Sometimes when sending phishing simulations to our clients, we setup a reply-to address to see if people will reply to suspicious emails and many do. Many people interpret our simulations as scams and articulate that in colorful language. Others reply to our phishing email and provide information that would be dangerous in the hands of a threat actor, such as contact information for the appropriate employee for us to connect with based on the topic of our simulation. While there are some who advocate replying to cyber criminals to waste their time and keep them from exploiting the less aware, replying to suspicious emails is never a good idea for the untrained. It is important to remember that these scammers are in fact criminals and engaging with them is like catching a tiger by the tail. CNN reported a story where a scammer, using phone calls and emails to try and extort a couple for money, eventually threatened them by describing their house in detail. The threat actor told the couple that he knew their whereabouts and followed with a poignant threat if they didn't pay him what he was asking for.
What Should You Do If You Receive a Suspicious Email?
When you receive a suspicious email in the office, do not reply, click or download any attachments. While it could be a lot of fun to mess with criminals, it is dangerous business. Report it to the appropriate IT or security team and let them handle it. In your personal email account, it is best just to delete them and move on with life. Handling suspicious emails this way further protects you and or organization from cyber criminals.
What Happens if You Reply to a Phishing Email?
Replying to a phishing email opens your organization up to future attacks, validates that your email is live and active, and provides your geolocation to cybercriminals.
1. Future attacks
Responding to suspicious emails can provide more information about your company, such as how your email signatures look, which can be used in future brand impersonation attacks like business email compromise (BEC) or spear phishing. We have seen examples of emails that include messages like “How am I doing? Contact my manager at…". All of which provides more data for the cyber criminals to lend credibility to their future attacks.
2. Validating your email address
By responding back to spammers, scammers, and cyber criminals alike, you are telling them that your email address is live and active. This makes your email a more valuable commodity for criminals to target or sell to other cyber criminals.
3. Providing your geo-location
The background information in your emails, known as headers, contains information about your location. This can be combined with publicly available information to narrow down your location and find you in the world. In light of the story above, giving up your location to cyber criminals, intentionally or unintentionally, is never a good idea.
Benchmarking from the World's Largest Phishing Exercise
More than a million corporate users worldwide take part in the Gone Phishing Tournament, hosted by Fortra’s Terranova Security and Microsoft. Watch the webinar to learn:
- Average phishing email click rate by company size and industry
- Common practices of the best performing companies
- Click and malicious file download benchmarking rates
Additional Resources:
