Phishing emails are much harder to identify than most people realize. While you may laugh off the obvious ones, like your great grandmother’s long-lost brother leaving you an inheritance of 10 million dollars, hackers are getting smarter and much more sophisticated at dressing up their phony emails to come off as the real deal.

Consider this example:

[Figure: a sample phishing email. Image source: Opus Bank]

Such emails can trick even the savviest of web users.

Adversaries spew millions of emails to targeted lists that include both invalid and valid email addresses. Any answer or reply back (even an out-of-office message) tells them your email address is active, making it even more prized. But that’s not the only reason to report suspicious emails without replying. Examined in detail below are five more reasons why you should never respond and always report any suspicious emails in your inbox.

1. A Reply May Leak Your Personal Information

Each email carries headers that record its subject, sender and other attributes. Less well known is that the headers also record the route the email took, server by server. That means the recipient can follow that list back from the point of origin to locate the server from which the email was first transmitted, and can use geolocation to get clues about that server’s physical location. Responding to a suspicious email may therefore leak details about your location, which the adversary can enter into a people search tool, along with your name, to get your phone number and home address.
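The trail described above is the chain of Received: headers. The following script, added here as an illustration and not part of the original article, walks that chain oldest-first for a suspicious message and pulls out the first routable address, which is what an analyst or abuse desk does to trace a phish back to its source (and, read the other way, what a reply from you would hand to the sender). The message, hostnames and TEST-NET addresses are constructed placeholders; only the standard library is used.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default
from typing import Optional

# Constructed sample of a suspicious message; hostnames, addresses and the
# TEST-NET IPs are placeholders, not a real capture.
RAW_MESSAGE = """\
Received: from mx.bulk-sender.test (mx.bulk-sender.test [203.0.113.7])
\tby inbound.victim-mail.test with ESMTPS id abc123
\tfor <analyst@victim-mail.test>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.bulk-sender.test ([198.51.100.23])
\tby mx.bulk-sender.test with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [192.168.1.55] (unknown [192.0.2.200])
\tby relay.bulk-sender.test with ESMTPA; Mon, 01 Jan 2024 10:00:01 +0000
From: "Example Bank Support" <support@example-bank-alerts.test>
To: analyst@victim-mail.test
Subject: Verify your account
Message-ID: <constructed-id@relay.bulk-sender.test>

Please verify your account.
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Address space that never identifies a host on the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw_message: str) -> list[dict]:
    """Return the Received: chain oldest-first, one dict per relay.

    Each server that handles a message prepends its own Received: line, so the
    header at the top is the newest hop and the bottom one is closest to the
    sender. Reversing the list reads the path in travel order.
    """
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", str(header))   # unfold continuation lines
        from_match = re.match(r"from (\S+)", text)
        by_match = re.search(r" by (\S+)", text)
        ips = []
        for candidate in IPV4_RE.findall(text):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue   # dotted text that is not a valid address
            ips.append({"address": candidate, "internal": is_internal(candidate)})
        hops.append({
            "from": from_match.group(1) if from_match else None,
            "by": by_match.group(1) if by_match else None,
            "ips": ips,
        })
    return hops


def first_external_ip(hops: list[dict]) -> Optional[str]:
    """The earliest routable address in the chain: the best available clue to
    where the message was first handed to a mail server. Only the hops added
    by servers you trust are reliable; anything below them can be forged."""
    for hop in hops:
        for ip in hop["ips"]:
            if not ip["internal"]:
                return ip["address"]
    return None


if __name__ == "__main__":
    chain = received_hops(RAW_MESSAGE)
    for i, hop in enumerate(chain, 1):
        addrs = [ip["address"] for ip in hop["ips"]]
        print(f"hop {i}: from {hop['from']} by {hop['by']} ips={addrs}")
    print("originating external IP:", first_external_ip(chain))
```

Note that the oldest hop here shows a private address (192.168.1.55) handed to the relay from an external one (192.0.2.200): the private address tells you nothing about the sender's network, which is why the function skips it and reports the first routable one.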

2. Your Account Can Be Hacked

Responding to malicious emails could get your account hacked if the reply includes a detail or two of your personally identifiable information. For instance, some people include their full name and personal signature in the email footer, and others mention the name of their business or employer as well as the corporate URL. With access to such details, a cyber criminal could have an easier time guessing your password. The chances of this are much greater if your password includes any of your personally identifiable information. Hence, it’s best to report and delete any messages that seem too good to be true.
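The defensive counterpart to this point is a password check that rejects anything built from the user's own identifiers. The following script is an added example, not code from the original article: it breaks a (constructed, hypothetical) user profile into fragments and reports which of them appear in a candidate password, both as typed and with common leetspeak substitutions undone, so a disguised name such as "J@ne" is still caught.

```python
import re

# Constructed user profile for the check (hypothetical person, not real data).
PROFILE = {
    "first_name": "Jane",
    "last_name": "Doe",
    "employer": "Example Corp",
    "email": "jane.doe@example-corp.test",
    "birth_year": "1985",
}

# Common character substitutions people use to "disguise" a word in a password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
MIN_TOKEN = 3   # ignore fragments too short to be meaningful ("jr", "co")


def pii_tokens(profile: dict) -> set[str]:
    """Split every profile value into lowercase word/number fragments."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[^a-z0-9]+", str(value).lower()):
            if len(part) >= MIN_TOKEN:
                tokens.add(part)
    return tokens


def pii_in_password(password: str, profile: dict) -> list[str]:
    """Return the profile fragments found in the password, sorted.

    The password is compared both as typed (lowercased) and with common
    leetspeak substitutions undone, so "J@ne" still matches "jane" while a
    year such as "1985" still matches in the raw form.
    """
    lowered = password.lower()
    candidates = (lowered, lowered.translate(LEET))
    return sorted(t for t in pii_tokens(profile)
                  if any(t in c for c in candidates))


if __name__ == "__main__":
    for pw in ("J@neExample2024!", "D0e1985!", "correct-horse-battery"):
        hits = pii_in_password(pw, PROFILE)
        verdict = "REJECT" if hits else "ok"
        print(f"{pw:24} {verdict:6} {hits}")
```

Run at account-creation or password-change time, a check like this removes exactly the guesses that an attacker armed with a signature block, an employer name and a LinkedIn profile would try first.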

3. The Fraudster Can Trick You into Sharing Corporate Data

A lot of people fall victim to email-driven scams in which the sender pretends to be a representative or partner of the company where the recipient is currently employed. For instance, you could receive an email from an individual or business claiming to be the official sponsor of your company’s corporate social responsibility activities. The adversary will then try his or her best to make the message look legitimate and request confidential data such as a bank account number to transfer funds, or even the phone number of the CEO to discuss arrangements. These are the types of emails to avoid, report and delete.

4. That Response Could Help Adversaries Design More Sophisticated Attacks

Scammers can copy the style and format of your response and craft phishing emails based on it. This is how BEC (business email compromise) attacks are executed. The adversary first gets in touch with someone close to the victim (such as a coworker) and sends casual emails (such as a general inquiry) to elicit a response. This tactic helps the fraudster become familiar with the business lingo. What is learned is then folded into phishing emails used to trick personnel into making illicit wire transfers or sharing corporate data. Thus, if you receive an email from a coworker saying they’d love to know your thoughts on a particular project, verify it out of band, for instance by asking for an in-person meeting, rather than clicking Reply.
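BEC mail of the kind described here usually leaves traces in the headers long before the wire-transfer request arrives: a colleague's display name on an outside mailbox, a sender domain one character away from the real one, or a Reply-To that steers answers elsewhere. The script below is an added example (not code from the article) that checks three constructed header sets against a hypothetical corporate domain and staff directory and lists the indicators found; it is the kind of rule a mail gateway or SOC playbook would apply before a user is ever asked to judge the message.

```python
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.test"   # hypothetical corporate domain

# Hypothetical internal directory: lowercase display name -> mailbox.
DIRECTORY = {
    "alex rivera": "alex.rivera@example-corp.test",
    "sam lee": "sam.lee@example-corp.test",
}

# Constructed header sets (not real mail). Only the fields used are shown.
LEGIT = {"From": "Alex Rivera <alex.rivera@example-corp.test>",
         "Subject": "Thoughts on the Q3 project?"}
DISPLAY_NAME_SPOOF = {"From": '"Alex Rivera" <a.rivera.work@freemail.test>',
                      "Subject": "Quick question"}
LOOKALIKE = {"From": "Sam Lee <sam.lee@examp1e-corp.test>",
             "Reply-To": "finance-desk@other.test",
             "Subject": "Urgent wire transfer"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains flag typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(headers: dict) -> list[str]:
    """Return the BEC warning signs present in one message's headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # 1. A colleague's name on the envelope, but not their mailbox.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is internal staff but address is {addr}")

    # 2. Sender domain is a near-miss of the corporate domain.
    if (from_domain and from_domain != CORP_DOMAIN
            and edit_distance(from_domain, CORP_DOMAIN) <= 2):
        findings.append(f"lookalike domain {from_domain} (resembles {CORP_DOMAIN})")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("legit", LEGIT), ("spoof", DISPLAY_NAME_SPOOF),
                        ("lookalike", LOOKALIKE)):
        print(label, "->", bec_indicators(hdrs) or ["no indicators"])
```

None of these rules is conclusive on its own (a legitimate partner may well use a Reply-To), which is why the function returns the full list of indicators rather than a verdict: two or three together on a message about payments is what should trigger the out-of-band check the paragraph recommends.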


5. Your Reply Can Be Held for Ransom

If your response includes confidential information such as W-2 form data, the hacker can blackmail you, stating that he or she will sell the information on the underground market unless you pay a ransom. While there is no way to guarantee that the hacker will delete sensitive information about your employer once a ransom is paid, a lot of people fall prey to these types of ransomware schemes. The default action should be to cross-check any email that requests W-2 form data and to report fraudulent ones to the anti-spam/anti-fraud authority of the country you reside in. But even a reply that contains only non-confidential information can still lead to a future ransomware attack. As mentioned above, the style and the way the recipient composes email messages give behavioral clues to a cyber attacker who is sophisticated enough in covert, psychological techniques. Once the attacker has drawn the recipient into further dialogue over a few email exchanges (and built a trusted relationship with them), he or she can mount a social-engineering attack to obtain sensitive and/or private corporate information.

Reporting Suspicious Emails

If you are based in the United States, any suspicious emails should be reported immediately to the FTC. The email address is spam@uce.gov. Include the entire spam email and the name of your email provider, and state at the top of the message that you have been spammed.

If you’re from Canada, you can get in touch with the Better Business Bureau for corporate claims and forward other types of spam to the Spam Reporting Centre.

In Europe, each country has different agencies victims can contact. For instance, UK-based recipients can report fraudulent emails to the Information Commissioner’s Office. In Germany, suspicious emails can be shared with the German Association for Voluntary Self-Regulation of Digital Media Service Providers. For countries without a dedicated fraud-reporting agency, residents should visit the national police force’s site for more details.

Apart from reporting it to the official agency, recipients should immediately forward phishing messages to the organization being impersonated by the sender of the email. In this regard, it is important to provide as much detail as possible to the organization you report the email to.

Also, recipients can inform the scammers’ respective email providers or ISPs about fraudulent use of their services. They take any reports of suspicious emails coming from their servers very seriously. You can find the contact details of each provider on their official website.

Finally, all employees should be trained to report suspicious emails to the IT department. A security awareness training program, paired with an email reporting tool like PhishNotify™, will teach employees how to detect — and report — email fraud.
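Every reporting channel above asks for the "entire" email, and the detail that matters most is the header chain, which an inline forward rewrites. The script below is an added example, not code from the article or from any product it names: it packages a constructed suspicious message as a message/rfc822 attachment inside a report email, with the "I have been spammed" statement and provider name up front as the FTC instructions describe, and shows how the receiving side extracts the untouched original. The reporter, destination and provider names are placeholders; the destination should be whichever address applies to your case (the FTC address given above, the impersonated organization's abuse contact, or your own IT department).

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed suspicious message (placeholder hosts and a TEST-NET address).
SUSPICIOUS_RAW = b"""\
Received: from relay.bulk-sender.test ([198.51.100.23]) by mx.victim-mail.test; Mon, 01 Jan 2024 10:00:03 +0000
From: "Example Bank Support" <support@example-bank-alerts.test>
To: jane.doe@victim-mail.test
Subject: Verify your account
Message-ID: <constructed-id@relay.bulk-sender.test>

Your account is locked. Confirm your details at the link below.
"""


def build_phishing_report(raw_suspicious: bytes, reporter: str, report_to: str,
                          provider: str) -> EmailMessage:
    """Wrap the original message, headers intact, in a report email.

    Forwarding inline rewrites the headers and drops the Received: chain the
    recipient needs to trace the source; attaching the original as
    message/rfc822 preserves it.
    """
    original = message_from_bytes(raw_suspicious, policy=default)

    report = EmailMessage()
    report["From"] = reporter
    report["To"] = report_to
    report["Subject"] = "Phishing report: " + str(original["Subject"] or "(no subject)")
    # Per the FTC guidance above: say up front that you were spammed, name your provider.
    report.set_content(
        "I have been spammed.\n"
        f"Email provider: {provider}\n"
        f"Claimed sender: {original['From']}\n"
        "The complete original message, including all headers, is attached.\n"
    )
    report.add_attachment(original)   # attached as message/rfc822
    return report


def attached_original(report: EmailMessage) -> EmailMessage:
    """Pull the original message back out of a report, as the receiving
    abuse desk would."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("report carries no message/rfc822 attachment")


if __name__ == "__main__":
    rpt = build_phishing_report(
        SUSPICIOUS_RAW,
        "jane.doe@victim-mail.test",            # hypothetical reporter
        "abuse@REPORTING-ADDRESS.invalid",       # placeholder destination
        "Victim Mail (hypothetical provider)",
    )
    print(rpt.as_string())
```

Most mail clients offer the same thing as "forward as attachment"; the point of the script is to show what that option preserves (the Received: line and original Message-ID survive inside the attachment) and why a plain forward, which pastes the body under your own headers, is the wrong way to report.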

Final Thoughts

Responding to malicious emails gives attackers an opportunity to mark your email as active and gain more information about you. To safeguard your identity, don’t reply to suspicious emails and always report them.