Tech Sense July 2023: Phishing
Updated: 4 days ago
This month I thought I would revise an article I wrote about three years ago. This year I am thinking about my vacation and fishing, so I thought about writing about phishing. I wrote the original article in September of 2020. I thought it might be a good time because some major recent attacks have occurred through fishing.
Phishing is a form of social engineering where the goal is to collect sensitive information about a person using subterfuge. Normally this is done by mimicking a company or a person through communication channels like email, text messages, or spam telephone calls. The amount of compromised personal information over the years allows these perpetrators to personalize the communications making them appear authentic.
Spear phishing attacks target specific individuals or small groups of people. These attacks typically include specific information to make the communication seem to be legitimate. The information they are trying to collect includes passwords, social security numbers, bank account numbers, and credit card numbers. Sometimes phishing emails have been used to have direct payments sent to the criminals or to infect your computer with malware allowing the criminals to collect the information quietly as you use your computer or phone.
You may receive an email from a bank, it might even be a bank that you use. The email says your online access to your account will be blocked unless you act now and verify your credentials. They may even show the first few digits that appear on the bottom of your checks. A button says click here. When you click, you are brought to what seems to be the logon screen for the bank. You type in your login id and password. At this point you have been compromised. The screen may show an “account not found” error page and ask you to log in again, in which case it redirects you to the real bank site and you log in not realizing you have already been hijacked.
This is just one example of how an email phishing attack may work.
Other messages may appear to be job offers, offers of gifts, or for a gift card by filling out a survey. There is no job, gift, or gift card. These messages may even reference friends and acquaintances since they may have been hacked as well. Something like; I just spoke with our mutual friend Sally, and she thought you might really like this lipstick, so I sent you a link to get a free sample.
So how do you protect yourself? First make certain that your email service provides a spam filter. If you are using Gmail, Yahoo, AOL, MSN, or Outlook these large providers will automatically recognize a lot of these emails and filter them out marking them as spam. Many email services block images and links for email senders that are not recognized. Even so a few dangerous emails will still get through.
For these, look at the full email address of the sender, not just the name. Does the part of the email address after the @ match the domain? If the mail claims to be from mybank.com does the email address have @mybank.com at the end? If not, it is suspicious, don’t open it; just mark it as SPAM.
Look for misspellings and grammatical errors. Most business communications are carefully reviewed before being sent. Scammers often have limited experience writing in English and typically make errors. If you see these errors, the message is suspect.
Never click on a link or image in an email even if it is from someone you know. If you recognize the business, then go directly to their website by typing the URL in the browser address bar. You can also use a whois service to lookup the domain.
If you are positive, you know the person (remember their email may have been compromised) contact them and ask them to verify the email and then copy and paste the URL into the browser address bar. Again, do not click the link that appears in the email.
The issue with phishing has become so dangerous for companies; they have started to send fake phishing messages to their employees to help them learn to recognize the threat. If an employee clicks on a link or otherwise responds to the phishing message, the employee gets training, learning to recognize these types of emails.
To further protect yourself, make sure you are using Multi-factor Authentication (MFA) on all of your important accounts. MFA will require that you enter a number generated by an authenticator application like Authy or Google Authenticator or receive and enter a number received by text message, email, or a voice message over the phone. Also, be prepared to change your password if fooled into revealing it to a fake website.
Phone phishing has become much more serious as well. Today almost all SPAM calls are phishing. This includes callers claiming to be from the cable companies, utility companies, and solar roofing companies. Just hang up. If you think there might be a chance the call is real, tell them you will call them back and then call the listed number for the company, not a number that the caller offers. Never give them bank or credit card numbers, even if they say you need to pay the bill. You might get a call that claims you are late on your bill and you need to pay it immediately, and you can pay with a credit card over the phone, or even pay with gift cards. Just hang up and call the real company if you think the story might be true (it will not be). If you have a phone blocker, add this number to the block list.
Do not give donations over the phone to anyone that calls you. If you feel the cause is worthy, ask them to send you information in the mail telling them you will decide then and will mail a check. Do not commit to an amount. I also suggest you look up the calling organizations; many are actually political action committees or other frauds and not charities.
Never purchase gift cards to pay someone who calls you. Legitimate organizations do not accept gift cards as a form of payment. Never put cash in the mail even if they tell you “Your nephew was arrested in a remote city and needs cash for bail”. Never meet someone to pay a debt someone calls you about on the phone.
Text Message Phishing
While less common, SMS and MMS text messaging services are also used for phishing attacks. If you do not recognize the source of the message, then block it on your phone. If you continue to get messages from the same source reply with the word STOP. If the messages continue contact your phone provider. Do not reply except with a simple STOP. Do not give the sender any information, do not follow or touch any links. Most of the phone companies are offering free blocking of text messages once you have marked the messages as SPAM.
Whenever I receive spam mail, I label the email as junk mail so that any further emails from the company would immediately go to my SPAM folder.
Next month is “Back to School” and then I hope to start a series on Spreadsheets. Until then, keep your information private, and stay safe and healthy.