IQ Poster Security Awareness Series


End User’s Guide to a Clean Inbox

14.5 billion spam messages are sent every day in the U.S. That’s 45% of all emails sent.

COMMON TYPES INCLUDE:

Advertising: 36%
Adult-Related: 31.7%
Financial: 26.5%
Scams and Fraud: 2.5%

9 WAYS TO KEEP SPAM OUT OF YOUR INBOX

1. Junk the Junk: Delete junk emails before opening them, and disable automatic image download.

2. Use Your Email’s Built-In Spam Filter: These are included in most popular email services.

3. Choose a “Less-Guessable” Email Address: Spammers use sophisticated name-generating bots that churn out billions of possible email address combinations. Beat the robots and choose a complex or unusual email address.

4. Be Cautious When Giving Out Your Email Address: Do not post your email address on websites or social media profiles.

5. Get a Throwaway Email Address: Use this email when you only need an email address to post a message in a forum or join a group. There are many free, disposable email address services to choose from.

6. Use Anti-spam and Antivirus Software: There are many anti-spam protection services for individuals and businesses.

7. Train Your Spam Filter: Flag all spam that makes it through your filter.

8. Unsubscribe from Mailing Lists: Get rid of time wasters and declutter your inbox.

9. Never Reply to a Spammer: Your reply verifies your email is valid.

© 2019 Infosec. All rights reserved.


COMMON TYPES OF PHISHING ATTACKS

ACCOUNT VERIFICATION

• Appears to come from a well-known company like Netflix and asks you to sign in and correct an issue with your account
• Link points to a website pretending to be a company’s legitimate site and asks for your login credentials
• TIP: Do not click any links in the email — directly log in to your account by typing the address into your web browser. If you are unable to log in, contact the service using official contact information.

CLOUD FILE SHARING

• Contains a link to what appears to be a shared file on Google Docs, Dropbox or another file-sharing site
• Link points to a page pretending to be a file-sharing site and requests you log in
• TIP: Do not click any links in the email. Instead, log in to your account and find the shared file by name. Remember to verify sender identity and use established cloud file sharing services.

DOCUSIGN

• Comes from a domain similar to the DocuSign domain
• Link will prompt you to sign in to view the document, giving attackers control of your inbox
• TIP: DocuSign never attaches items to email — attachments are likely malicious. Instead, access documents directly at www.docusign.com.

FAKE INVOICE

• Contains a document presented as an unpaid invoice and claims service will be terminated if the invoice is not paid
• Targets individuals (by pretending to be a retailer) or businesses (by impersonating a vendor or supplier)
• TIP: Do not reply to the email. Contact the vendor/service directly using official contact information before submitting payment.

DELIVERY NOTIFICATION

• Appears to come from a popular delivery service (FedEx, UPS, etc.) or online retailer and includes a delivery notification with a malicious link or attachment
• TIP: Do not click links or open attachments in unexpected delivery notifications. Instead, visit the delivery service's official website and enter the tracking information, or call the delivery service's official phone number.

TAX SCAM

• Appears to come from a government tax revenue agency (e.g., IRS in the U.S.)
• Claims you are delinquent on your taxes and provides a means to fix the issue before additional fines or legal actions are pursued
• TIP: Never share personal or financial information via email. Only use official communication channels to contact revenue agencies.
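The DocuSign item above turns on "a domain similar to the DocuSign domain". The following is an added example (not the poster's own material, and not DocuSign's) of how a mail filter can make that judgement automatically: it compares the sender's domain with a short list of brand domains and reports a near-miss. The brand list (only www.docusign.com appears on the poster; the others are brands the posters name), the edit-distance cutoffs and the sample addresses are this example's own assumptions.

```python
"""Lookalike sender-domain check (added example, not part of the Infosec poster).

Implements the "comes from a domain similar to the DocuSign domain" red flag:
the sender's domain is compared with a short list of brand domains and a
near-miss is reported. The brand list, the edit-distance cutoffs and the
sample senders are this example's own assumptions.
"""

# Brands the posters mention; docusign.com is the one address the page gives.
BRAND_DOMAINS = {"docusign.com", "netflix.com", "dropbox.com", "fedex.com", "ups.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address, e.g. 'a@Mail.Example' -> 'mail.example'."""
    return address.rpartition("@")[2].strip().lower().rstrip(".")


def lookalike_verdict(address: str) -> tuple:
    """Return (verdict, reason) for a sender address.

    verdict is one of:
      'brand-domain' - the registrable domain is exactly a listed brand
                       (a forged From header can still show this; it is not proof)
      'lookalike'    - the domain resembles a brand but is not it
      'unrelated'    - no resemblance to any listed brand
    """
    domain = sender_domain(address)
    labels = domain.split(".")
    # Naive registrable domain: last two labels (adequate for the .com brands listed)
    registrable = ".".join(labels[-2:])
    if registrable in BRAND_DOMAINS:
        return "brand-domain", f"sender domain is {registrable}"
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    # Hyphen-separated tokens of every label: catches docusign.co, docusign-secure.example
    # and docusign.com.evil.example without matching 'ups' inside 'groups'
    tokens = {tok for label in labels for tok in label.split("-")}
    for brand in sorted(BRAND_DOMAINS):
        brand_sld = brand.split(".")[0]
        if brand_sld in tokens:
            return "lookalike", f"contains brand name '{brand_sld}' but is not {brand}"
        # Typosquat: within a couple of edits of the brand name (1 edit for short names)
        cutoff = 1 if len(brand_sld) < 6 else 2
        if levenshtein(sld, brand_sld) <= cutoff:
            return "lookalike", f"'{sld}' is within {cutoff} edit(s) of '{brand_sld}'"
    return "unrelated", "no listed brand resembles this domain"


if __name__ == "__main__":
    # Constructed sample senders for demonstration
    for sample in ("docs@mail.docusign.com", "docs@d0cusign.com", "docs@docusign.co",
                   "docs@docusign-secure.example", "someone@example.com"):
        print(sample, "->", lookalike_verdict(sample))
```

A "brand-domain" result only says the visible domain matches; the poster's advice to type the address into your browser rather than follow the link still applies, because the From header itself can be spoofed.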



SPAM EMAIL OR PHISHING ATTACK?

Use this guide to determine if unwanted emails in your inbox are phishing attacks or spam.

PHISHING ATTACK
• Wants your information: credit card number, password, bank account, etc.
• Often targeted: sent to a specific individual or group and contains relevant information, e.g., your name
• Includes malicious links to fake websites or malware downloads
• May contain malicious attachments
• Has a sense of urgency
• Should be deleted and reported

SPAM EMAIL
• Unwanted advertisements for products or services
• Always broad: sent to millions of recipients
• Includes links to mostly legitimate websites offering products or services
• Does not contain attachments
• Does not require immediate action
• Should be marked as spam and deleted

Some spam emails (2.3%) are also phishing attacks.

SHARED TRAITS

Unsolicited: You didn’t ask for the email
Harmful: Both either attempt to steal your information or waste your time
Illegitimate: Use techniques like spoofing to make it to your inbox

HOW TO RECOGNIZE A MALICIOUS ATTACHMENT

You received an email with an attachment. Do you download it? Follow these steps to make a safe decision.

READ WARNINGS

»» If your email service or antivirus software warned the attachment is dangerous, DO NOT DOWNLOAD!
»» Some hackers will "warn" you that you should ignore such alerts. This is a trick! NEVER IGNORE MALWARE ALERTS.

EXAMINE MESSAGE

»» Did it come from a legitimate source?
»» Does the content of the email look normal?
»» Would you expect an attachment from this sender?
»» If you answered NO to any of these, the attachment is likely MALICIOUS.

INSPECT FILE EXTENSION

Take a look at the file extension (the part that follows the dot). Be suspicious of the following extensions:

.EXE
»» DO NOT DOWNLOAD! This is an executable file.
»» Most email clients block .EXE attachments.

.ZIP, .7Z, .RAR and other archived files
»» Archiving is a common way to hide malware from antivirus.
»» Be extra suspicious of password-protected archives.

.DOCM, .XLSM, .PPTM
»» These documents contain MACROS, or scripts hackers often use to run malicious code.

UNKNOWN or MISSING EXTENSIONS
»» If you don't recognize the extension, DO NOT TRY OPENING THE FILE!

USE CAUTION

»» Even if a file is a simple DOC or PDF document, think twice before opening it.
»» If you can, contact the sender using an alternative channel (email or IM) to verify.
»» Use your email client's Preview feature before downloading.
»» Make sure that all software you use for viewing documents has the latest security patches installed.
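The INSPECT FILE EXTENSION step above is a rule set a mail gateway or help desk script can apply to attachment names. The following is an added example (not the poster's own code) that sorts a file name into the poster's buckets and also catches double extensions such as invoice.pdf.exe, which the poster's advice implies but does not spell out. The extension lists, the password-protected flag and the sample file names are this example's own assumptions.

```python
"""Attachment-name triage (added example, not part of the Infosec poster).

Applies the poster's INSPECT FILE EXTENSION step to an attachment file name:
executables, archives, macro-enabled Office files and unknown or missing
extensions are flagged, and plain DOC/PDF files get the poster's "use
caution" verdict. Double extensions are reported as well. The extension
lists below are this example's own and are not exhaustive.
"""

EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "ps1", "hta"}
ARCHIVE = {"zip", "7z", "rar", "gz", "tgz", "tar", "iso", "img"}
MACRO_ENABLED = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt", "csv"}
IMAGE = {"png", "jpg", "jpeg", "gif"}
BENIGN_LOOKING = DOCUMENT | IMAGE


def triage_attachment(filename: str, password_protected: bool = False) -> dict:
    """Classify one attachment by name.

    Returns {'verdict': 'block' | 'suspicious' | 'caution', 'ext': str, 'reasons': [str]}.
    password_protected is supplied by the caller (for example a gateway that saw an
    encrypted archive); it cannot be read from the file name itself.
    """
    # Strip any directory part, whichever separator was used, and normalise case
    name = filename.strip().lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    reasons = []
    if len(parts) < 2 or not parts[-1]:
        return {"verdict": "block", "ext": "", "reasons": ["no recognizable extension"]}
    ext = parts[-1]
    # Double extension: looks like a document or image until the final dot
    if len(parts) > 2 and parts[-2] in BENIGN_LOOKING and ext not in BENIGN_LOOKING:
        reasons.append(f"double extension .{parts[-2]}.{ext} hides the real file type")
    if ext in EXECUTABLE:
        reasons.append("executable file")
        verdict = "block"
    elif ext in ARCHIVE:
        reasons.append("archive can hide malware from antivirus")
        verdict = "suspicious"
        if password_protected:
            reasons.append("password-protected archive cannot be scanned")
    elif ext in MACRO_ENABLED:
        reasons.append("macro-enabled Office document")
        verdict = "suspicious"
    elif ext in BENIGN_LOOKING:
        verdict = "caution"  # poster: think twice even for a simple DOC or PDF
    else:
        reasons.append(f"unknown extension .{ext}")
        verdict = "block"
    return {"verdict": verdict, "ext": ext, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample names for demonstration
    for sample in ("invoice.pdf.exe", "Q3 report.docx", "figures.xlsm", "photos.zip",
                   "README", "setup.xyz", "C:\\temp\\scan.JPG"):
        print(f"{sample:20} -> {triage_attachment(sample)}")
```

The "caution" verdict is deliberate: the poster's last section says to think twice even about a plain DOC or PDF, so nothing is ever classed as safe on the strength of its name alone.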



9 BEC Attack Red Flags
Business Email Compromise

1. “Reply to” email address does not match “From” email address
   (poster illustration: from JaneDoe@gmail.com, reply-to JoePhish263@gma, truncated on the poster)
2. Vendor payment requests from a new email address
3. Vendor payment requests with new routing numbers and/or account numbers
4. Requests for payment at the end of the day, or before weekends and/or holidays
5. Requests for wire transfers to a new account
6. Any “urgent” or “confidential” requests for payment
   (poster illustration: MovieFLix <FlixMove_@gmail.com>: “Please update your payment method immediately. Click Here”)
7. Requests for payment without justification
8. Requests for payment to a personal account
9. Requests for payments of unusual amounts

The best way to stop a BEC attack is to evaluate every request for money or sensitive data carefully.
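Several of the red flags above are visible in the message headers and text, so a mail filter or a SOC triage script can raise them before anyone reads the request. The following is an added example (not the poster's own code) that checks a raw message for a "Reply-To" that does not match "From" (flag 1), a payment request from an address not seen before (flag 2), a payment request sent at the end of the day or before the weekend (flag 4), an "urgent" or "confidential" payment request (flag 6) and a payment request from a free webmail account (flag 8). The keyword lists, the webmail list, the time cutoffs and both sample messages are constructed for this example; the suspicious sample reuses the poster's MovieFLix sender with a placeholder reply-to address.

```python
"""Header-level BEC red-flag scoring (added example, not part of the Infosec poster).

Given a raw RFC 5322 message, report the poster's red flags that can be seen
in headers and text. Keyword lists, webmail list, time cutoffs and sample
messages are this example's own assumptions.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
URGENCY_WORDS = ("urgent", "immediately", "confidential", "asap", "right away")
PAYMENT_WORDS = ("payment", "invoice", "wire", "transfer", "routing", "account number")


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a 'Name <user@host>' header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (multipart-aware)."""
    if msg.is_multipart():
        return " ".join(body_text(part) for part in msg.get_payload())
    if msg.get_content_type() == "text/plain":
        return msg.get_payload(decode=True).decode("utf-8", errors="replace")
    return ""


def bec_red_flags(raw_message: str, known_senders=frozenset()) -> list:
    """Return the list of red flags raised by one message (empty list = none raised)."""
    msg = message_from_string(raw_message)
    flags = []
    from_hdr = msg.get("From", "")
    _, from_addr = parseaddr(from_hdr)
    from_domain = domain_of(from_hdr)
    reply_to = msg.get("Reply-To", "")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("reply-to domain differs from from domain")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    asks_for_money = any(word in text for word in PAYMENT_WORDS)
    if asks_for_money and from_addr.lower() not in {s.lower() for s in known_senders}:
        flags.append("payment request from an address not seen before")
    if asks_for_money and from_domain in FREE_WEBMAIL:
        flags.append("payment request from a free webmail address")
    if asks_for_money and any(word in text for word in URGENCY_WORDS):
        flags.append("urgent or confidential payment request")
    if asks_for_money and msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        friday_evening = sent.weekday() == 4 and sent.hour >= 16  # assumed cutoff
        if friday_evening or sent.weekday() >= 5:
            flags.append("payment request sent at end of day or before the weekend")
    return flags


# Constructed sample: the poster's MovieFLix sender, placeholder reply-to and date
SUSPICIOUS = """\
From: MovieFLix <FlixMove_@gmail.com>
Reply-To: JoePhish263@reply-to.example
To: you@example.com
Date: Fri, 26 Jul 2019 17:42:00 -0500
Subject: URGENT: update your payment method immediately

Please update your payment method immediately. Click here.
"""

# Constructed sample: a routine vendor message with nothing to flag
ROUTINE = """\
From: Accounts Payable <ap@vendor.example>
To: you@example.com
Date: Tue, 23 Jul 2019 10:15:00 -0500
Subject: July statement

Hi, the July statement is attached for your records. No action needed.
"""

if __name__ == "__main__":
    known = {"ap@vendor.example"}
    print("suspicious:", bec_red_flags(SUSPICIOUS, known))
    print("routine:   ", bec_red_flags(ROUTINE, known))
```

The list of known senders stands in for whatever history the accounts-payable team keeps; flags 3, 5, 7 and 9 (new bank details, wire to a new account, missing justification, unusual amounts) need that same vendor history and a human reading the request, which is why the poster's closing advice is to evaluate every request carefully rather than rely on a filter.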
