This week, a report about the most common vectors for data breaches and related issues was released.
You and I are the weakest link.
A couple of scary numbers from that report: 1 in 10 recipients will download and open the attachment on a phishing or spam email. The average time between a phishing email being sent and the first victim taking the bait is 22 seconds.
What the heck is it about email attachments that makes them so darned irresistible?
Attachments are useful
The problem begins with the fact that email attachments are darned useful.
I have a file, and I want to get it to you. Often the quickest and easiest way to do so is to simply compose an email to you, attach the file and press Send. After that, magic happens.
For example, it’s not uncommon for folks to want to submit a screen shot with their Ask Leo! question. The best way to do that? Submit the question, and then reply to the confirmation email message with the screen shot image as an attachment. Nothing could be simpler. Taking the screen shot was probably the hardest part of that process.
Given the rate at which we exchange data with friends, co-workers, and even tech support sites, email attachments have become a cornerstone of our digital life.
We’ve been trained to open attachments
Because attachments are so common, we don’t think twice about getting them, and we don’t think twice about opening them.
We’ve been trained to use and open attachments even when they’re not needed.
My favorite pet peeve1 is the office worker who carefully types up a short memo using a program like Microsoft Word. Then, instead of just copy-and-pasting the contents of the document as the body of the email, he or she sends the entire Word document as an attachment, with the body stating something like “important memo attached”.
There’s no need. The mail with an attachment is larger, slower, and less likely to make it past spam filters. The recipients are forced to open the attachment or, in many environments, suffer the consequences of missing the memo.
This kind of attachment abuse has lowered our sensitivity to the dangers that attachments represent.
Attachments don’t kill computers…
Now, let’s be clear: attachments aren’t evil in and of themselves. It’s how attachments are used and abused that leads to the problem.
- We’re trained to open attachments without thinking too hard.
- Attachments can contain anything, good or evil; they could contain important files, or they could contain devastating malware.
That sounds like a recipe for disaster. And it is.
When 10% of the audience will open an untrusted attachment to a phishing email, that’s hacker gold. That’s a spammer’s dream.
That’s our nightmare.
Attachments are often no longer necessary
Attachments were originally created to solve a specific problem: getting a file from point A to point B.
Back in the days before always-on networks, email’s “store and forward” approach to getting a message to its recipient “eventually” was a fantastic way to perform file transfers. In some cases, entire file repositories (the equivalent to today’s download sites) were available primarily via email request.2
We’ve come a long way since then, and the attachment habits we developed are most often no longer necessary. The easiest alternative? Place the file in something like Dropbox or OneDrive and share a link. Not only does this make your email smaller and more likely to make it through (without forcing a lengthy download on the recipient just to read the email), but it also gives you control and accountability that an attachment can’t: you can limit the link to specific people and revoke it later, whereas an attachment is out of your hands the moment you press Send, and the currently spoofable email system can’t even vouch for who sent it.3
And of course there’s simply no reason to attach a document when the message could be just as easily placed into the body of the email.
Attachments: think twice, then think again
Think twice about sending attachments at all. Use shared online storage instead – be it internally, on your company network, or on an internet service like Dropbox or OneDrive. Have photos to share? Put them online instead of forcing the recipient to download them. If you’re concerned about privacy, use a service that lets you control who sees what: share with named recipients rather than an “anyone with the link” link, and give the link an expiration date if the service offers one. Set up that way, it’s more secure than an email attachment, which is copied onto every mail server along the route and into every recipient’s mailbox and backups, where anyone with access to those systems can read it.
Think twice – and then twice again – before opening any attachment. Unless you know better, your initial reaction to an attachment should always be one of mistrust. In particular:
- No financial organization will ever send you a “secure message” as an unsolicited attachment. (And if they do, they don’t “get” security, and I’d think twice about continuing to be their customer.) Phishers imitate these with an HTML attachment that opens a fake login page; whatever you type into it goes straight to the attacker.
- Shipping companies never send paperwork about missed deliveries as attachments. This is one of the most common ways that people get fooled. If you’re uncertain at all, pick up the phone and call the local office – using a number from the company’s own website, not one printed in the email.
And of course, nobody in Nigeria wants to share money with you. But you already know that.
You can scan an attachment using your anti-malware tools after you download it and before you open it, but scanners miss brand-new malware, so if you’re even a little unsure, it’s better to check with the sender. Look at the real file type, too: Windows hides known extensions by default, so a file named Invoice.pdf.exe shows up as “Invoice.pdf” with whatever icon the attacker chose, and a .zip can hold anything at all. And if a document you do open asks you to “Enable Content” or “Enable Macros”, close it; that prompt is how macro malware gets its foot in the door. Don’t reply to the email – of course someone sending you a phishing email from a hacked account will claim it’s legitimate. Instead, pick up the phone, using a number you already have rather than one in the message, or use some other means of double checking.
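Those checks can be automated before anything is opened. The script below is an added example, not part of the original article: it parses a raw email with Python’s standard `email` module and flags each attachment on the signals described above (executable or double extensions, macro-enabled and archive formats, and a mismatch between the declared type and the file’s leading bytes). The sample “missed delivery” message, its sender address and its attachments are constructed for the demo, not taken from a real campaign.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions Windows will run as a program or script on double-click.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "msi", "lnk", "jar",
}
# Office formats that can carry VBA macros behind an "Enable Content" prompt.
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Archives and disk images hide the real file type from gateways and people.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "iso", "img", "gz"}
# Extensions attackers put second-to-last so a program looks like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

# Leading bytes ("magic numbers") of common types. Filename and Content-Type are
# chosen by the sender; the bytes are what the operating system actually acts on.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (also .docx/.xlsx/.jar)",
    b"\xd0\xcf\x11\xe0": "legacy Office (OLE) document",
    b"\x89PNG": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
}
# What the declared MIME type promises, to compare with what the bytes say.
DECLARED_TYPES = {"application/pdf": "PDF document",
                  "image/png": "PNG image", "image/jpeg": "JPEG image"}


def identify_by_magic(data):
    """Name the file type from its first bytes, or 'unknown'."""
    for prefix, label in MAGIC.items():
        if data.startswith(prefix):
            return label
    return "unknown"


def triage_attachment(filename, content_type, data):
    """Return (risk, reasons) for one attachment; risk is high, medium or low.

    These are heuristics for deciding whether to open something at all,
    not a replacement for an anti-malware scan.
    """
    findings = []  # (severity, explanation)
    name = (filename or "").lower()
    parts = name.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    magic = identify_by_magic(data)

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(("high", f".{ext} runs as a program when opened"))
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(("high", f"double extension hides .{ext} behind .{parts[-2]}"))
    if magic == "Windows executable (PE)":
        findings.append(("high", "content starts with 'MZ': it is a Windows executable"))
    if ext in MACRO_EXTENSIONS:
        findings.append(("medium", f".{ext} can carry macros; never click 'Enable Content'"))
    if ext in ARCHIVE_EXTENSIONS:
        findings.append(("medium", "archive conceals the real file type until extracted"))
    if ext in {"html", "htm"}:
        findings.append(("medium", "HTML attachment: a common wrapper for fake login pages"))
    expected = DECLARED_TYPES.get(content_type)
    if expected is not None and expected != magic:
        findings.append(("medium", f"declared {content_type} but content looks like {magic}"))

    severities = {severity for severity, _ in findings}
    risk = "high" if "high" in severities else "medium" if findings else "low"
    return risk, [explanation for _, explanation in findings]


def triage_message(raw):
    """Parse a raw RFC 5322 message and triage every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_content()          # bytes for application/* and image/* parts
        if isinstance(data, str):          # text/* parts come back already decoded
            data = data.encode("utf-8", "replace")
        risk, reasons = triage_attachment(part.get_filename(), part.get_content_type(), data)
        report.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "sha256": hashlib.sha256(data).hexdigest(),  # for an AV or sandbox lookup
            "risk": risk,
            "reasons": reasons,
        })
    return report


def build_sample_message():
    """A constructed 'missed delivery' lure (not a real sample) with two attachments."""
    msg = EmailMessage()
    msg["From"] = "parcels@example-courier.test"   # hypothetical sender
    msg["To"] = "you@example.test"
    msg["Subject"] = "Missed delivery: see attached paperwork"
    msg.set_content("We could not deliver your parcel. Open the attached notice.")
    # Declared as PDF, named like a PDF, but the bytes are a Windows executable stub.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode"
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf",
                       filename="Delivery_Notice.pdf.exe")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # a harmless PNG header, for contrast
    msg.add_attachment(png, maintype="image", subtype="png", filename="label.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in triage_message(build_sample_message()):
        print(f"{entry['risk'].upper():6} {entry['filename']}  sha256={entry['sha256'][:16]}...")
        for reason in entry["reasons"]:
            print("       -", reason)
```

Run against the constructed message, the fake “Delivery_Notice.pdf.exe” comes back as high risk on four separate signals while the PNG comes back low. The SHA-256 in each entry is what you would hand to your anti-malware or sandbox lookup; the point of the heuristics is that the filename and Content-Type are the attacker’s to choose, so the decision to open should rest on what the bytes actually are.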
Don’t be part of the 10%.