Beltsville News

Tech Sense: Phishing Attacks by John Bell

Phishing Attacks

Continuing our series on security and privacy protection, this month we look at phishing. Phishing is a form of social engineering whose goal is to collect sensitive information about a person through subterfuge. Normally, this is done by impersonating a company or a person through communication channels like email, text messages, or spam telephone calls. The amount of personal information that has been compromised over the years allows the perpetrators to personalize these communications, making them appear authentic. Spear phishing is an attack targeted at a specific individual or small group of people; it typically includes specific details about the target to make the communication seem legitimate. The information the attackers are trying to collect includes passwords, Social Security numbers, bank account numbers, and credit card numbers. Phishing emails have also been used to get payments sent directly to the criminals, or to infect your computer with malware that quietly collects information as you use your computer or phone.

Email Phishing

You may receive an email from a bank, possibly even a bank that you use. The email says your online access to your account will be blocked unless you act now and verify your credentials. It may even show the first few digits that appear on the bottom of your checks. A button says "click here." When you click, you are taken to what looks like the bank's login screen. You type in your login ID and password. At this point, you have been compromised. The screen may then show an "account not found" error page and ask you to log in again, this time redirecting you to the real bank site, so you log in without realizing your credentials have already been stolen. This is just one example of how an email phishing attack may work.

Protect Yourself

So how do you protect yourself? First, make certain that your email service provides a spam filter. If you are using Gmail, Yahoo, AOL, MSN, or Outlook, these large providers will automatically recognize many of these emails and filter them out, marking them as spam. Many email services also block images and links from senders that are not recognized. Even so, a few dangerous emails will still get through.

For these, look at the full email address of the sender, not just the display name. Does the part of the email address after the @ match the domain the message claims to be from? If the mail claims to be from mybank.com, does the sender's address end in @mybank.com? If not, it is suspicious: don't open it; just mark it as SPAM.
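The sender check described above can be automated. The following is an added example written for this column, not something from the original article: it takes a raw From: header, separates the display name from the real address, and decides whether the address domain genuinely belongs to the claimed domain. The sample headers, the bank name mybank.com, and the function names are all constructed for illustration.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header.

    parseaddr separates the friendly display name from the actual address,
    so 'MyBank Security <alerts@mybank-verify.net>' yields 'mybank-verify.net',
    not the bold name the mail client shows.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def domain_matches(actual: str, claimed: str) -> bool:
    """True when `actual` is `claimed` itself or a subdomain of it.

    'alerts.mybank.com' matches 'mybank.com'. 'mybank.com.evil.net' and
    'mybank-secure.com' do not: the string 'mybank.com' appearing somewhere
    in the address is not enough, the address must END in '.mybank.com'.
    """
    actual = actual.lower().strip(".")
    claimed = claimed.lower().strip(".")
    return actual == claimed or actual.endswith("." + claimed)


def check_sender(from_header: str, claimed_domain: str) -> str:
    """Classify a From: header against the domain the message claims to be from."""
    domain = sender_domain(from_header)
    if not domain:
        return "no address"
    return "match" if domain_matches(domain, claimed_domain) else "suspicious"


# Constructed sample headers (hypothetical, not real messages), all claiming
# to come from mybank.com. Only the first two come from that domain.
SAMPLE_HEADERS = [
    "MyBank <alerts@mybank.com>",
    "MyBank Security <noreply@alerts.mybank.com>",
    "MyBank <security@mybank.com.evil.net>",
    "mybank.com <help@mybank-secure.com>",
    "MyBank Support",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{check_sender(header, 'mybank.com'):<11} {header}")
```

Note what the check relies on: a display name is free text and can say anything, so only the domain after the @ is compared, and it must match the whole registered domain, not just contain it. A sender can still forge the From: address outright; that is what your mail provider's sender-authentication checks (SPF, DKIM, DMARC) are for, which is one reason the column recommends a provider with a good spam filter.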

Look for misspellings and grammatical errors. Most business communications are carefully reviewed before being sent. Scammers often have limited experience writing in English and typically make errors. If you see these errors, the message is suspect.

Never click on a link or image in an email, even if it is from someone you know. If you recognize the business, go directly to its website by typing the URL into the browser address bar. You can also use a WHOIS service to look up who registered the domain and when.

If you are positive you know the person (remember, their email account may have been compromised), contact them and ask them to verify the email; then copy and paste the URL into the browser address bar. Again, do not click the link that appears in the email.

Text Message Phishing

While less common, SMS and MMS text messaging services are also used for phishing attacks. If you do not recognize the source of the message, block it on your phone. If you continue to get messages from the same source, reply with the word STOP. If the messages continue, contact your phone provider. Do not reply except with a simple STOP. Do not give the sender any information, and do not follow or touch any links.

Final Notes

This morning I received an unsolicited email from a company wanting me to send an order for custom manufactured circuit boards. I checked out the domain and discovered that the company website was not listed on Google and that the domain was registered just last year in China, not in Japan, where the company claimed to be located. I labeled the email as junk mail so that any further emails from the company would immediately go to my SPAM folder.

Next month I think I will discuss phone phishing and how several scams that are operating in this area work. Until then, keep your information private, and stay safe and healthy.
