5 reasons why you should report — Not reply to — Suspicious emails
Phishing emails are much harder to identify than most people realize. While you may laugh off the obvious ones, like your great grandmother's long-lost brother leaving you an inheritance of 10 million dollars, hackers are getting smarter and much more sophisticated at dressing up their phony emails to come off as the real deal.
Phishing simulations & training
Such emails can trick even the savviest of web users.
Adversaries spew millions of emails to targeted lists that include both invalid and valid email addresses. Any answer or reply back (even an out-of-office message) tells them your email address is active, making it even more prized. But that's not the only reason to report suspicious emails without replying. Examined in detail below are five more reasons why you should never respond and always report any suspicious emails in your inbox.
1. A reply may leak your personal information
Each email includes a header that determines the email subject, sender and other attributes. However, few people know that the header also reveals the location of the route taken by the email, server by server. That means the recipient can follow the list back from the point of origination in order to locate the server from which the email was first transmitted. Also, the recipient can use geolocation to get clues about the server's location. Therefore, responding to a suspicious email may leak details about your location, from which the adversary can enter into a
people search tool, along with your name, to get your phone number and home address.
2. Your account can be H=hacked
Responding to malicious emails could get your account hacked if the reply includes a detail or two about your personally identifiable information. For instance, some people include their full name and personal signature in the email footer, and others mention the name of their business/employer as well as the corporate URL. With access to such details, a cyber criminal could possibly have an easier time guessing your password. The chances of this are much greater if your password includes any of your personally identifiable information. Hence, it's best to report and delete any kind of messages that seem too good to be true.
3. The fraudster can trick you into sharing corporate data
A lot of people fall victim to email-driven scams in which the sender pretends to be a representative/partner of the company where the recipient is currently employed at. For instance, you could receive an email from an individual or business claiming to be the official sponsor of your company's corporate social responsibility activities. The adversary will then try his or her best to make the email message look legitimate enough and request confidential data such as a bank account number to transfer funds, or even the phone number of the CEO to discuss arrangements. These are the types of emails to avoid, report and delete.
4. That response could help adversaries design more sophisticated attacks
Scammers can copy the style/format of your response and create phishing emails based on that. This is how BEC (business email compromise) attacks are executed. The adversary first gets in touch with someone close to the victim (such as his/her coworker) and sends out casual emails (such as a general inquiry) to get a response. This tactic helps the fraudster get familiar with the business lingo. The learning is then integrated into phishing emails that are used to trick personnel into conducting illicit wire transfers or sharing corporate data. Thus, if you receive an email from your coworker saying they'd loved to know your thoughts on a particular project, do a cross-check by requesting an in-person meeting without clicking the reply button.
5. Your reply can be held for ransom
If your response includes confidential information such as the W-2 form data, the hacker can blackmail you by stating he/she will sell the information in the underground market unless you pay a ransom. While there's no way to guarantee that the hacker would delete sensitive information about the company you're employed at once a ransom is paid, a lot of people fall prey to these types of ransomware schemes. The default action should be cross-checking emails that request W-2 form data and reporting fraudulent ones to the anti-spam/anti-fraud legislation of the country you reside in. But even a reply back that contains non-confidential information can still lead to a future ransomware attack. As mentioned before, the style and the way the recipient composes their email messages can give behavioral clues to the cyber attacker, provided that they are also sophisticated enough in using covert, psychological techniques. Once the attacker engages the recipient into further dialogue after a few email exchanges (and builds a trusted relationship with them), he or she can then engage in a social-engineering style attack in order to obtain sensitive and/or private corporate information.
Reporting suspicious emails
If you are based in the United States, any suspicious emails should be reported immediately to the FTC. The email address is spam@uce.gov. You need to include the entire spam email, the name of your email provider and state that you've been spammed at the top of the message.
If you're from Canada, you can get in touch with the Better Business Bureau for corporate claims and forward other types of spam to the Spam Reporting Centre.
In Europe, each country has different agencies victims can contact. For instance, UK-based recipients can report fraudulent emails to the Information Commissioner's Office. In Germany, suspicious emails can be shared with the
German Association for Voluntary Self-Regulation of Digital Media Service Providers. For nations without fraud investigation legislations, residents should visit the national police force site for more details.
Apart from reporting it to the official legislation, recipients should immediately forward phishing messages to the organization being misrepresented by the sender of the email. In this is regard, it is important to provide as much detail as possible to the organization you report the email to.
Also, recipients can inform the scammers' respective email providers or ISPs about fraudulent use of their services. They take any reports of suspicious emails coming from their servers very seriously. You can find the contact details of each provider on their official website.
Finally, all employees should be trained to report suspicious emails to the IT department. A security awareness training program, paired with an email reporting tool like PhishNotify™, will teach employees how to detect — and report — email fraud.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Final thoughts
Responding to malicious emails gives attackers an opportunity to mark your email as active and gain more information about you. To safeguard your identity, don't reply to suspicious emails and always report them.
In this Series
- 5 reasons why you should report — Not reply to — Suspicious emails
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
