and some just want you to respond with personal information.
It can be hard to convince someone to examine every email in their inbox. It can feel understandably overwhelming. In the post, we lay out scenarios that really and truly require scrutiny: unexpected emails. Unexpected emails have a narrow definition. Unless your actions generated an email or the email comes with regularity, it’s unexpected. Period.
You ordered something from Amazon. Days later, you receive a notice that your order is delayed. Expected or unexpected? Although COVID-19 has caused supply chain disruptions, you probably expected a shipping notification, not a delayed shipping notification. In this situation, you should pause and verify before clicking links, viewing attachments, or replying/calling as requested.
Expected emails are those that you signed up for or generated with an action. You email a coworker, you get a reply. You order something online, you immediately get a receipt. You signed up for a daily newsletter, it comes at the same time every day, appearing in the same fashion. You can confidently interact with expected emails.
In our post Digital Literacy around Email Addresses, we lay out how to examine email addresses. If you receive an unexpected email from a sender address that isn’t familiar, it’s likely spam. Spam is unwanted but harmless email. However, if the sender is posing as someone you know or a company you recognize, it’s almost certainly a phishing attempt or other scam.
Examining email addresses requires some technical knowledge, so let’s take a closer look. Email addresses are set up as [mailbox] @ [internet property]. The internet property piece is the tricky part. Without knowing how internet properties are structured, you may fall for a lookalike domain. For example, irs.gov is not the same as irs-gov . com. If you’re getting emails from someone @ irs-gov . com, watch out. You’re being scammed. (We’ve added spaces to fake domains so that they don’t become active links.)
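The [mailbox] @ [internet property] split and the irs.gov versus irs-gov . com lookalike above can be checked mechanically. The following is an added example, not code from the blog: it splits a From: header into mailbox and domain, compares the domain against a constructed allowlist of expected senders (an assumption for this example), and flags domains that reuse a trusted domain's labels behind a dash or an extra dot.

```python
import re
from email.utils import parseaddr

# Constructed allowlist of internet properties you expect mail from
# (an assumption for this example; use your own expected senders).
TRUSTED_DOMAINS = {"irs.gov", "amazon.com"}


def sender_domain(header_value: str) -> str:
    """Return the [internet property] part of a From: value, lowercased.

    Accepts both 'mailbox@domain' and 'Display Name <mailbox@domain>'.
    """
    _display_name, addr = parseaddr(header_value)
    mailbox, at_sign, domain = addr.rpartition("@")
    if not at_sign or not mailbox or not domain:
        raise ValueError(f"not a usable email address: {header_value!r}")
    return domain.strip().lower().rstrip(".")


def _labels(domain: str) -> set:
    # Split on dots AND dashes so 'irs-gov.com' and 'irs.gov'
    # are compared label by label: {'irs', 'gov', 'com'} vs {'irs', 'gov'}.
    return {part for part in re.split(r"[.\-]", domain) if part}


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: value as 'trusted', 'lookalike' or 'unfamiliar'."""
    domain = sender_domain(header_value)
    # Exact match, or a real subdomain such as mail.irs.gov, is trusted.
    for trusted_domain in trusted:
        if domain == trusted_domain or domain.endswith("." + trusted_domain):
            return "trusted"
    # Lookalike: every label of a trusted domain appears in the sender's
    # domain, yet it is not that domain (irs-gov.com, irs.gov.example.com).
    sender_labels = _labels(domain)
    for trusted_domain in trusted:
        if _labels(trusted_domain) <= sender_labels:
            return "lookalike"
    # Unknown sender: treat as spam and verify before interacting.
    return "unfamiliar"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for header in ("noreply@irs.gov", "IRS Refunds <refund@irs-gov.com>",
                   "shipping@amazon-orders.com", "friend@someplace.example"):
        print(f"{header!r}: {classify_sender(header)}")
```

The label check only catches lookalikes built with dashes or extra dots; concatenated names such as amazonaws.com or homoglyph tricks are left as unfamiliar and still deserve a second opinion.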
The consequences of falling for a phishing scam can include loss of money, identity theft, and malware on your computer. It can lead to reputational damage for your organization. If you are faced with a questionable, unexpected email, seek a second opinion from your IT Help Desk. If you work in IT, be proactive by addressing email safety and phishing before it happens (it will happen!). Email safety in the time of increased virtual work is paramount. Here’s a guide you can distribute to your workforce: https://teachme.cybersafeworkforce.com/Email_Safety_Series2020.pdf