Thursday, July 4, 2024

How to spot a business email compromise

This is the first step: get your emotions under control. Sure, it might be hard if you work in a demanding field, but it is your best first line of defense, and your employer will thank you (or at least should).

Always check through a second channel

If you have any doubts about the legitimacy of an urgent request, verify that the email really came from the person it claims to be from. The best way to do this is to ask, but be careful how you ask.

“If you receive an email like this, it’s important to pick up the phone and call a number that you know is legitimate,” Larson said, urging caution, “and don’t rely on the phone number listed in the email itself, as that phone number belongs to the threat actor.”

This is an important point: the contact information in the email may itself have been planted by the attacker. Save the person's phone number in your phone beforehand, or look it up on the company's official website or in the official company directory. Do this even if the number in the email looks right: some scammers go to the trouble of obtaining a phone number that closely resembles the real number of the person they are impersonating, so that you call them instead of the real person.

“I’ve seen phone numbers that are off by two digits from the actual phone number,” Tokazowski said.

Call the person who supposedly emailed you on a number you are certain is real to verify that the request is genuine. You can also use another channel you already share, such as Slack or Microsoft Teams, or ask in person if they are in the office. Bear in mind that if the attacker has taken over the sender's account, chat tools signed in with the same credentials may be compromised as well, so a phone call or a face-to-face check is the stronger option. The key is to confirm urgent requests somewhere other than the original email, and not to worry about wasting the sender's time, even if they are your boss or some big shot.

“Victims of identity theft would rather have someone take the time to verify their identity than lose thousands or even millions of dollars in a malicious transaction,” Larson said.

Verify the sender's email address

It’s not always possible to get in touch with the sender, and when it isn’t, there are a few tricks you can use to tell if an email is real or fake. First, check the sender’s address to make sure it comes from your company’s domain.

“Always check the domain you’re receiving email from,” Larson says. This can be obvious — your CEO might not be sending emails from a Gmail account, for example — or it can be more subtle: Scammers have been known to purchase domains that look similar to those of the company they’re trying to scam to make themselves appear legitimate.

It’s also worth checking whether the email signature matches the address the email is being sent from. “If you look at the footer, it uses the company’s actual domain to make it look legitimate, but it doesn’t match the email address,” Larson says. Keep in mind that the differences can be subtle. “Lookalike domains are very common; someone will use slight variations, like using an ‘l’ instead of an ‘i’, to make the email look legitimate.” If you are in doubt, compare the domain in the address character by character against the domain you know is correct, rather than pasting it into your browser: a lookalike domain registered by a scammer can resolve to a perfectly convincing website, and loading an attacker-controlled site is a risk in itself.
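The checks described in this section and the previous one (a sender domain that merely looks like the company domain, a footer that names the real domain while the From address does not, and a callback number a digit or two off the directory number) can be mechanised. The script below is an added example, not code from the article or from Larson or Tokazowski; the company domain, the directory entry and the sample message are all constructed for the demonstration.

```python
"""Heuristic checks for a suspicious "urgent request" email.

Added example (not from the article). COMPANY_DOMAIN, DIRECTORY and
SAMPLE are constructed; a real deployment would read the directory
from the corporate address book.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed corporate domain
DIRECTORY = {"cfo@example-corp.com": "+1 555 555 0123"}  # assumed, trusted source

# Characters attackers swap for look-alikes. Mapping both the real and the
# observed domain through this table makes "examp1e" and "exampIe" collapse
# onto "example", so the comparison sees them as the same string.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def normalize(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches dropped or transposed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str) -> str:
    """'company' (exact or subdomain), 'lookalike' (confusable or within
    two edits of the real domain after normalisation) or 'external'."""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return "company"
    if edit_distance(normalize(domain), normalize(COMPANY_DOMAIN)) <= 2:
        return "lookalike"
    return "external"


def digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def check_phones(body: str, claimed: str) -> list:
    """Compare every number in the body with the directory entry for the
    identity the mail *claims* to come from (local part + real domain)."""
    real = digits(DIRECTORY[claimed]) if claimed in DIRECTORY else None
    findings = []
    for m in PHONE_RE.finditer(body):
        found = digits(m.group())
        if real is None:
            verdict = "no_directory_entry"
        elif found == real:
            verdict = "matches_directory"
        elif len(found) == len(real) and sum(x != y for x, y in zip(found, real)) <= 2:
            verdict = "near_miss"          # "off by a digit or two"
        else:
            verdict = "different"
        findings.append((m.group(), verdict))
    return findings


def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    body = msg.get_payload()
    domain = sender_domain(msg["From"])
    local = parseaddr(msg["From"])[1].split("@")[0].lower()
    verdict = classify_domain(domain)
    return {
        "sender_domain": domain,
        "domain_verdict": verdict,
        # footer names the real company domain but the From address does not use it
        "footer_mismatch": COMPANY_DOMAIN in body.lower() and verdict != "company",
        "phone_findings": check_phones(body, f"{local}@{COMPANY_DOMAIN}"),
    }


# Constructed sample: lookalike domain, real domain in the footer, near-miss number.
SAMPLE = """\
From: "Pat Chen, CFO" <cfo@examp1e-corp.com>
To: ap@example-corp.com
Subject: Urgent wire before 5pm

Please process the attached wire today. I am in meetings all afternoon;
if you need to confirm, call me on +1 555 555 0128.

Pat Chen, Chief Financial Officer
www.example-corp.com
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it and the sample is flagged three times over: the domain is a lookalike, the footer names the real domain, and the callback number differs from the directory number by one digit. None of this replaces the phone call the article recommends; it only tells you which emails deserve one.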
