Page 248 - COSO Guidance Book

Some tips to identify a phishing email include:

1. Look at the sender's address in the email. Does it appear correct? For example, you might be familiar with how an organization's email addresses are structured: first name, period (.), last name @ organization name.com. An email from Nisha.Gordhan@AICPA-CIMA.com would appear reasonable, but one from NishaGordhan@AICPA-CIMA.com would appear suspicious because the period between the first and last name is missing.
2. Review the domain name for reasonableness. In the preceding example, AICPA-CIMA.com would appear reasonable whereas 123AICPA-CIMA.com would not.
3. If the email begins with something like "Greetings Valued Customer" instead of the recipient's name ("Greetings, Ms. Gordhan"), then the email would appear suspicious because a legitimate sender should know the recipient's name.
4. Look for spelling and grammatical errors (such as incorrect verb tense).
5. If the email asks for personal identification information, such as bank account or credit card numbers, then it is most likely a phishing email; senders of legitimate emails would not request this information.
6. Do not click on links embedded in emails that appear suspicious. Most email clients will alert the user whether a link that has been clicked, or is about to be clicked, is safe or malicious. If asked to click on a link contained in a suspicious email, avoid the link and instead type the URL you find after searching online via a browser or other means (such as a web address printed on a brochure from a brick-and-mortar store).
7. Hover over the link and the actual URL will be displayed. For example, the link text might read AICPA.org, but when the user hovers over the link, the URL displayed is for ACIPA.org. This is a red flag that the user will most likely be redirected to a cybercriminal's website.
8. Consider installing email filtering software, which can identify and block possible junk and malicious emails.
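The checks in tips 1, 2, 3, 5 and 7 are mechanical enough to automate as a triage aid. The following is an added example, not part of the COSO guidance: it scores a message against those five tips and returns the tip numbers that fire. The expected address shape (first.last@domain), the set of known organization domains, the generic-greeting and sensitive-data keyword lists, and the two sample messages are all assumptions constructed for illustration.

```python
"""Heuristic phishing-indicator checks mirroring tips 1, 2, 3, 5 and 7.

Added example; not from the COSO guidance. The address pattern, the
known-domain set, the keyword lists and the sample messages are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization uses first.last@<domain> and owns these domains.
KNOWN_DOMAINS = {"aicpa-cima.com"}
ADDRESS_PATTERN = re.compile(r"^[a-z]+\.[a-z]+@([a-z0-9.-]+)$", re.IGNORECASE)
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user")
SENSITIVE_TERMS = ("bank account", "credit card", "password", "social security")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Lower-cased host of a URL or bare domain string, without a www. prefix."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return host.lower().removeprefix("www.")


def phishing_indicators(sender, greeting, body_html):
    """Return the guidance tip numbers that fire for this message, in order."""
    flags = []
    match = ADDRESS_PATTERN.match(sender)
    if match:
        sender_domain = match.group(1).lower()
    else:
        flags.append(1)  # tip 1: address does not follow first.last@domain
        sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_DOMAINS:
        flags.append(2)  # tip 2: domain is not one the organization uses
    if any(g in greeting.lower() for g in GENERIC_GREETINGS):
        flags.append(3)  # tip 3: generic greeting instead of recipient's name
    plain_text = re.sub(r"<[^>]+>", " ", body_html).lower()
    if any(t in plain_text for t in SENSITIVE_TERMS):
        flags.append(5)  # tip 5: asks for personal identification information
    collector = _LinkCollector()
    collector.feed(body_html)
    for href, visible in collector.links:
        shown = _domain(visible) if "." in visible else ""
        if shown and shown != _domain(href):
            flags.append(7)  # tip 7: displayed domain differs from the real URL
            break
    return flags


# Constructed sample messages (not real email).
LEGITIMATE = dict(
    sender="Nisha.Gordhan@AICPA-CIMA.com",
    greeting="Greetings, Ms. Gordhan",
    body_html='<p>Agenda attached. See <a href="https://www.aicpa.org/events">AICPA.org</a>.</p>',
)
SUSPICIOUS = dict(
    sender="NishaGordhan@123AICPA-CIMA.com",
    greeting="Greetings Valued Customer",
    body_html='<p>Confirm your bank account to claim the coupon: '
              '<a href="https://ACIPA.org/claim">AICPA.org</a></p>',
)

if __name__ == "__main__":
    print("legitimate:", phishing_indicators(**LEGITIMATE))   # []
    print("suspicious:", phishing_indicators(**SUSPICIOUS))   # [1, 2, 3, 5, 7]
```

The link check implements tip 7 directly: the visible anchor text is treated as what the user sees, the `href` as where the browser would actually go, and a mismatch between the two hosts is flagged. Tips 4, 6 and 8 are left to the reader and to mail-filtering tooling, since spelling quality and link-safety verdicts are not reliably decided by string matching.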

A recent global phishing scheme, comprising 550 million emails, tried to obtain users' bank account information by offering a coupon or discount after the user completes a quiz or online contest. The emails appear to be from a trusted entity that users in their particular country would recognize. The emails are in the users' local language.[7]
            Malvertising — Malvertising is the infection of IT resources through online advertising.

In one form of malvertising, cybercriminals purchase advertising space from known advertising networks (such as Google or Facebook) and then submit ads that contain malicious code in images (such as a picture of a shirt). The perpetrators anticipate that a legitimate advertising network will include these ads. The user's IT device is infected either when the user clicks on the ad or when the ad has completed downloading. Also, the user might be redirected to a website that delivers malware.[8]

Malvertising might also take the form of a pop-up ad. An unwitting user might click on a banner ad that pops up on a trusted website and inadvertently download malicious software onto the device.


            Malvertising sometimes requires little or no user interaction. The malware can infect a user’s computer
            without the user having to click on any portion of the ad. This is oftentimes accomplished by malvertising



[7] https://www.vadesecure.com/en/phishing-attack-targets-550-million/
[8] https://digitalguardian.com/blog/what-malvertising-how-identify-and-protect-against-malvertising-attacks

            © 2020 Association of International Certified Professional Accountants. All rights reserved.    5-14