Salesforce highly recommends phishing education for all Salesforce users. Most cyber attacks use malware (malicious software) to infect a computer with malicious code designed to steal passwords or data, or to disrupt an entire computer or network. Fortunately, you don’t need to be a security expert to help stop malware.
Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails typically look as though they come from a legitimate organization (e.g., package delivery, payroll, IRS, social networking) and may contain links to what appears to be that organization's site but is actually a fake site, or an attachment designed to install malware and capture information. As these scams get more sophisticated, it can be tough to know whether an email is real or fake. Below are some recommendations you should make to your Salesforce users for reviewing their email (see our Security Advisories page for examples of recent scams):
- Review the subject line for unexpected messages and awkward language
- Verify the person and organization (e.g., hover over the sender name and URLs, but do not click)
- Don’t click suspicious attachments (e.g., strange name or format)
- Do not give away credential information (e.g., username, password) unless you are sure the email is from a trusted sender
- Double check the language (e.g., grammar, spelling)
- Be wary of urgent and immediate messages, especially messages asking for money
If you or any of your users are unsure whether a Salesforce email is legitimate, forward a copy of the suspicious email as an attachment to security@salesforce.com. Please include the word "phish" or "malware" in the subject line to indicate that the email is a suspected phishing email.
For instructions on how to forward an email as an attachment using Gmail, see "Send emails as attachments" in Google Support.