Don’t take the bait: Tips to help prevent phishing
I received an email recently that appeared to be from UPS, alerting me to a delivery. It looked perfectly legitimate and I was waiting for a package, so I nearly clicked through — but realized just in time it was a phishing scam.
The Anti Phishing Working Group reported that phishing scams increased during the first three quarters of 2015. Losses due to these scams run into billions of dollars, not counting the unquantified losses related to sensitive or commercially valuable data.How phishing works
Phishing emails look like official communications from real companies, but they aren’t. They’re imitations. By posing as a trustworthy entity, the scammers want to fool you into giving them valuable information, such as your usernames, passwords, and credit card numbers. They may also be trying to infect your computer by directing you to a website full of malware, again giving them access to your personal information or sensitive information relating to your business.
Watch for common phishing tactics, often emails purporting to be from popular social web sites, auction sites, banks, online payment processors, and IT administrators. Instant- and text-messaging can also be used. The spoof communication will often direct users to enter details at a fake website whose look and feel are almost identical to the legitimate one.Spear phishing
A variation on this scam is spear phishing, as it’s more targeted. These types of emails seem to come from a trustworthy source. This kind of attack is usually aimed at obtaining access to confidential data. These are typically not random attacks but are more likely to be conducted by perpetrators out for financial gain, trade secrets, or military information. The criminals may also intend to install malware on a target’s computer.
Cybercriminals may have done a lot of research to help their communications appear genuine, often personalizing their approach using social engineering techniques. These scams are becoming more difficult to detect because they are often cleverly customized. Even high-ranking targets within organizations, like top executives, can find themselves opening emails they thought were safe. That slip-up enables cybercriminals to steal data they need.7 tips to help you
- Keep your inbox tidy, to make it easier to spot a phish. Start by unsubscribing from offers and newsletters you don’t really want.
- Look closely at emails, including URLs (see below for more on this).
- Delete suspicious emails.
- If you receive a questionable email, contact the business directly to verify the message.
- Always go directly to websites you want to visit rather than clicking a link.
- Never open attachments or links in emails from unknown senders.
- Also be on guard with emails from people you know. If it seems suspicious or contains a seemingly random link, it may have come from a hacker impersonating someone else.
Several recent phishing attacks have been directed specifically at senior-level business targets. Known as whaling, spoof emails are often very convincingly crafted to target individual employees. The email might take the form of a legal subpoena, customer complaint, or executive issue, apparently from a legitimate authority. The executive is fooled into going to a site infected with malware to enable the theft of sensitive information. To help prevent this, raise awareness among your employees that unsolicited emails should always be treated with suspicion, and encourage everyone to complete security awareness training. See also my recent post on masquerading.Checking URLs
Phishing emails often try to take you to fraudulent websites. But the fraudulent site can’t have the same URL as the genuine website. To check the URL, hover on the link you’re thinking of clicking, and you should see the URL displayed. As an example, a Bank of the West URL will generally have: http://www.bankofthewest.com as part of the URL. A phishing URL, however, might look something like this: http://bankofthewest.otherdomain.com. In this case, “bankofthewest” is attached to another domain name (otherdomain.com). URLs like this are the ones to avoid.
Phishing attacks are increasing because they are often successful. Being alert and using the tips and information above can help you avoid being vulnerable to fraud and theft of your information.