Skip to main content

Protect Yourself From Sophisticated Email Attacks

Learning Objectives

After completing this unit, you’ll be able to:

  • Define the unique security threats targeting executives.
  • Identify key signs of sophisticated phishing emails.

Why Are Executives a Target?

Executives are often valuable targets for adversaries because they are more likely to hold valuable information, such as confidential company secrets and financial data, and they have more authority, such as access to funds and decision makers. 

For these reasons, attackers are highly interested in targeting executives. They put in time and effort to research their targets in order to better understand their background and behavior. They use the information they gather to launch sophisticated attacks against them or their family, friends, and organizations, through a variety of means. One of the most common and concerning types of attacks is through email. Let’s dig into this.

Using Email to Target Executives

Let’s say you’re an executive and are very busy keeping your organization secure through the decisions you make and your actions day to day. In the course of your everyday business, you trust the contents of the emails you receive and the people you communicate with. Attackers can take advantage of this trust by compromising your email account, impersonating you, spreading malware in your network, or accessing confidential information about you or your customers.

Attackers use phishing emails and websites that look legitimate to trick users into providing personal information. Even savvy executives fall for phishing attacks. Phishing attacks can target both your personal and your business email. Awareness of the types of phishing emails can help you remain vigilant against these attack vectors.

Spear Phishing 

Spear phishing occurs when attackers use a bogus email from an apparently trusted sender to try to trick you into revealing confidential information. The methods are similar to regular phishing, but the attackers target high-value organizations and victims, and gather personal information about them that they use in the attack. Administrative support staff, as well as family and friends, can also be targeted or a source of email compromise through phishing and other types of attacks. 

Whaling

Whaling is similar to spear phishing, occurs when attackers target executives at the C-suite level.

An executive is sitting at her desk examining a whaling email on her computer.

Business Email Compromise

Business email compromise (BEC) is a fraud tactic where threat actors impersonate executives, typically CEOs and chief financial officers (CFOs), to entice company employees into transferring money from corporate accounts to criminals in the form of wire transfers, payroll diversion, or gift cards. The US Federal Bureau of Investigation (FBI) reports that BEC scams have resulted in losses of more than $2 billion USD. In a BEC scam, the attacker impersonates the executive’s email address to compromise an employee. The executive’s name appears as the display name in the email, while the true sender can use a domain name that’s similar enough to trick a busy employee. The fraudster instructs the recipient to make a transfer to a bank account under their control. In doing so, the employee can inadvertently reveal company banking information when making the transfer, which puts the company at risk for additional financial losses. To protect from this type of attack, you and your team should always verify the email sender’s full email address, regardless of what the delivery name says. Your organization can also have technical controls in place to catch these emails before they reach the victim. If you or one of your team members receives a suspicious message, contact your organization’s security team.

Mobile Devices

Mobile devices can be used like email to dupe victims into divulging personal information, clicking malicious links, or downloading malware. An attacker can start the conversation via email and then ask for the victim’s phone number to move to an encrypted texting platform such as Signal or Telegram, where security teams cannot track their actions. 

Malicious Mobile Applications

Malicious mobile applications are mobile applications that compromise the confidentiality, integrity, and availability of your device. Google’s Play Store and Apple’s App Store both vet apps before they make them available, but their systems aren’t perfect. Apps downloaded or purchased from secondary markets offer little to no vetting at all. Malicious apps can masquerade as legitimate apps, but their behavior is similar to malware on a computer: stealing passwords and account information, planting backdoors on your device, recording or making phone calls, or taking screenshots. Even default settings on legitimate apps can have unintended consequences. These settings can collect and send data about you and your device to the app’s creators and third parties, including owner information and global positioning system (GPS) coordinates. They can grant access to the device microphone, camera, photos, calendar, and contacts. Protect yourself by double-checking the permissions on the application and only give applications the permissions they absolutely need to function properly. If an application asks for more information than is necessary, avoid it.

How can you spot a malicious email or text when attackers use such clever techniques? Take the following several steps before opening, replying to, or downloading any content in an email or text you receive.

  • Check the sender carefully. Attackers usually use a variation of legitimate email addresses or phone numbers.
  • Ask yourself if the email makes sense. If something seems off, trust your gut. Check the greeting, ending, writing style, spelling, and grammar. Does this fit the contact’s usual writing style? If the email or text seems suspicious, contact the sender using a known phone number or other trusted channel to verify its authenticity. Don’t trust phone numbers provided in the email, as these may have been spoofed as well.
  • Don’t be fooled by logos or signatures. Attackers can easily copy these.
  • Double-check URLs and attachments. Hover over links and view the full URL before clicking. Think twice before you open attachments, even if sent from a trusted contact.
  • Don’t be scared by urgent emails or texts. Stop and think about your actions.
  • Don’t give up personal data. Most organizations do not ask for personal information over email or text.
  • If in doubt, report the email or text to your organization’s security team. Even if you’ve already been fooled by the email and clicked a malicious link or downloaded an attachment, make sure to still report it to the team so that they can take corrective action and limit further damage.

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, drag the description in the left column next to the matching term on the right. When you finish matching all the items, click Submit to check your work. To start over, click Reset.

Great work!

Resources

在 Salesforce 帮助中分享 Trailhead 反馈

我们很想听听您使用 Trailhead 的经验——您现在可以随时从 Salesforce 帮助网站访问新的反馈表单。

了解更多 继续分享反馈