How to spot a Ransomware email - ten revealing signs
08 June 2017
Every few months, a prolific Ransomware cyber attack such as WannaCry takes the world by storm, and the international press goes into overdrive for a couple of weeks while the news is still hot. Everything then returns to "business as usual", and for many, Ransomware is forgotten about until the next time a malicious payload like WannaCry or Cryptolocker succeeds across the world.
While these large-scale attacks have highly critical repercussions for the organisations that they affect, perhaps the single benefit is that awareness of Ransomware spreads as quickly as the virus itself, and for a few weeks, individuals are more aware of the threat, and hopefully more vigilant.
According to Sophos, 30% of all Ransomware-infected emails are opened. While opening an email doesn't necessarily cause a threat to a business's IT infrastructure, this is the make or break moment. Does a user fall for the phishing scam laid out in the email, or do they spot the telltale signs that the email has a malicious payload, and press the delete button? By ensuring your employees know how to spot a ransomware email, you're instantly mitigating the threat of this particularly nasty form of cyber attack.
Email-borne ransomware is typically delivered through a method known as phishing, and fortunately, phishing emails are detectable when you know the signs.
Here are ten signs that could help your employees spot Ransomware:
1. It's a strange request. If you've received a request that you're not expecting, that seems out of the ordinary, or that isn't relevant to you directly, chances are it's a typical phishing email, even if it looks like the sender is from within your organisation. If in doubt, call the "sender" to confirm its legitimacy. Delete!
2. Friend, you've not been addressed personally. If a generic salutation has been used, chances are the sender doesn't know who you are. At best, it's just a marketing email, but at worst you're a target of a cyber criminal. Delete!
3. Bad gramar and speling. Most peopl take a sense of pride in there work. bad gramar, typos and speling is a dead cert that their is something phishy. Delete!
4. It's got an attachment. Ransomware payloads are commonly executed by opening an email attachment, or enabling a macro script on a document. Always be cautious of opening an attachment, especially if you're not expecting it or don't know the sender. Delete!
5. Dodgy URL links. It's very easy to hide or spoof a link. The display URL isn't necessarily the destination web page. Hover over links before clicking to see if they direct you where you expect them to. Looks legit? Double check to look for individual characters or minor discrepancies. Still in doubt? Delete!
6. Great news! You've won 500 quid! That's strange - you didn't even enter a competition. This sounds so obvious, yet people still regularly fall for it, or the cyber criminals wouldn't do it. If it's too good to be true, it's a scam. Please don't click on the link to the prize page. Delete!
7. The from: address doesn't add up. It's easy for wannabe attackers to create fake email addresses that are near-identical to the real deal. Customerhelp@amaz0n.com could easily be misread as a legitimate email address. Delete! [Note: savvier cyber criminals can spoof email addresses so that they look like they DO actually come from a legitimate source. Don't rely on this sign without cross-referencing.]
8. Scaremongering tactics. A common approach used by cyber criminals is to claim something like "your account has been breached!". This creates a sense of urgency and vulnerability, and can prevent people from thinking clearly. If the claims in the email were true, would the sender really tell you in this way? Always check through a different means of communication. Then delete!
9. It's an uncharacteristic request from somebody you know. Maybe you've received an email from somebody you trust (e.g. your CEO, the finance department), but the language used is different from normal. Maybe it's too formal or informal. Maybe the email signature isn't the normal one used. You're probably used to the way these individuals talk to you, so if it's not normal, something weird might be going on. Delete!
10. A big red box has appeared on the screen telling you that your files are encrypted and you have 72 hours to pay 10 bitcoin. If you've got to this stage, there's no doubt that you've received a Ransomware email. Unfortunately, it also means you've actioned something within the email and subsequently been infected. It's too late to delete!
We sincerely hope you never witness point number 10. Do your part in your company's cyber security infrastructure by helping to raise awareness of Ransomware, and ensuring you can successfully identify it. For more resources that can help you in the fight against Ransomware, visit www.clickclever.co.uk. Stay safe!