Forget that old stereotype of the ‘hacker in a hoodie’ trying to crack the code to your employee portal in order to steal data, hijack the computer system or infect it with a virus.
Sometimes, all it takes is a simple email from the perpetrator pretending to be a client, co-worker, or even the CEO, and requesting the recipient to download what appears to be an official file.
A 2016 study by Verizon showed two-thirds of malicious software, or malware, are able to infiltrate computer systems through email attachments.
These infected files look innocent enough. Often the accompanying message is made to look and sound legitimate, mimicking the layout and tone of a regular work email and spoofing the identity of an actual colleague.
It’s an example of a classic phishing scam in which the sender baits the recipient into accessing malicious files.
How to spot a malicious email attachment
One clue recipients should look for is whether the attached file has the (.exe) or (.dmg) extension to its file name. These are programs that launch immediately once the file is clicked. Running these programs enables the malware to take over.
Other high-risk attachments may have (.js), (.scr) and (.zip) extensions instead.
Some malicious files on the other hand are protected by a password. They carry a (.docx) or (.pdf) extension and require recipients to key in a password, usually provided in the message. Once the recipient opens the document, the malware unlocks and hijacks the system.
On the back end, all of this can be resolved by monitoring email traffic more closely; tracking which files are received into the company’s server, where they originate and where they end up; and setting limits on who can access corporate and employee files and how these can be stored or shared securely.
But employees must also remain vigilant against suspicious emails and the social engineering tactics that make them so convincing.
“Chances are if you receive an unsolicited email from an institution that provides a link or attachment and asks you to provide sensitive information, it’s a scam,” said David Ellis, vice president of investigations at SecurityMetrics.
“Most companies will not send you an email asking for passwords, credit card information, credit scores, or tax numbers, nor will they send you a link from which you need to log in.”
Scammers typically prompt users with urgent requests, even threatening them if they fail to take action. It’s important to examine the content of the email first before clicking on a link or file.
“Many phishing emails only need one click to give the hacker access to your otherwise secure systems,” said Charles Johnson, CEO and founder of EDTS, a US computer security specialist.
Johnson recommends picking up the phone and double-checking with the sender whether they had indeed shared a file. “Cross-check unexpected emails from people in authority over the phone or in person before sharing or downloading information,” he said.