So this is the first step: Take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it’s your best first defense, and your employer will thank you for it (or, at least, they should).
Always Confirm Through a Second Channel
Now that you’re skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.
“If you received an email like this, it’s important to pick up the phone and call the number you know to be legitimate,” says Larson, adding a caveat. “Do not rely on a phone number in the email itself—it will be owned by the threat actor.”
This is a crucial point: Any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you’ve already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that’s similar to that of the person they’re impersonating, all on the hopes that you’ll call that number instead of the real one.
“I’ve seen phone numbers off two digits from the actual phone number,” says Tokazowski.
Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they’re in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.
“The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction,” says Larson.
Check the Email Address
Getting in touch with the supposed sender isn’t always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it’s from the company domain.
“Always check the domains that you’re receiving emails from,” says Larson. Sometimes this will be obvious; your CEO likely isn’t emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they’re attempting to defraud, all in the hopes of appearing legitimate.
It’s also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they’ll use the actual domain of the company to make it look legitimate, but that won’t match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Look-alike domains are very common: Someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you’re suspicious, is to copy and paste the domain half of the address into a browser. If you don’t get a website, you’re probably dealing with a fake.
