Email is a convenient communication tool for individuals and organizations. It provides an easy way to exchange documents, images, links and various files. However, threat actors can use email for malicious purposes. They frequently target organizations and their networks to steal information. Threat actors are technically skilled, quick to exploit vulnerabilities and highly adaptable. A successful intrusion can quickly lead to data and privacy breaches.
As an employee, you may have access to sensitive corporate information, which can make you a target. You should be wary of malicious emails, which threat actors use to infect devices and systems to access information. Knowing how to spot malicious emails and phishing attempts can help protect your organization's information and networks.
On this page
- How threat actors use malicious emails
- How to spot malicious emails
- How to protect against malicious emails
- How to handle malicious emails
- Learn more
How threat actors use malicious emails
Threat actors use malicious emails to conduct a variety of malicious activities, including to:
- steal your sign-in details or credentials
- spread malware, including viruses, ransomware and spyware, to infect your device or spread to other devices on your network
- steal your information, corrupt or damage your files
Phishing attacks
Phishing is the act of sending fraudulent communications that appear to be legitimate. Phishing emails often contain malicious attachments or links to malicious websites. Threat actors carry out phishing attacks to trick you into disclosing sensitive information, such as credit card numbers, social insurance numbers or banking credentials. Phishing attacks can take the form of emails, texts or phone calls, but this publication focuses on malicious emails.
Threat actors can be highly skilled at creating emails that look legitimate. These emails may contain company logos or trademark information. The subject lines are relevant, and the messages are pertinent. Given our desire to trust and the sheer number of emails we receive daily, it can be easy to believe the content we read in these emails, click on embedded links, or open attachments. However, the attachments may contain malicious software, and the links may direct you to malicious websites.
Some types of malware can scan your contacts and automatically send an infected message to everyone on your contact list. Even if an email comes from someone you know, you should always think twice before clicking links or opening attachments. Configuring your email client to automatically preview messages, follow links or open attachments could inadvertently allow a threat actor to:
- remotely access sensitive device information
- execute malware
- use your device as a foothold to access other network resources
Phishing emails come in various forms. Common methods include:
- Spear-phishing: A threat actor sends emails to specific targets, such as an individual, a group or an organization. A spear-phishing email is crafted using the recipient's personal or professional characteristics and interests. Threat actors often use publicly available information from the individual's social media accounts. Spear-phishing emails require more effort from threat actors, but recipients are more likely to respond to the email, open attachments or click on links.
- Whaling: A threat actor sends emails to high-profile individuals or senior executives. They create targeted and convincing emails by using personal information about the individual or the organization they work for. Threat actors may use publicly available information from the organization's website or social media accounts.
- Quishing: A phishing attack using malicious "quick response" (QR) codes in emails that redirect you to a malicious website when the QR code is scanned. Check the website URL to make sure it is the intended site.
Remember, no one is immune. Although anyone can be the target of phishing attacks, the following individuals are more commonly targeted:
- senior executives and their assistants
- helpdesk staff
- system administrators
- users who have access to sensitive information
- users who have remote access
- users whose jobs involve interacting with members of the public
How to spot malicious emails
Threat actors will try to make malicious emails look legitimate. As such, it is important to know how to spot a potentially dangerous one.
Verify the sender's email address to confirm it matches the official address of the organization or individual they claim to be. Know how the organizations and businesses you interact with typically contact you and what type of information they may ask for. For example, a bank should never send links to online banking and ask you to log in. You should always access your banking platform through its official app or website.
Malicious emails can be difficult to identify, but there are some clues that can help you:
- an unfamiliar or misspelled name or email address of the sender
- an invalid username or domain name in a sender's email address
- altered or unprofessional company logos
- generic or odd greetings
- poor grammar or spelling
- urgent tone and direction to act quickly
- urgent messages about current "hot-button" issues related to personal or political causes, major domestic or international events or crises, or organizational challenges
- unusual requests (for example, most companies do not ask for sensitive or personal information in an email or insist that you collect a package or pay an overdue invoice)
Keep in mind that malicious emails may not always contain telltale poor grammar or spelling, particularly if they were created using generative artificial intelligence (AI) tools.
Always be suspicious of unsolicited emails requesting personal or confidential data. Take proactive steps to verify their legitimacy before responding or supplying any information. If you receive an email requesting personal information, search for the organization's official website and contact them using the phone number provided. This way, you can confirm if the request is genuine.
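The clues listed above (an unfamiliar or misspelled sender domain, a generic greeting, an urgent tone, and attachments with multiple file extensions) can also be checked mechanically. The following script is an added example and is not part of this publication; it assumes a hypothetical list of known legitimate domains (KNOWN_DOMAINS) and runs against a constructed sample message, not a real phishing email.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

KNOWN_DOMAINS = {"example-bank.com", "example.org"}  # assumed legitimate correspondents
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir/madam")

# Constructed sample: "examp1e-bank.com" is a made-up lookalike of the assumed
# legitimate "example-bank.com", and the attachment name carries two extensions.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.com>
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear customer, your account will be suspended. Please log in immediately.
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

ZmFrZQ==
--b1--
"""
def check_email(raw):
    msg = message_from_string(raw)
    flags = []
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in KNOWN_DOMAINS:
        # a domain nearly identical to a known one is a likely lookalike ("1" for "l")
        near = [d for d in KNOWN_DOMAINS
                if difflib.SequenceMatcher(None, domain, d).ratio() >= 0.85]
        flags.append(f"unknown sender domain {domain!r}"
                     + (f", resembles {near[0]!r}" if near else ""))
    if any(p in msg.get("Subject", "").lower() for p in URGENT_PHRASES):
        flags.append("urgent tone in subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.count(".") >= 2:
            # "invoice.pdf.exe" shows two extensions; only the last decides what runs
            flags.append(f"attachment with multiple extensions: {filename!r}")
        elif not filename and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace").lower()
            if any(body.startswith(g) for g in GENERIC_GREETINGS):
                flags.append("generic greeting")
            if any(p in body for p in URGENT_PHRASES):
                flags.append("urgent tone in body")
    return flags
```

A message that returns no flags is not proven safe, since the page notes that AI-generated phishing may lack the usual spelling and grammar clues; the check only surfaces the signs a reader should look at first.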
How to protect against malicious emails
You can protect yourself and your organization from malicious emails by implementing the following best practices.
Handle suspicious emails with care
When in doubt, avoid opening suspicious emails and contact the sender by another means (for example, by phone) to confirm they contacted you.
Do not click on links, attachments or QR codes in emails
If you are being asked to log into an account for an unsolicited reason, do not click the link, do not open attached files and avoid scanning QR codes. Instead, visit the organization's website by manually entering the URL in your web browser or by searching through a search engine.
Report suspicious emails
If you receive a suspicious email or suspect malicious activity on a work device or a work account, report the incident to your organization's IT and security teams. Follow their instructions and do not forward the email to coworkers. You can also report phishing emails to the Cyber Centre or the Canadian Anti-Fraud Centre.
Use email filters to block malicious content and spam
Many email programs offer filtering capabilities that allow you to block certain addresses or only accept email from addresses in your contact list. Be careful who you share your email address with, and do not sign up for every mailing list and rewards program offered by retailers. Some businesses will sell your email address to third parties. You can create disposable or "dummy" email addresses to reduce spam. Many online email services also allow you to create email aliases that can be directed to a specific email folder instead of your main inbox.
Delete items in your junk folder
Many email platforms let you configure settings to automatically empty your junk folder after a set number of days. If you choose to do so, you should still check your junk folder so that you do not miss potentially important messages.
Set up client portals
If your organization requires clients to frequently provide information or documents, set up an online client portal to safely collect them. This way, employees will not have to question every email attachment they receive.
Establish clear policies
Your organization should define clear policies on configuration settings and AI use to limit the risk of malicious email messages. These should include:
- installing and properly configuring a firewall and anti-malware software
- configuring a protective domain name system (DNS) on your devices, modems and routers
- enabling a software allowed list and regularly updating all software
- implementing quarantine functions in your organization's anti-malware software
- using trusted and reputable AI detector tools to verify whether content is human or AI-generated
- omitting sensitive information when using AI tools
Additional best practices
- Use secure messaging portals instead of email for communicating your personal information
- Use bookmarks or a search engine to access websites rather than clicking on links
- Be suspicious of emails that are not addressed directly to you or do not use your correct name or salutation
- Do not open attachments or links from an unknown sender or if they have strange file names or multiple file extensions
- Configure your office suite to prevent macros from running without confirmation or to not run macros from email messages
- Deactivate automatic downloads and execution of attachments and images
- Configure your inbox to not load external images to mitigate the risk of tracking pixels (embedded codes in logos or images that can track your location and behaviour)
How to handle malicious emails
If you receive an offensive, abusive or potentially criminal message, inform your local police. Save the message as authorities may ask you to provide a copy to help with any subsequent investigations. Do not send the message to anyone else.
If you accidentally interact with a malicious email, remain calm and take the following actions:
- Stop using your device
- Disable Wi-Fi or disconnect network cables so the device cannot communicate with the Internet
- Power off the device
- Contact your IT security department if you are using a corporate device. They can disable accounts and other device features
- Change your password, passphrase, or PIN using a different device
- Scan the device using anti-malware software if possible
- Restore network connections only when you believe you have a clean system
- Perform any available updates and security patches on your device
- Monitor your accounts regularly for suspicious activity
Learn more
- Don't take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
- Protect your organization from malware (ITSAP.00.057)
- Best practices for passphrases and passwords (ITSAP.30.032)
- How updates secure your device (ITSAP.10.096)
- Firewall security considerations (ITSAP.80.039)
- Protective Domain Name System (ITSAP.40.019)
- How to protect your organization from malicious macros (ITSAP.00.200)
- Application allow list (ITSAP.10.095)
- Cyber security best practices for managing email (ITSAP.60.002)