Email is an exceedingly common vector for social engineering attacks, whereby an attacker impersonates a trustworthy entity, such as a bank or someone you know, in order to elicit sensitive information from you. This is often done by including a link to a decoy login page designed to steal your login credentials or a link to a site hosting malware that attacks your browser. Furthermore, malware is commonly attached to an email disguised as a legitimate document.

Because phishing is a cheap and easy method of attack, it is a popular method employed against activists. It is important to avoid following links or opening email attachments that you were not expecting. Even professional security researchers can fall for phishing attacks.

Stay vigilant, and whenever you receive an email with a link or attachment that you were not expecting—even if it appears to be from someone you know—check with the sender via another channel before opening it to make sure it is legitimate. Or, in the case of receiving an email from a institution or business, make it a habit to visit their website by typing the address yourself (or using a bookmark) rather than following links from the message.

Back to top