Tips for Identifying Suspicious Emails
November 11, 2019
We would like to thank staff who notified ITM of the Voicemail Phishing email that occurred last week. Recognizing threats and notifying others is a critical step and can greatly help reduce the impact of attacks.
With any vulnerability, especially one that has been exploited successfully, it is important to improve awareness by helping staff understand how they could have recognized the suspicious content. The following tips can help you identify malicious activity.
It is always important to consider the following aspects of WHO, WHAT, WHY and WAIT when opening an email message. Below is an example of how these questions could have helped to determine the legitimacy of this message.
WHO – TRCA Employee to 101 Exchange
Unlike most phishing emails that spoof the username but show a different email address, this message was more advanced and was sent from the actual account of a legitimate TRCA employee. The message can also be identified as being sent to the 101 Exchange email distribution list. This is not necessarily suspicious behaviour.
WHAT – Attachment
The email contains what appears to be a voicemail attachment, judging by the file name. However, upon closer inspection, the attachment is shown with the icon of the computer’s default internet browser. The file extension is also one associated with a webpage (.htm) and not an audio file (e.g. .wav, .mp3). This IS suspicious.
WHY – Voicemail Message
The purpose of the message is to provide a voicemail message to the recipient, as identified by the email subject and attachment. However, sending another staff member a voicemail that was received would typically be done through a Forward action and would result in a “FW:” prepended to the subject. The suspicious nature of this is in the details and is also dependent on the recipient’s normal interactions with the sender.
WAIT – Context and Action/Interaction?
Taking time to reflect and consider the three previous components together, it is uncharacteristic for a TRCA employee to send a voicemail message with an attachment to all of 101 Exchange. Additionally, the email inherently prompts the recipient to open the attachment. Considering all the suspicious indicators together should trigger a warning to staff that this message is potentially malicious.
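For mail administrators, the WHAT, WHY and WAIT checks above can also be expressed as a simple filter. The following is an added example, not part of the original ITM notice; the addresses, file names and sample messages are constructed placeholders, and treating ".html" and "Fwd:" as equivalents of ".htm" and "FW:" is an assumption.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses
from pathlib import PurePosixPath

WEB_EXTS = {".htm", ".html"}           # webpage types; ".html" is an added assumption
ALL_STAFF = {"all-staff@example.org"}  # placeholder for the distribution list address

def sample(subject, to, filename):
    """Build a constructed test message with one placeholder attachment."""
    m = EmailMessage()
    m["From"] = "staff.member@example.org"
    m["To"] = to
    m["Subject"] = subject
    m.set_content("You have a new voicemail.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

def review(raw):
    """Return the WHAT / WHY / WAIT indicators raised by one raw message."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    is_voicemail = "voicemail" in subject
    hits, has_attachment = [], False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        has_attachment = True
        # WHAT: presented as a voicemail, but the file is a webpage, not audio.
        web = PurePosixPath(name).suffix in WEB_EXTS
        if web and (is_voicemail or "voicemail" in name) and "WHAT" not in hits:
            hits.append("WHAT")
    # WHY: a voicemail passed along to a colleague would normally be a forward.
    if is_voicemail and not subject.startswith(("fw:", "fwd:")):
        hits.append("WHY")
    # WAIT: an attachment addressed to the whole distribution list.
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if has_attachment and {addr.lower() for _, addr in rcpts} & ALL_STAFF:
        hits.append("WAIT")
    return hits

if __name__ == "__main__":
    print(review(sample("Voicemail message", "all-staff@example.org",
                        "voicemail_message.htm")))
```

As in the walkthrough above, no single indicator is conclusive; the value is in seeing several of them raised by the same message.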
Staff are advised to always consider Who, What, Why and Wait when opening email messages, especially when the message encourages user action/interaction. If staff ever encounter or experience suspicious activity, please contact the ITM Service Desk through:
Calling the ITM Service Desk: 416.661.6600 ext. 4357 (HELP)
Submitting a request: ITM Service Desk
Visiting the ITM office: Located on the 2nd floor, South Side of 101 Exchange Ave