x
Limited Time Offer: Save up to 20% on a new CIS SecureSuite Membership | Learn more
×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

How to Identify an Email Hoax & What to do if You Fall Victim

Email hoaxes demand money by threatening recipients in various ways. The sender may claim that they will unleash a distributed denial of service (DDoS) attack on an organization, or reveal sensitive or embarrassing information about an individual. They may even threaten to physically harm someone.

While the theme of the hoaxes may change, the threat actor's goal remains the same. That is, to elicit fear in the recipient in order to get them to pay the extortion demand. However, email hoax campaigns are by definition illegitimate, since the sender is actually incapable of carrying out their threats.

Recipients of hoax emails need to be able to identify them as scams to avoid being hoodwinked. However, it's important to remember that a malicious email may also be a legitimate threat. Proceed cautiously. If you receive a threatening email at work, follow standard incident response procedures while investigating the accuracy of the claim.

How to Tell if it’s a Hoax Email

There are some key indicators that can help you determine whether the email is a hoax:

  • Many hoaxes are emailed to multiple recipients. The use of generic language and a lack of specific details about the target are good indicators it’s a hoax.
  • The threat actor will usually incite a sense of urgency by demanding immediate payment to avoid the malicious activity. This makes it harder for the recipient to calm down and think it through.
  • Finally, a hoax email won't offer any proof of the ability to pull off the attacker's claims.

Some hoax campaigns attempt to gain legitimacy by claiming to be from groups known to conduct successful attacks. But just because they claim to be with such a group, doesn't mean they are.

The Compromising Video Hoax

One recognized hoax email campaign claimed that the threat actor had placed malware on the email recipient’s system. This malware, the email stated, allowed the threat actor to capture webcam footage.

Furthermore, the threat actor claimed the malware captured all of the recipient’s personal contacts. The recipient was instructed to pay the extortion demand to a Bitcoin wallet within 24 hours in order to prevent personal and private information from being emailed to all of their personal contacts.

What to do if You Suspect an Email Hoax

  • Determine if the email contains any specific knowledge about you or your organization, or if the language is generic and appears to be part of a mass mailing campaign.
  • Conduct searches on keywords, the cryptocurrency wallet ID, and sender’s email address, as this may yield multiple examples of others affected by the same hoax.
  • Check the cryptocurrency wallet ID for transactions to the wallet, which may provide insight into the threat actor’s operations.
  • Confirm that malware was not placed on the system by running an antivirus scan. Ensure that the antivirus program is using updated signatures.
  • Reimage the machine and reset passwords if malware is discovered.
  • Implement spam filtering at the email gateway to filter out emails with known phishing indicators, such as the known malicious subject lines.
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.

As a general rule, organizations should provide social engineering training to employees, and direct them to immediately report potential hoaxes. You'll also want to adhere to best practices such as those described in the CIS Controls and the CIS Benchmarks.

No-cost Malicious Domain Blocking

U.S. State, Local, Tribal, and Territorial (SLTT) government organizations can access a variety of cybersecurity services through the Multi-State Information Sharing and Analysis Center (MS-ISAC). Solutions such as Malicious Domain Blocking and Reporting (MDBR) can help fight email hoax campaigns by blocking malicious links they contain. In addition to state and local government entities, U.S. K-12 educational institutions as well as public and private hospital systems can receive no-cost MDBR services.