clt_email_legitimacy_checklist

Differences

This shows you the differences between two versions of the page.

clt_email_legitimacy_checklist [2025/10/16 21:37] thesaint
clt_email_legitimacy_checklist [2025/10/16 22:32] (current) – [5) Optional: Template to report to IT (see wanip.io for info below)] thesaint
Line 6: Line 6:
 ---- ----
 \\ \\
-Sir David — here’s a clean DocuWiki edit-page version tailored **for all incoming emails** (includes your two “Am I expecting…” checks). Paste directly into your wiki. +**Audience:** End users and admins.\
- +**Purpose:** Help you decide if an email is legitimate in under 60 seconds.\
-``` +**Updated:** 2025\\
-====== Quick Email Legitimacy Checklist (For All Incoming Emails) ====== +
-**Audience:** End users.\ +
-**Purpose:** 60-second decision guide for any email you receive.\ +
-**Last updated:** @@2025-10-17@@+
  
 ---- ----
  
-===== 0Hard Stops — If any are true, **stop** and report ===== +===== THINK … (before you click) ===== 
-  * Asks for passwords2FA codesremote accessor confidential data+  * **Are you expecting anything** right now? 
-  * Urgent payment bank change gift cards crypto+  * **Are you expecting anything from these people/company**? 
-  * You were **not expecting** this email or request.+  * If the email mentions **domains/hosting/billing**: ask*who is my real provider?* If it’s **not** the senderit’s likely **phishing**. 
 +  * If it asks you to **click****hover** your mouse over the button/link—your mail app shows the **actual URL**
 +  * Want more certainty? In **Outlook (desktop)**: **File → Properties → Internet headers**. Check the true **From**/**Return-Path** and authentication results (SPF/DKIM/DMARC). They must match the brand you expect
 +  * **Geo note:** Country/TLD is only a **weak signal**—attackers use any country and many generic TLDs. Treat geo as **extra-scrutiny**, not a blocker.
  
 ---- ----
  
-===== 1) Expectation Check (first, 10 seconds) ===== +===== Quick Email Legitimacy Checklist (Updated) ===== 
-  * **Am I expecting anything** right now?  +**Stop now if any are true:** asks for passwords/2FA, urgent payment/bank-detail changes, gift cards/crypto, remote access, or you didn’t expect it.
-  * **Am I expecting anything from these people/company**? +
-  * Do I actually have an account or relationship with the named company?+
  
-If **No** to any → treat as suspicious and go to **8If Suspicious**.+**1) Sender** 
 +  - Name matches someone you know or a real department. 
 +  - Email **address** matches the real domain (no look-alikes like `rnicrosoft.com`)
 +  - **Reply-To** is the same as **From**.
  
-----+**2) Context** 
 +  Am I **expecting anything** right now? 
 +  Am I **expecting anything from these people/company**? 
 +  You were expecting this email (invoice, file, delivery, password reset). 
 +  You actually have an account/relationship with the company named.
  
-===== 2Sender Check ===== +**3Links** 
-  * Display **name** matches someone you know or a real department+  - Hover shows the **same brand domain** (e.g., `https://accounts.google.com/...`). 
-  * **Email address** uses the real domain (no look-alikes like `rnicrosoft.com`, no extra words). +  - No link shorteners (bit.ly, tinyurl) or random strings
-  * **Reply-To** matches the **From** address (no domain switch).+  - No QR codes you’re being pushed to scan. 
 + 
 +**4) Attachments** 
 +  You expected an attachment from this sender. 
 +  - Avoid risky types: `.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm` 
 +  - Office/PDF files do **not** ask to “Enable Content/Macros”. 
 + 
 +**5Language & look** 
 +  - Uses your correct name and specific details you recognise
 +  - No odd grammar, threats, or too-good-to-be-true offers. 
 +  - Branding looks right (logos not blurry; footer/legal normal). 
 + 
 +**6) Client warnings*
 +  No “External sender” or “Failed authentication (SPF/DKIM/DMARC)” banners. 
 +  - Not flagged by your mail client as suspicious. 
 + 
 +**7) Verify safely (don’t use email links)** 
 +  - Open the website/app yourself from a **saved bookmark** or by **typing** the address
 +  - Call/message the sender on a **known** number/channel to confirm. 
 +  - For payments/bank changes: do a **voice check** with your contact. 
 + 
 +**8) If suspicious** 
 +  - Don’t click, don’t reply, don’t forward (except to IT/security)
 +  - Use **Report phishing** in your mail app, then delete. 
 +  - If you clicked or entered details: **change password**, enable **MFA**, inform IT/bank, run a malware scan. 
 +  - Optional: forward to **reportphishing@apwg.org**.
  
 ---- ----
  
-===== 3Link Safety ===== +===== Visual Example (hover reveals mismatched domain) ===== 
-  * Hover linkstarget stays on the **brand’s real domain** (e.g. `https://accounts.google.com/...`, not `https://google.secure-login.example.com/...`). +{{:picture1.png?400|}}
-  * No link shorteners (bit.ly, tinyurl) or random strings. +
-  * Avoid scanning QR codes from emails.+
  
 ---- ----
  
-===== 4Attachments ===== +===== Country & ccTLD Reference (weak signal only) ===== 
-  * You were expecting an attachment from this sender+^ ISO ^ Country ^ ccTLD ^ 
-  * **Block risky types:** `.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm` +| AF | Afghanistan | .af | 
-  Office/PDF **should not** ask to “Enable Content/Macros”.+| AL | Albania | .al | 
 +| AM | Armenia | .am | 
 +| AO | Angola | .ao | 
 +| AZ | Azerbaijan | .az | 
 +| BA | Bosnia and Herzegovina | .ba | 
 +| BD | Bangladesh | .bd | 
 +| BF | Burkina Faso | .bf | 
 +| BG | Bulgaria | .bg | 
 +| BH | Bahrain | .bh | 
 +| BI | Burundi | .bi | 
 +| BJ | Benin | .bj | 
 +| BM | Bermuda | .bm | 
 +| BN | Brunei | .bn | 
 +| BO | Bolivia | .bo | 
 +| BS | Bahamas | .bs | 
 +| BT | Bhutan | .bt | 
 +| BY | Belarus | .by | 
 +| BZ | Belize | .bz | 
 +| CD | Congo (Democratic Republic) | .cd | 
 +| CF | Central African Republic | .cf | 
 +| CG | Congo (Republic) | .cg | 
 +| CI | Côte d’Ivoire | .ci | 
 +| CL | Chile | .cl | 
 +| CN | China | .cn | 
 +| CO | Colombia | .co | 
 +| CR | Costa Rica | .cr | 
 +| CU | Cuba | .cu | 
 +| CV | Cabo Verde | .cv | 
 +| CY | Cyprus | .cy | 
 +| CZ | Czechia | .cz | 
 +| DJ | Djibouti | .dj | 
 +| DM | Dominica | .dm | 
 +| DO | Dominican Republic | .do | 
 +| DZ | Algeria | .dz | 
 +| EC | Ecuador | .ec | 
 +| EE | Estonia | .ee | 
 +| ER | Eritrea | .er | 
 +| ET | Ethiopia | .et | 
 +| GA | Gabon | .ga | 
 +| GD | Grenada | .gd | 
 +| GE | Georgia | .ge | 
 +| GH | Ghana | .gh | 
 +| GM | Gambia | .gm | 
 +| GN | Guinea | .gn | 
 +| GQ | Equatorial Guinea | .gq | 
 +| GT | Guatemala | .gt | 
 +| GW | Guinea-Bissau | .gw | 
 +| GY | Guyana | .gy | 
 +| HN | Honduras | .hn | 
 +| HR | Croatia | .hr | 
 +| HT | Haiti | .ht | 
 +| HU | Hungary | .hu | 
 +| IN | India | .in | 
 +| IQ | Iraq | .iq | 
 +| IR | Iran | .ir | 
 +| JM | Jamaica | .jm | 
 +| JO | Jordan | .jo | 
 +| JP | Japan | .jp | 
 +| KE | Kenya | .ke | 
 +| KG | Kyrgyzstan | .kg | 
 +| KH | Cambodia | .kh | 
 +| KI | Kiribati | .ki | 
 +| KM | Comoros | .km | 
 +| KN | Saint Kitts and Nevis | .kn | 
 +| KP | North Korea | .kp | 
 +| KR | South Korea | .kr | 
 +| KW | Kuwait | .kw | 
 +| KZ | Kazakhstan | .kz | 
 +| LA | Laos | .la | 
 +| LB | Lebanon | .lb | 
 +| LC | Saint Lucia | .lc | 
 +| LK | Sri Lanka | .lk | 
 +| LR | Liberia | .lr | 
 +| LS | Lesotho | .ls | 
 +| LT | Lithuania | .lt | 
 +| LV | Latvia | .lv | 
 +| LY | Libya | .ly | 
 +| MD | Moldova | .md | 
 +| MG | Madagascar | .mg | 
 +| MK | North Macedonia | .mk | 
 +| ML | Mali | .ml | 
 +| MM | Myanmar | .mm | 
 +| MN | Mongolia | .mn | 
 +| MR | Mauritania | .mr | 
 +| MT | Malta | .mt | 
 +| MU | Mauritius | .mu | 
 +| MW | Malawi | .mw | 
 +| MX | Mexico | .mx | 
 +| MY | Malaysia | .my | 
 +| NE | Niger | .ne | 
 +| NG | Nigeria | .ng | 
 +| NI | Nicaragua | .ni | 
 +| NP | Nepal | .np | 
 +| OM | Oman | .om | 
 +| PA | Panama | .pa | 
 +| PE | Peru | .pe | 
 +| PG | Papua New Guinea | .pg | 
 +| PK | Pakistan | .pk | 
 +| PL | Poland | .pl | 
 +| PR | Puerto Rico | .pr | 
 +| PS | Palestine | .ps | 
 +| PW | Palau | .pw | 
 +| PY | Paraguay | .py | 
 +| QA | Qatar | .qa | 
 +| RO | Romania | .ro | 
 +| RS | Serbia | .rs | 
 +| RU | Russia | .ru | 
 +| RW | Rwanda | .rw | 
 +| SA | Saudi Arabia | .sa | 
 +| SB | Solomon Islands | .sb | 
 +| SC | Seychelles | .sc | 
 +| SD | Sudan | .sd | 
 +| SG | Singapore | .sg | 
 +| SI | Slovenia | .si | 
 +| SK | Slovakia | .sk | 
 +| SL | Sierra Leone | .sl | 
 +| SM | San Marino | .sm | 
 +| SN | Senegal | .sn | 
 +| SO | Somalia | .so | 
 +| SR | Suriname | .sr | 
 +| SS | South Sudan | .ss | 
 +| ST | São Tomé and Príncipe | .st | 
 +| SV | El Salvador | .sv | 
 +| SY | Syria | .sy | 
 +| SZ | Eswatini | .sz | 
 +| TJ | Tajikistan | .tj | 
 +| TL | Timor-Leste | .tl | 
 +| TM | Turkmenistan | .tm | 
 +| TN | Tunisia | .tn | 
 +| TO | Tonga | .to | 
 +| TT | Trinidad and Tobago | .tt | 
 +| TV | Tuvalu | .tv | 
 +| TW | Taiwan | .tw | 
 +| TZ | Tanzania | .tz | 
 +| UA | Ukraine | .ua | 
 +| UG | Uganda | .ug | 
 +| UZ | Uzbekistan | .uz | 
 +| VC | Saint Vincent and the Grenadines | .vc | 
 +| VE | Venezuela | .ve | 
 +| VG | Virgin Islands (British) | .vg | 
 +| VI | Virgin Islands (U.S.) | .vi | 
 +| VN | Vietnam | .vn | 
 +| WS | Samoa | .ws | 
 +| YE | Yemen | .ye | 
 +| YU | Yugoslavia | .yu | 
 +| ZA | South Africa | .za | 
 +| ZM | Zambia | .zm | 
 +| ZW | Zimbabwe | .zw | 
 +| AX | Åland Islands | .ax | 
 +| FO | Faroe Islands | .fo | 
 +| GI | Gibraltar | .gi | 
 +| GL | Greenland | .gl | 
 +| GG | Guernsey | .gg | 
 +| JE | Jersey | .je | 
 +| MF | Saint Martin (French part) | .mf | 
 +| MQ | Martinique | .mq | 
 +| RE | Réunion | .re | 
 +| SX | Sint Maarten (Dutch part) | .sx | 
 +| SH | Saint Helena, Ascension and Tristan da Cunha | .sh | 
 +| PM | Saint Pierre and Miquelon | .pm | 
 +| TF | French Southern and Antarctic Lands | .tf | 
 +| WF | Wallis and Futuna | .wf | 
 + 
 + 
 + 
 +**Notes:*
 + 
 +*.yu* (Yugoslavia) = **retired**.\\ 
 +*.mf* (Saint Martin, FR) = **reserved/not generally in operation**.\\ 
 +**Reminder:** ccTLD/country is a **weak** indicator. Always prioritise **SPF/DKIM/DMARC**, link/attachment analysis, sender reputation, and business context.\\
  
 ---- ----
  
-===== 5) Language & Look ===== +====== WHAT TO DO If You Clicked — And If You Entered Info ====== 
-  Uses your correct name and specific details you recognise+**Audience:** End users (with quick admin notes).\ 
-  No threats, pressure, giveawaysor too-good-to-be-true offers+**Goal:** Fastidiot-proof actions that limit damage.\ 
-  Branding looks normal (not blurry; footer/legal details look standard).+**Use when:** You clicked a suspicious link OR you entered details on a fake site.
  
 ---- ----
  
-===== 6Mail Client Warnings ===== +===== 0TL;DR ===== 
-  * No “External Sender” or “SPF/DKIM/DMARC failed” banners+  * If you only **clicked**: **Disconnect** → **Close browser** → **Clear data** → **Scan device** → **Change passwords** (if prompted/logged in). **Report it**
-  * Not auto-flagged as suspicious by your mail client.+  * If you **entered any info**: **Change that password NOW (from a different device)** → **Enable/confirm MFA** → **Sign out of all sessions** → **Remove risky mail rules / app tokens** → **Notify bank/IT** → **Report it**.
  
 ---- ----
  
-===== 7) Verify Safely (never via email links) ===== +===== 1Scenario A — Clicked the link, did NOT enter anything ===== 
-  Open the website/app yourself from a **saved bookmark** or by **typing** the address+**Within 10 minutes** 
-  Call/message the sender using a **known** number/channel (not the email’s number/link)+  - Disconnect from the internet (Wi-Fi off / Airplane mode) if anything started to download. 
-  * For payment/bank-detail changesperform a **voice check** with your contact.+  - Close the tab/app. If it won’t close, reboot. 
 +  - **Clear only the phishing site’s data**
 +    Chrome/Edge: Menu → Settings → Privacy → Cookies & Site Data → **See all site data** → search the domain → Remove.\\ 
 +    Safari (iOS/macOS): Settings/Preferences → Safari → Advanced → Website Data → search → Remove. 
 +  - Delete any **downloaded** file (especially `.zip .exe .js .scr .bat .ps1 .html .iso .img`) without opening. 
 + 
 +**Within 1 hour** 
 +  - Run security scan:\\ 
 +    * **Windows:** *Windows Security* → Virus & threat protection → **Scan options → Microsoft Defender Offline scan**.\\ 
 +    * **macOS:** Update macOS, then run a full scan if you have reputable AV.\\ 
 +    * **Android:** Play Store → Play Protect → **Scan**.\\ 
 +    * **iOS/iPadOS:** Update iOS; Settings → General → **VPN & Device Management** → remove unknown profiles. 
 +  - If that browser was already **logged in** to email/banking, change those passwords as a precaution. 
 + 
 +**Report** 
 +  - Use **Report phishing** in your mail app and send the message to IT/security.\\ 
 +  Optional public reporting: **[[https://www.scamwatch.gov.au/|ACCC Scamwatch]]**, **[[https://www.cyber.gov.au/report-and-recover/report|ReportCyber (ACSC)]]**, **reportphishing@apwg.org**.
  
 ---- ----
  
-===== 8If Suspicious ===== +===== 2Scenario B — You entered info on the phishing site ===== 
-  Do **not** clickDo **not** replyDo **not** forward (except to IT/security). +Do **all** applicable items below, in this order. 
-  * Use “Report phishing” in your mail appthen delete. + 
-  * If you clicked or entered details: **change password**, enable **MFA**, notify IT/bankrun a malware scan+**A) If you entered your work or personal account password** 
-  Optional: forward a copy to **reportphishing@apwg.org** or report at **[[https://www.scamwatch.gov.au/|Scamwatch (ACCC)]]**.+  - From a **different, clean device**, go change the password **immediately**. 
 +  - Turn **MFA on** (or re-enrol a fresh MFA method). 
 +  - **Sign out everywhere**:\\ 
 +    * Google: myaccount.google.com → Security → **Manage all devices** → Sign out of unrecognised devices; **Third-party access** → Remove unknown apps.\\ 
 +    * Microsoft 365: myaccount.microsoft.com → Security info → **Sign out everywhere**; **Apps & services** → Remove unknown OAuth grants. 
 +  - Check **mail rules** and **forwarding**: 
 +    * Look for auto-forward to unknown addressesreply-to changes, or auto-delete rules. Remove anything suspicious
 + 
 +**B) If you entered card or banking info** 
 +  - Call your bank immediately (use the number on the card/official app) → **block the card** and **dispute** any charges. 
 +  - Turn on transaction alerts. Consider a **temporary credit ban/freeze** with AU credit bureaus (Equifaxillion, Experian)
 + 
 +**C) If you entered ID documents (driver’s licence, passport, Medicare)** 
 +  - Contact the issuing authority to **flag** or **replace** the document number (as per their policy). 
 +  - Get identity assistance: **[[https://www.idcare.org/|IDCARE]]** (AU/NZ identity support). 
 + 
 +**D) If you installed anything or accepted an extension** 
 +  - Uninstall the app/extension. Reboot. 
 +  - Run the scans listed in *Scenario A* (Defender Offline etc.). 
 +  - For managed work devices: **isolate** the device and notify IT to run full EDR scans. 
 + 
 +**E) Tell IT/Security (work accounts)** 
 +  - Send the original email (as attachment if possible) and include: your username, time clicked, data typed, files downloaded, current device state. 
 +  - Expect IT to: force password resets, revoke sessions/tokens, check mail rules, scan hosts, and monitor sign-ins.
  
 ---- ----
  
-===== 9) One-Minute Flow (print-friendly) ===== +===== 3What NOT to do ===== 
-  - Expecting? → From these people? → Account exists?\ +  - Don’t keep browsing the phishing site “to look around.” 
-  - Check From + Reply-To domain → Hover every link → Attachment type safe?\ +  - Don’t reply to the attacker or use links/phone numbers provided in the email. 
-  - Read tone/grammar/branding → Client banners OK?\ +  - Don’t reuse the compromised password anywhere else.
-  - Verify via bookmark/known number → If doubt, report and delete.+
  
 ---- ----
  
-===== Notes for Admins (optional) ===== +===== 4) Aftercare (next 24–72 hours) ===== 
-  * Add your internal report address here: **security@yourdomain.tld**\ +  - Watch your inbox for password-reset emails you didn’t initiate. 
-  * Add your policy page link here: **[[https://portal.yourdomain.tld/security-policy|Email Security Policy]]**+  - Review recent account activity/sign-ins; enable **login alerts**. 
-  * Train users to screenshot headers when reporting.+  - For bankingmonitor transactions; keep your case reference from support. 
 +  - Consider a **security check-up** (Google/Microsoft account security pages).
  
 ---- ----
  
-==== Extra Guidance ====+===== 5) Optional: Template to report to IT ===== 
 +(see [[https://wanip.io|wanip.io]] for info below) 
 + 
 +> **Subject:** Possible phishing — clicked/entered info   
 +> **When:** YYYY-MM-DD HH:MM (local time)   
 +> **From address of email:** (copy/paste)   
 +> **Link hovered/visited:** (full URL)   
 +> **What I did:** Clicked only / Entered password / Entered card# / Downloaded file (specify)   
 +> **Device & OS:** (e.g., Windows 11 laptop)   
 +> **Browser:** (e.g., Chrome)   
 +> **Actions taken so far:** Disconnected, cleared site data, Defender Offline scan, changed password, enabled MFA, notified bank, etc.   
 +> **Attachments:** Original email (.eml/.msg) and any screenshots. 
 + 
 +----
  
-Phishing can (and doesoriginate from every country and from generic TLDs (.com, .net, .xyz, .top, etc.). If you still want a countryURL code map for filtering/awareness, use this rule plus the few exceptions below.+===== 6Quick Reference (one-minute flow===== 
 +  - Clicked? **Disconnect → Close → Clear site data → Scan → Report.**\ 
 +  - Entered info? **Change password (other device) → Enable MFA → Sign out everywhere → Remove mail rules/OAuth apps → Notify bank/IT → Report.**
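Review bot: the new (right-hand) headings `**6) Client warnings*` and `**Notes:*` close bold with a single `*`, so DokuWiki will not render them as bold and the stray asterisk will show in the page; write `**6) Client warnings**` and `**Notes:**`. Related markup point: the trailing single `\` on the **Audience**/**Purpose** lines and in the Quick Reference is not a DokuWiki forced line break; only `\\` followed by a space or newline is, as the **Updated** line already uses. In Scenario B(B), `Equifaxillion` reads as a missing separator between the two bureaus; write `Equifax, illion, Experian`. The **Audience** line now says "End users and admins", but the old "Notes for Admins (optional)" section (internal report address, policy page link, training users to screenshot headers) is removed with nothing replacing it; either keep those three items somewhere in the new text or drop "and admins". In the report template, "Link hovered/visited: (full URL)" invites users to paste a live phishing URL into a mail to IT, where link-rewriting or preview fetching can follow it; consider asking for a defanged form (e.g. `hxxp://` and `[.]`) or a screenshot instead. Lastly, the "Context" list repeats the two "Am I expecting anything" questions already asked under "THINK … (before you click)"; one copy with a back-reference would shorten the checklist.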
  
  
clt_email_legitimacy_checklist.1760650653.txt.gz · Last modified: by thesaint