The One Thing Cybercriminals Don’t Want You to Know


Understanding what a hacker is going after is key to understanding the type of cyber tools you need to guard against these attacks.

Unsolicited emails have become the modern-day equivalent of door-to-door salesmen. While less obtrusive and easier to brush off, they are nonetheless an obnoxious part of the digital world we participate in. Most of these emails are easily categorized as spam or promotional offers, but others are more reminiscent of a burglar casing your home for a future robbery. It’s easy to lose focus in the shuffle of endless emails, and while you cannot be harmed by an email that simply lands in your Inbox, it’s what you do with it that could cause self-inflicted pain.

Some of the more pernicious emails we receive are phishing emails. Sometimes these are targeted directly at us, utilizing publicly available information to lull us into a false sense of security, and other times they are a scattershot of low-quality hogwash. Then there’s a middle ground where fake password reset emails call home. There’s an oft-unknown policy that pretty much every organization with a digital presence follows to ensure the security of users’ accounts. Cybercriminals don’t want you to know it, but no respectable organization will ever send you an unsolicited email asking you to reset your password or to provide any other sensitive information, for that matter.

Yes, Microsoft, Google, Amazon, etc. are a heck of a lot like the IRS. You may receive an email from your bank saying they had a data breach, your account credentials were compromised, and you now need to reset your password. This is different from providing a link in the email to a special page where you can reset your password. Most official communications will ask you to navigate to their website on your own and sign in the way you usually do to find the password reset page under your account settings. Setting this precedent helps to ensure you’re less likely to trust an email that asks for direct action from the body of the email, usually with a hyperlink.

This policy only applies to unsolicited emails. There is a difference between receiving a password reset email for your investment account out of the blue and receiving it after you clicked ‘Forgot my Password’ on the login page of your investment account. Anytime you receive an email requesting that you click on a link, share sensitive information, or perform an action, first check for the typical signs of a malicious email (poor spelling/grammar, incorrect domain name/email address, suspicious links, etc.) and then ask yourself, “Why am I receiving this email? Did I somehow request this?” Most of these emails can be ignored on this basis alone. When in doubt, navigate to the website in question on your own, as this is often how official communications will ask you to make changes in your account, not from a link they provided via email.

- Pete Belies, Director of Managed Services
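
The checks described above can be automated as a first-pass mail filter. The following is an added example, not part of the original article: it flags links that leave the sender's domain, link text that shows one domain while opening another, and password reset requests delivered as a link. The sample message, the hostnames, and the names `triage`, `under` and `Links` are constructed for illustration, and domain matching is a simple suffix comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RESET = re.compile(r"reset (your )?password", re.I)
DOMAIN = re.compile(r"(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})")

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.cur_href, self.cur_text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.cur_href, self.cur_text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.cur_text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.cur_href is not None:
            self.found.append((self.cur_href, self.cur_text.strip().lower()))
            self.cur_href = None

def under(host, domain):  # assumption: suffix match, not a public-suffix lookup
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return warnings for one raw message (bodies are not transfer-decoded)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    links = Links()
    links.feed(body)
    warnings = []
    for href, text in links.found:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN.search(text)
        if host and not under(host, sender):
            warnings.append(f"link goes to {host}, not sender domain {sender}")
        if host and shown and not under(host, shown.group(1)):
            warnings.append(f"link text shows {shown.group(1)} but opens {host}")
    if links.found and RESET.search(msg.get("Subject", "") + " " + body):
        warnings.append("password reset by emailed link: did you request it?")
    return warnings

# Constructed sample message; the addresses and hosts are made-up placeholders.
PHISH = ('From: "Example Bank" <alerts@examplebank.test>\n'
         'Subject: Reset your password now\nContent-Type: text/html\n\n'
         '<a href="http://account-check.example/reset">www.examplebank.test/reset</a>\n')
```

A message cannot show whether its recipient requested it, so the last warning is a prompt for the reader rather than a verdict, and a reset email you did ask for will still trigger it.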
