I received an email at work today. It came from a real person, from a real person’s email address, but there was a PDF attachment I hadn’t asked for, the receiving addresses were all BCC’ed, and there was one subtle typo in the body of the text. I looked up this person’s phone number, and called to ask about this. You can guess the result.
Someone had compromised this person’s email and had bulk sent this poisonous bit of malicious code to their whole contact list.
Now, we all know what to look for when it comes to phishing/spam/attacks in email. Look at the sending address – is it someone you know? Does it match the name? Look at the subject line – does it make sense? Look at the body of the message – are there typos? Is it vague? Does it reference something you think you should know about, but don’t? Look at the attachments – did you ask for them? Look at the time stamp – was it sent at an odd time?
Now, because of recent experience, I know to call the person directly. Sending a “did you send this?” reply to a compromised email account doesn’t do any good, as the attacker can now impersonate the original sender and confirm it: “of course, this is that thing we talked about recently, right?”
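The checklist above (sender, subject, body, recipients, attachments, timestamp) is the kind of thing a mail gateway or a quick triage script can score before a human ever opens the message. The following is an added example, not code from the original post: it parses a raw RFC 5322 message with Python’s standard `email` library and flags each checklist item that looks off. The address book, the vague-phrase list, the attachment types, the business-hours window and both sample messages are constructed for illustration; the “poisoned” sample mirrors the post (real contact, real address, BCC-only, unsolicited PDF, odd hour) and so scores high even though the sender check passes.

```python
"""Heuristic triage of a raw email against the checklist from the post.

Added example, not the author's code. The address book, scoring lists and
sample messages below are constructed for illustration only.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Constructed address book: who we expect mail from, and from which address.
KNOWN_CONTACTS = {
    "alice example": "alice@example.com",
}

# Phrases a vague "just open this" message tends to lean on (heuristic only).
VAGUE_PHRASES = ("see attached", "please review", "as discussed", "open the document")

# Attachment types we treat as unsolicited payload carriers unless expected.
RISKY_ATTACHMENT_TYPES = ("application/pdf", "application/zip", "application/octet-stream")


def triage(raw: bytes, business_hours=(8, 18)) -> dict:
    """Return {'score': int, 'reasons': [...]} for one raw message.

    Each reason maps to one checklist item; higher score = more suspicious.
    The sender check deliberately passes for a genuinely compromised account,
    which is exactly why the other signals matter.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    # Sender: does the display name match the address we have on file?
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected is None:
        reasons.append("sender not in address book")
    elif expected.lower() != addr.lower():
        reasons.append(f"display name '{name}' but address {addr} differs from {expected}")

    # Subject: missing or too short to mean anything.
    subject = (msg.get("Subject") or "").strip()
    if len(subject) < 4:
        reasons.append("subject missing or trivially short")

    # Recipients: no visible To/Cc usually means a BCC blast to a contact list.
    if not msg.get("To") and not msg.get("Cc"):
        reasons.append("no visible recipients (BCC-only send)")
    elif "undisclosed" in (msg.get("To") or "").lower():
        reasons.append("undisclosed recipients")

    # Body: short text that only points at the attachment.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip().lower() if body_part else ""
    if any(p in body for p in VAGUE_PHRASES) and len(body) < 120:
        reasons.append("vague body that only points at the attachment")

    # Attachments: unsolicited documents are the delivery vehicle in the post.
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in RISKY_ATTACHMENT_TYPES:
            reasons.append(f"attachment {part.get_filename()!r} of type {ctype}")

    # Timestamp: sent outside the sender's working hours?
    date_hdr = msg.get("Date")
    if date_hdr:
        sent = parsedate_to_datetime(str(date_hdr))
        if not (business_hours[0] <= sent.hour < business_hours[1]):
            reasons.append(f"sent at {sent.hour:02d}:00, outside business hours")

    return {"score": len(reasons), "reasons": reasons}


def build_poisoned_sample() -> bytes:
    """Constructed message mirroring the post: real contact, BCC-only,
    vague body, unsolicited PDF, 3 a.m. timestamp."""
    m = EmailMessage()
    m["From"] = "Alice Example <alice@example.com>"
    m["Subject"] = "Document"
    m["Date"] = "Tue, 03 Mar 2020 03:14:00 +0000"
    # No To/Cc header at all: everyone was BCC'ed.
    m.set_content("Hi, please review the attached, as discussed. Thanks!")
    m.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                     maintype="application", subtype="pdf", filename="report.pdf")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed control message from the same contact that should score 0."""
    m = EmailMessage()
    m["From"] = "Alice Example <alice@example.com>"
    m["To"] = "bob@example.com"
    m["Subject"] = "Q1 report draft"
    m["Date"] = "Tue, 03 Mar 2020 10:30:00 +0000"
    m.set_content(
        "Hi Bob, the Q1 report draft we talked about on Monday is on the shared "
        "drive under Reports/2020. Let me know if you want changes before Friday."
    )
    return m.as_bytes()


if __name__ == "__main__":
    for label, sample in (("poisoned", build_poisoned_sample()), ("clean", build_clean_sample())):
        result = triage(sample)
        print(label, result["score"], *result["reasons"], sep="\n  ")
```

Note that the scorer is only a tie-breaker for a human decision: a compromised account passes the sender check by definition, so the design leans on the recipient, body, attachment and timing signals, and anything that scores above zero still ends in the out-of-band phone call the post describes.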
And that’s only one part of the attack on email. Have you ever gotten a newsletter by email that you’re sure you didn’t subscribe to, and absentmindedly clicked that “unsubscribe” link? Keep your eyes peeled for that one.
So okay, we all know the signs, and we’re getting better about catching ourselves before we blindly infect our machines with malevolent sneakware. But what does this mean for legitimate communications?
If I, as a business, want to send links or PDFs or some other legitimate business collateral out via email, I have to wonder just how many people are becoming accustomed to trashing everything they don’t immediately recognise. In a world where emails can be fully compromised, every link can infect your whole organization, and no one trusts their email, how do you communicate effectively?
Let’s say I complete a report, or want to run a survey, or share an article I’ve written. How can I become a trusted source, knowing that someone, at some given time in the future, might try to compromise my systems and take advantage of my good name?
Do we need to encourage people to look up the legitimate sources on their own? Do my emails now read “please complete this survey by going to my website – but I won’t provide you with a link, you’ll have to find it yourself”? Do I encourage everyone to call me in person before they open any attachments from me? Do I include a line in my signature that says “I do not send unsolicited files or links”?
Email has been an integral part of corporate communications for as long as it’s been commercially and readily available – but have we come to a place where we simply can’t trust it anymore?