I recently finished reading Mandiant’s fantastic APT1 Report. One of the gems is on page 29, which details some of the tactics used in phishing attacks carried out by APT1 (speculated to be the elite cyber-attack wing of the Chinese military).
Here’s an excerpt that I just loved:
On some occasions, unsuspecting email recipients have replied to the spear phishing messages, believing they were communicating with their acquaintances. In one case a person replied, “I’m not sure if this is legit, so I didn’t open it.” Within 20 minutes, someone in APT1 responded with a terse email back: “It’s legit.”
Kudos to the person who received the email and suspected it was not legit. But… if you think it’s not legit, why on earth would you reply to the sender and ask them to confirm? Of course they will tell you it’s legit! If you receive a suspicious email, never reply to it! Report it to your IT staff and contact the person who supposedly sent it by an alternate channel, such as the telephone.