Detecting Socially-Engineered Emails

Download CSOC Protect Notice: Detecting Socially-Engineered Emails (PDF), updated August 2012

  1. Socially-engineered emails present a significant threat to information security. This document offers tips for identifying malicious emails and avoiding compromise of your network and information. This document is intended for all users.

What are socially-engineered emails?

  1. Sending socially-engineered emails is the most common technique used in malicious cyber intrusions targeting Australian government agencies. Socially-engineered emails attempt to deceive the recipient into downloading malicious software by clicking on a link or attachment. They may appear to be work-related or target a specific interest. They can also appear to come from someone you know. Inadvertently accessing these malicious files can have serious consequences, including the theft of Australian government information.

Who do they target?

  1. Senior officials and their staff, system administrators, users with access to sensitive information, users with remote access and users whose role involves responding to unsolicited emails are at a higher risk of being targeted. Such users should be especially vigilant and employ strategies to mitigate the risk.

How can socially-engineered emails be identified?

  1. While socially-engineered emails can be highly sophisticated, there are ways to differentiate them from legitimate emails. Consider the following questions when you next read your emails:
    1. Do you really know who is sending you the email?
      1. Do you recognise the sender and their email address?
      2. Is the tone consistent with what you would expect from the sender?
      3. Is the sender asking you to open an attachment or access a website?
    2. Are you expecting an email from them? Socially-engineered emails can be crafted to appear to come from a relevant and trustworthy source, including from within your organisation. Many use content relating to current events in order to deceptively gain your trust.
    3. Is the content of the email relevant to your work? Malicious cyber actors may use fraudulent emails which relate to your area of interest.
    4. Does the email ask you to access a website or open an attachment? This technique is commonly used to run malicious code on a victim's computer, which could compromise agency data. You should always type the web address into your browser instead of clicking a link, and avoid clicking on any link that has been shortened, as you have no way of verifying the actual address. Exercise judgment and be cautious when opening attachments or accessing websites.
    5. Is the web address relevant to the content of the email? Always place your mouse over the link and check that the destination address shown by your email client matches both the link text and the organisation the email claims to come from. For example, an email purportedly from a financial institution that contains a link to a pharmaceutical website may be malicious, as the two are unrelated enterprises. Clicking the link could redirect you to a malicious website.
    6. Is the email from a personal email address? If it seems unusual to receive an email from a work colleague or superior from a personal email address, the email could be malicious. Call the sender to verify the legitimacy of the email before opening any attachments or clicking on any links.
    7. Is the email suspiciously written? Incorrect spelling and capitalisation, abnormal tone and language, or the absence of a specific addressee can indicate that an email is not legitimate.
    8. Have you received the same email twice? This could be a sign that malicious cyber actors are seeking to increase the likelihood that you will open their email and action their request.
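The sender and link questions above can be partly automated. The following Python script is an added example, not part of the original notice or of any ASD tool: it parses a raw email, flags a sender address on a personal webmail domain, extracts the links from an HTML body, reports links whose visible text names a different host from the real destination, and reports links through URL shorteners. The sample email, the list of webmail domains and the list of shortener hosts are constructed for illustration and are assumptions, not data from the notice.

```python
"""Automated versions of the sender and link checks in the notice (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for illustration; an agency would maintain its own.
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample: a lure whose link text shows an agency portal while the
# real destination is an unrelated site, plus a shortened link, sent from webmail.
SAMPLE_EMAIL = """\
From: "Finance Team" <finance.team@gmail.com>
To: user@agency.example.gov.au
Subject: Urgent: invoice approval required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the invoice at
<a href="http://pharma-deals.example.net/login">https://portal.agency.example.gov.au/invoices</a>
or use the short link <a href="http://bit.ly/3xyzabc">here</a>.</p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme such as 'www.x.com'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text, re.IGNORECASE))


def check_links(links):
    """Flag shortened links and links whose visible URL disagrees with the real target."""
    findings = []
    for href, text in links:
        target = host_of(href)
        if target in SHORTENERS:
            findings.append(f"shortened link hides destination: {href}")
        if looks_like_url(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
    return findings


def check_sender(msg):
    """Flag a From address on a personal webmail domain (question 6 in the notice)."""
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in PERSONAL_WEBMAIL:
        return [f"sender uses personal webmail domain: {domain}"]
    return []


def html_body(msg):
    """Return the decoded text/html part, or '' if the message has none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def analyse(raw_email):
    msg = message_from_string(raw_email)
    return check_sender(msg) + check_links(extract_links(html_body(msg)))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, the script reports three findings: the webmail sender, the mismatch between the displayed agency portal and the real pharmaceutical host, and the shortened link. A link whose visible text is plain words such as "here" cannot be compared, which is why the hover check in the notice still matters for those.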

How should you handle malicious communication?

  1. If you suspect that you have been the target of a socially-engineered email attack, do not delete or forward the email; leave it in place as evidence and contact your IT security team immediately.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.
  2. DSD's Strategies to Mitigate Targeted Cyber Intrusions complements the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.