Malicious Email

A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency or any other service or business. The sender name, logos and wording are easy to copy, so appearance alone proves nothing about who actually sent the message.

It often urges you to act quickly, because your account has supposedly been compromised, your order cannot be fulfilled or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps:

  • Contact the company directly – using information provided on an account statement, on the company’s official website or on the back of a credit card.
  • Search for the company online – but not with information provided in the email.


Spam

Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. Here are ways to reduce spam:

  • Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.
  • Report spam: Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam also trains your provider’s filter, so similar messages are less likely to be delivered directly to your inbox.
  • Own your online presence: Consider hiding your email address from online profiles and social networking sites, or only allowing certain people to view your personal information.


Phishing

Phishing attacks use email or malicious websites (reached by clicking on a link) to collect personal and financial information or to infect your machine with malware and viruses.

Spear Phishing

Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Because the attacker now has access to the business’s network and can send mail from its own systems, the email may look even more authentic, and because the recipient is already a customer of the business, the email is more likely to make it through filters and the recipient is more likely to open it.

The cybercriminal can use even more devious social engineering efforts, such as indicating there is an important technical update or new lower pricing, to lure people.

Spam & Phishing on Social Networks

Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts. Here are ways to report spam and phishing on major social networks:

Tips for Avoiding Being a Victim

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website: the address should begin with https:// and the certificate shown by the browser should be for the domain you expect. Keep in mind that HTTPS only means the connection is encrypted; phishing sites use it too, so a padlock alone does not prove a site is legitimate.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling (a digit 1 in place of a letter l, a transposed pair of letters) or a different domain (e.g., .com versus .net), or bury the real name inside a longer, unrelated domain.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce the risk of infection from malware.
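The URL check above can be automated. The following is an added example, not code from the original article or from Stay Safe Online: it pulls every http(s) link out of an email body, reduces each hostname to its registrable domain, and flags domains that are not on a trusted list but closely resemble one. It goes slightly beyond the text by also catching a trusted name used as a subdomain of an attacker’s domain. The TRUSTED_DOMAINS allowlist, the sample email and the two-label approximation of a registrable domain are all assumptions made for the example.

```python
"""Flag lookalike domains in URLs found in an email body.

Added example (not from the original article).  Assumptions:
 - TRUSTED_DOMAINS is a hypothetical allowlist maintained by the reader;
 - SAMPLE_EMAIL is constructed for illustration;
 - a "registrable" domain is approximated as the last two DNS labels,
   which is fine for .com/.net/.org but wrong for suffixes such as .co.uk
   (use a public-suffix library for production).
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example-bank.com", "shop-example.com"}

# http(s) URLs up to whitespace or a closing quote/bracket
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed phishing-style message: one real link, three lookalikes,
# one unrelated domain.
SAMPLE_EMAIL = """\
Your account has been limited. Restore access within 24 hours:
  https://login.examp1e-bank.com/restore
Or review your statement at https://example-bank.com/statements
Track your order: https://shop-example.net/orders/12345
Secure portal: https://example-bank.com.secure-verify.net/login
Unsubscribe: https://lists.newsletter-host.org/unsub
"""


def registrable_domain(host: str) -> str:
    """'login.example-bank.com' -> 'example-bank.com' (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    reg_label, reg_tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    for t in trusted:
        t_label, t_tld = t.rsplit(".", 1)
        # Trusted name used as a subdomain of someone else's domain,
        # e.g. example-bank.com.secure-verify.net
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"
        # Same name, different top-level domain (.com versus .net)
        if reg_label == t_label and reg_tld != t_tld:
            return "lookalike"
        # Small spelling variation, e.g. examp1e-bank.com or exmaple-bank.com
        if edit_distance(reg_label, t_label) <= 2:
            return "lookalike"
    return "unknown"


def scan_email(body: str, trusted=TRUSTED_DOMAINS):
    """Return [(url, host, verdict), ...] for every http(s) URL in the body."""
    results = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        results.append((url, host, classify_host(host, trusted)))
    return results


if __name__ == "__main__":
    for url, host, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {host:40s} {url}")
```

The edit-distance threshold is a trade-off: 2 catches single-digit swaps and transposed letters but will also flag legitimate short domains that happen to be near a trusted one, so an "unknown" or "lookalike" verdict is a prompt to verify through a channel you already trust, not a final judgement.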

What to Do if You Are a Victim

  • Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
  • Watch for any unauthorized charges to your account.
  • Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.

Protect Yourself With These STOP. THINK. CONNECT.™ Tips

  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete it or – if appropriate – mark it as junk.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
  • Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals, because one leaked passphrase cannot be reused against your other accounts. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking and social media.

Additional Resources

Originally posted on Stay Safe Online