Cybersecurity Support Desk

5 Things To Do After Spotting a Phishing Email

So you got a suspicious email in your inbox at work or at home and you’re pretty sure it is a phishing email. You spotted this common social engineering tactic, but what should you do next? I received this suspicious email a few days ago. Aside from the fact that I did not order a $2000 server tower, there are several red flags in the email below that stood out as unusual and likely a phishing scam.

The first red flag is that the sender's email address does not match the business named in the email. The email is supposedly from Amazon, but the return address is an unusual address not associated with Amazon. There were also spelling and grammar errors within the body of the email. Upon taking a closer look at the raw email, I discovered that the contents of the email were base64 encoded. This is highly unusual, and there is no need to base64 encode the raw contents of a legitimate email.

While this email does not invite me to click a link, there is a call to action to call the "fraud" department. If you are unsure whether an email is actually from the company it claims to be from, go to your account on the business website by typing the address into your browser, not by following a link in the email, and/or contact the company using a phone number you retrieve from the company's own website.

Email gateways and spam filters stop the vast majority of phishing emails before they reach your inbox, but many still get through this layer of defense. Here are 5 things you can do after identifying a phishing email in your inbox to protect your network.

1. Do not click on any links or attachments in the email

A simple phishing email is the entry point for most cyber intrusions and successful cyberattacks. Cybercriminals will use various psychological tactics to get you to click on a malicious link embedded in a phishing email or to click on a malicious email attachment that drops the initial malware on an endpoint. When you click on a malicious link or attachment, you are also bypassing any existing security controls in place and opening the door for cybercriminals to carry out their objectives in the network.

2. Analyze the raw email for more information

You can do some analysis of the phishing email and glean a lot of information by examining the raw email. In your webmail client, click on the "show more" option and then "view raw message." Below is a portion of the raw email I received. The raw email contains a lot of information about the source of the phishing email. A professional cybersecurity analyst or security team will be able to perform an in-depth analysis to search for indicators of compromise, including analyzing email attachments in a sandbox, and determine the full scope of affected recipients and affected endpoints. However, you can ascertain critical information as well by examining the raw email.

The main things to identify are the sender's IP address, any domains, and any other IP addresses you can attribute to a suspicious source. You can then investigate the IP addresses you find by plugging them into VirusTotal, DNS or WHOIS databases, threat intelligence feeds, and other resources for more information and to determine whether these artifacts have been flagged as malicious.
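As an added example (not code from the original post), here is a small Python script that pulls the step 2 artifacts out of a raw message: the hop IP addresses from the Received headers, the relay hostnames, the sender's display name versus its real domain, and whether the body is base64 transfer-encoded, which it then decodes. The message, hostnames and addresses are constructed for the demo; addresses in your own private ranges are skipped so they do not end up in a lookup or, later, in a block rule.

```python
import base64
import email
import re
from email import policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample, not the author's real message: display name claims Amazon, sender domain does not.
BODY_TEXT = "Your order of a $2000 server tower is confirmed. Call our fraud department."
RAW_EMAIL = (
    b"Received: from mx1.victim.test (mx1.victim.test [10.0.0.5])\n"
    b"\tby mailbox.victim.test for <user@victim.test>\n"
    b"Received: from mail.mailer-example.test (mail.mailer-example.test [203.0.113.45])\n"
    b"\tby mx1.victim.test with ESMTP\n"
    b"Received: from [198.51.100.7] (unknown [198.51.100.7])\n"
    b"\tby mail.mailer-example.test with SMTP\n"
    b'From: "Amazon Orders" <billing@mailer-example.test>\n'
    b"Content-Type: text/plain; charset=utf-8\n"
    b"Content-Transfer-Encoding: base64\n\n" + base64.encodebytes(BODY_TEXT.encode())
)
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]  # your own relays
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def triage(raw: bytes) -> dict:
    """Pull the step-2 artifacts (hop IPs, relay hosts, sender identity, encoding, body) from a raw email."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    ips = []
    for line in reversed(received):  # each relay prepends its own line, so the last one is the origin
        for ip in IPV4_RE.findall(line):
            if ip not in ips and not any(ip_address(ip) in net for net in INTERNAL):
                ips.append(ip)
    hosts = sorted({h.lower() for line in received for h in HOST_RE.findall(line)})
    display, addr_spec = parseaddr(str(msg["From"]))
    body = msg.get_content().strip() if not msg.is_multipart() else ""  # decodes the base64 transfer encoding
    return {"external_ips": ips, "relay_hosts": hosts, "display_name": display,
            "from_domain": addr_spec.rsplit("@", 1)[-1].lower(), "body": body,
            "base64_body": str(msg.get("Content-Transfer-Encoding", "")).lower() == "base64"}

def red_flags(report: dict) -> list:
    """Crude checks mirroring the post: brand in the display name vs. the real sender domain, base64 body."""
    flags = []
    brand = report["display_name"].split(" ")[0].lower() if report["display_name"] else ""
    if brand and brand not in report["from_domain"]:
        flags.append(f"display name claims {brand!r} but mail comes from {report['from_domain']}")
    if report["base64_body"]:  # plenty of legitimate mail is base64 encoded too, so weigh this with the other signals
        flags.append("plain-text body is base64 transfer-encoded")
    return flags
```

Feed the output of `triage` to the lookups named above (VirusTotal, WHOIS, threat intelligence feeds); `external_ips` lists the origin first.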

3. Report the phishing email to your employer

If you receive a phishing email at work, or while working remotely from home, you should notify your employer or the designated IT/security contact as soon as possible. This is an important step even if you have not clicked on any suspicious links or attachments. If you got a phishing email in your inbox, chances are other employees have as well. Another employee may even have clicked on a malicious link in the email, resulting in endpoint compromise. The email you received may be part of a much larger phishing or spear-phishing campaign targeting your organization. Therefore, it is your responsibility to report the suspicious email through the workplace protocols in place, so your employer can take action to determine the scope and impact on network security.

4. Delete the email

Once you have examined the raw email, collected important artifacts, and reported the suspicious email to your employer, you should delete the email and any attachments. If this is a personally-owned computer, you may also want to scan your endpoint to try to detect and remove any malware on your system.

5. Update firewall rules

If this is on a personally-owned device, you should update the firewall rules on your computer to block the sender's IP address and other suspicious indicators of compromise. You can also update your spam filters to prevent a recurrence. Make sure not to block legitimate email and website traffic while updating firewall and/or spam rules. If this happened in a work environment on company-owned equipment, you should wait for further instruction on any actions your security team may want you to take.

Phishing is a primary social engineering technique because it is cheap, easy to execute, and incredibly effective. These 5 steps will guide you through the process of keeping your home or work network secure when it is targeted with phishing emails. Security training for all employees is vitally important to maintaining network security, whether employees are working remotely on personally-owned computers or at an office on company-owned endpoints. Employees who are security-conscious and trained to spot phishing emails and report them immediately are the key to a strong security posture and to defeating cybercriminals and advanced cyberthreats.