Every email message you receive should be examined for legitimacy and context. Many messages pass this test easily – a note from a colleague about legitimate business activity, or a reply to or forward of an existing conversation. Others fail it just as easily – a message from an unknown sender, with grammar mistakes, consisting of nothing but an attachment or a web link. The hard cases sit in between – a message from a friend or colleague you correspond with regularly that contains only a link or an attachment. Some cybercrime perpetrators go to great lengths to make their malicious emails look legitimate, precisely to lull the recipient into a false sense of security.

If you have any doubt about a message, it is always safest to stop and verify. Contact the purported sender through a channel you already trust (a phone number or address you have on file, not one taken from the suspicious message itself), or have your IT department assess the message. If, at any point, you suspect that you have opened a malicious email or attachment, stop what you are doing, take your computer off the network (disconnect from wireless or unplug the network cable), and consult your IT department for assessment. Disconnecting is preferable to powering the machine off: shutting down destroys evidence in memory that IT may need to determine what happened, so turn it off only if you cannot disconnect it. If you become aware that malware is spreading by sending infected email from your account, warn your contacts as soon as possible so they know not to open any further messages from your address until further notice – and do so from a different account or by phone, since mail from the compromised account is exactly what you are warning them about.

Assessing an email for safety means examining each of the key parts of the message: sender, recipients, subject, body, and attachments. Clues to a potentially unsafe message can appear in any of them. Some messages show clear signs; for others you will need to add up minor questions across several parts before deciding whether to verify the message or discard it entirely.

Sender: Most messages come from an individual sender; others come from a generic address belonging to an organization. The first question is whether you know the sender – someone you have corresponded with before, an organization you deal with, or an individual or organization you would expect to hear from. Look at more than the display name: the actual address is either shown alongside the name or revealed by clicking on the name in the header. Check that the address matches what you would expect: an email from Suzie Jones should not come from ajerzssyz123@, and an email claiming to be from Bank of America should not come from info@bankamerica.co.ru. Also check the Reply-To address if your client shows it; a reply that would go somewhere other than the sender is a warning sign. Recognizing the sender is not a guarantee of safety, either. Display names are trivially forged, and much malware propagates by reading the infected user's contact list and sending infected messages to every address in it, so mail from a real, known account can still be malicious. That is why the entire message must be assessed.

Recipients: Generally you should see your name/email address in the list of recipients. Some messages use blind carbon copy (BCC) to mask recipients, either as a security measure to prevent harvesting of email addresses, or for privacy to prevent recipients from seeing who was on the distribution. For messages with other recipients, check to see if the others seem legitimate. Red flags include seemingly random recipients, recipients in your organization that you are unfamiliar with, or recipients in your organization that you know have long since left the organization.

Subject: It is best practice to include a subject with all messages. A concise subject allows the recipient to get an idea of what the email is about, and allows them to triage messages according to importance. Subject red flags include no subject, grammar/spelling mistakes, a lack of context (when compared to the body), sensational/leading verbiage (Open this immediately; Check this out).

Body: The body of an email carries the most information from which to identify red flags. Like the subject, the body should generally not be blank. Grammar and spelling errors or a lack of context are key red flags, and a body consisting only of a web link is a major one. Hovering over a link in an email (or long-pressing it on a phone) shows the actual address you will be sent to if you click it, which may differ from the text displayed; what matters is the domain of that actual address, not the words on the link. Compare it with the site you expect, and watch for lookalikes such as an extra word, a swapped letter, or the real name buried inside a different domain. For emails from organizations such as banks, you can generally reach the same information by going to the organization's website manually: instead of clicking the link to the purported Bank of America support site, browse to the bank's website yourself and find the page there. Be especially cautious of any message asking you to "click here to verify your account", particularly if it is unexpected. Many sites, particularly banking and credit card sites, publish a dedicated address to which you can forward suspicious email. Using Bank of America as an example again, you can forward a suspicious message to abuse@bankofamerica.com; they assess the validity of the message and respond with their determination.

Attachments: Every email system should scan messages for known malware, and your computer should also be running current anti-virus and anti-malware software that scans files as they arrive or are run. Unfortunately, anti-virus software is largely reactive: it can only detect and act on malware it already has a signature for. New malware, and new variants of existing malware, appear every day. It can take a day or more for your anti-virus program to receive updated definitions for a new sample, and it will never detect something that is not in its database. Furthermore, anti-virus software often cannot look inside archives: an encrypted or password-protected ZIP cannot be scanned at all, which is why attackers send malicious files that way and put the password in the body of the message. Be critical of any non-standard attachment; in most circumstances, attachments will be Microsoft Office documents, PDFs, and images. Note that "standard" does not mean "safe" – macro-enabled Office documents and PDFs are among the most common malware carriers, and a file named like invoice.pdf.exe is a program, not a PDF (Windows hides known extensions by default, so the name may be displayed as just invoice.pdf). For any attachment you feel secure enough to open, first save it to your hard drive (outside of the email) and manually scan it according to the procedure for your anti-virus program. It is important to note that different malware produces different symptoms. Some slows your machine down, generates pop-ups, or sends out email to replicate itself. Other malware lurks in the background indefinitely with no visible impact on your computing, logging your keystrokes and activity and sending them off for further malicious use. Just because nothing catastrophic happened when you clicked a link or opened an attachment, do not assume you are in the clear.
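The checks described under Sender, Recipients, Subject, Body, and Attachments can be run mechanically, which is a useful way to see what each one actually tests. The following is an added example, not tooling from the article or from Melanson Heath: it applies the checklist to a message built with Python's standard email library. Both sample messages, the domain melansonheath.example, and every address in them are constructed placeholders, and the domain comparison is a deliberately crude "last two labels" rule that is enough to expose the lookalike cases discussed above.

```python
"""Mechanical version of the sender / recipients / subject / body / attachments
checklist.  Added example; sample messages and all addresses are constructed."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the article calls "standard" (still not safe by themselves).
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".png", ".jpg", ".jpeg"}
# Executable or container types that should not arrive unannounced.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk",
                    ".iso", ".zip", ".docm", ".xlsm"}
URLISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
URGENT = re.compile(r"\b(immediately|urgent|open this|check this out|verify your account)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name; crude, but enough to spot lookalikes here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _addresses(msg, header):
    h = msg[header]
    return [a.addr_spec.lower() for a in h.addresses] if h is not None else []


def triage(msg, own_address, known_senders):
    """Return the list of red flags found in an EmailMessage; [] means none found."""
    flags, known = [], {s.lower() for s in known_senders}

    # Sender: expected address?  Display name hiding another address?  Reply-To elsewhere?
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0] if addrs else None
    if sender is None:
        flags.append("sender: no From address")
    else:
        if sender.addr_spec.lower() not in known:
            flags.append(f"sender: unexpected address {sender.addr_spec}")
        if "@" in sender.display_name and sender.display_name.lower() != sender.addr_spec.lower():
            flags.append(f"sender: display name '{sender.display_name}' hides {sender.addr_spec}")
        for reply in _addresses(msg, "Reply-To"):
            if registrable_domain(reply.split("@")[-1]) != registrable_domain(sender.addr_spec.split("@")[-1]):
                flags.append(f"sender: Reply-To {reply} diverts replies to another domain")

    # Recipients: are we visibly addressed, or hidden in a BCC blast?
    if own_address.lower() not in _addresses(msg, "To") + _addresses(msg, "Cc"):
        flags.append("recipients: your address is not in To/Cc")

    # Subject: missing, or pressure wording.
    subject = str(msg["Subject"] or "").strip()
    if not subject:
        flags.append("subject: empty")
    elif URGENT.search(subject):
        flags.append(f"subject: pressure wording '{subject}'")

    # Body: empty, bare link, or link text that names a different site than the href.
    html_part = msg.get_body(preferencelist=("html",))
    links = []
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        links = collector.links
    text_part = msg.get_body(preferencelist=("plain",))
    plain = text_part.get_content().strip() if text_part is not None else ""
    if not plain and not links:
        flags.append("body: empty")
    elif plain and " " not in plain and URLISH.match(plain):
        flags.append("body: contains only a link")
    for href, text in links:
        shown, real_host = URLISH.match(text), urlparse(href).hostname or ""
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            flags.append(f"body: link shows '{text}' but goes to {real_host}")

    # Attachments: unexpected types and double extensions such as invoice.pdf.exe.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment: risky type {name}")
        elif ext not in EXPECTED_EXTENSIONS:
            flags.append(f"attachment: non-standard type {name}")
        if len(pieces) > 2 and "." + pieces[-2] in EXPECTED_EXTENSIONS:
            flags.append(f"attachment: double extension {name}")
    return flags


def build_phishing_sample():
    """Constructed lookalike-bank message: deceptive link, foreign Reply-To, disguised .exe."""
    m = EmailMessage()
    m["From"] = '"Bank of America" <info@bankamerica.co.ru>'
    m["Reply-To"] = "replies@mailer-free.example"
    m["To"] = "alice@melansonheath.example"
    m["Subject"] = "Open this immediately"
    m.set_content("Please verify your account.")
    m.add_alternative('<p>Please log in at <a href="http://bankamerica.co.ru/verify">'
                      'www.bankofamerica.com</a></p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="statement.pdf.exe")
    return m


def build_clean_sample():
    """Constructed ordinary internal message for comparison; should raise no flags."""
    m = EmailMessage()
    m["From"] = "Brian Linden <brian@melansonheath.example>"
    m["To"] = "alice@melansonheath.example"
    m["Subject"] = "Q3 audit workpapers"
    m.set_content("Alice, the Q3 workpapers are attached, as discussed on Monday.")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="q3-workpapers.pdf")
    return m


if __name__ == "__main__":
    for flag in triage(build_phishing_sample(), "alice@melansonheath.example", ["brian@melansonheath.example"]):
        print(flag)
```

Run against the constructed phishing sample, the script reports the unexpected sender, the Reply-To pointing at a different domain, the pressure wording in the subject, the link whose visible text says www.bankofamerica.com while the href goes to bankamerica.co.ru, and both the risky .exe and the double extension on statement.pdf.exe; the clean internal message produces no flags. None of these checks is a verdict on its own – the point of the article is to add them up – and a known sender passing every check still says nothing about a compromised account, which is why the body and attachments are inspected regardless of who sent the message.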

In closing, nobody is invincible; anybody can get malware or suffer a data compromise, and it is neither shameful nor a sign of a lack of intelligence. The key is to stay educated on evolving best practices, to know how to identify suspicious content or activity, and to take appropriate action to mitigate an issue quickly. An ounce of prevention is worth a pound of cure. "Wasting" a few minutes verifying is far less costly than blindly trusting a message or ignoring warning signs, then suffering the consequences of an infection or a data compromise.

Brian Linden
IT Manager
Melanson Heath