Our instinct is to assume that most things are real or legitimate.
When a manager or client requests reports, our “worker-bee” mentality kicks in and we deliver the reports without question. Hackers count on us to react without first verifying whether the message – let alone the demand – is what it appears to be.
The New Jersey Cybersecurity and Communications Integration Cell (“NJCCIC”) reported today that “Emotet” malware campaigns are exploiting exactly this tendency. According to the NJCCIC, the suspect emails “reference a nondescript invoice or overdue payment in the subject and body, and contain a URL link or attachment that leads to a Microsoft Word document hosted on a remote server.” If you open the document, Emotet then installs itself onto your system. The emails may appear to come from someone within your company or another trusted source. NJCCIC further advises that this malware is detected by current antivirus products less than 50% of the time.
The message is clear: if you are not expecting an invoice, or happen to receive another odd request, pick up the phone and call your known contact to verify prior to clicking on a link or providing information.
Be polite, be helpful – but verify first!