Every year since 2008, Verizon has come out with an annual Data Breach Investigations Report (DBIR), which has come to be known as the “breach bible” in its analysis and catalog of tens of thousands of security incidents. Year after year, malware remains one of the top threats, with a hefty 66 percent of malware being installed via malicious email attachments. Malicious attachments are an appealing tool for cybercriminals because they cost 50 percent less than URL-based attacks, according to Proofpoint. Malware prevention, with a focus on how to identify suspicious attachments, must be part of any security awareness training.
For seasoned IT pros, identifying suspicious attachments can feel like a reflex, but most employees don’t have the same training or experience. Taking the time to educate employees on malware prevention is a simple yet critical way to bolster an organization’s security defenses.
Consider the context and content
As they separate the safe attachments from the dangerous ones, advise employees to start by considering the context of the correspondence. Is it from a trusted contact or domain? Was it expected? Is there a message attached that makes sense? If a coworker sends an attachment that feels totally random, or a boss sends an attachment with an uncharacteristic message, or an email arrives from an unknown source, those are red flags. Employees need to know not to click right away.
Employees should also check the content of the message. Can they see the sender’s actual email address and not just the display name? Do they know the sender? Is the sender addressing them in a standard way? Does the signature look consistent? Are there oddities like spelling or grammar mistakes? These are all questions you should encourage employees to ask themselves.
If an email from a known source seems fishy, advise employees to reach out to the apparent sender another way—perhaps through the company’s instant messenger app, in a text or phone call, or in a new email chain—to verify that the attachment is real. And of course, never open attachments from unknown senders.
Examine the file
Next, IT managers should encourage employees to think about the file itself during security awareness training. Is the file way bigger than it should be? Is the name an extremely long string of jumbled characters? What is the file format? Certain file types are inherently riskier than others, and knowing what those are is important for malware prevention. Employees should be instructed to avoid the extensions .bat, .exe, .vbs, .com, .ade, .adp, .cpl, and .wsc unless they are fully expected and directly solicited from a trusted source. Users should be extremely skeptical of .exe files, as these contain self-running programs that can install malicious code on devices.
However, even common text attachments that seem harmless—including .txt, .pdf, and .doc/.docx/.xls/xlsx/.ppt/.pptx files—can be problematic. 85 percent of malicious emails, according to security firm F-Secure, have a .doc, .xls, .pdf, .zip, or .7Z file attached. This is why it’s wise to verify the sender every time. Microsoft Office files can include harmful macros, and zipped files with unknown content and zip bombs are other potential landmines, as compressed files can unleash active viruses or massive amounts of data that can overwhelm a device. Zipped files can’t be scanned for malware until they are opened, so downloading them is a big risk. Again, advise employees to confirm the file with the source before opening.
Malware prevention requires vigilance
Beyond educating employees on malware prevention, IT teams should also encourage the adoption of email attachment scanners that come with anti-malware and virus protection to ensure that malicious emails don’t even get through to inboxes. Investing in devices with embedded security features, such as self-healing printers, can secure endpoints and prevent these devices from becoming unsecured pathways for malware to infiltrate your network. Safe peripheral endpoints are just as critical to security as the integrity of the main network.
In addition to leading security awareness training, IT managers should make sure to research and champion up-to-date network security that can auto-filter all user activity against threat databases. In today’s threat environment, organizations need all the defenses they can get. Educating employees on best practices and deploying technology that maintains constant vigilance are key steps to keeping organizations safe.