Gone Phishing!

So, you’ve just gotten an email from eFax saying there is an important fax waiting for you? Not so fast, bub. Something from your bank saying you’re overdrawn and your account is frozen? Hold the phone! The IRS says you owe back taxes?? WHOA!! Don’t touch that mouse!

All of the above are collectively known as “Phishing,” i.e. the sending of fraudulent emails intended to trick you into giving your personal information to some lowlife, who will proceed to make your life miserable.

This is usually done by including a link in the email that will take you to an allegedly legit site, but it’s a fake site that just looks legit. Sometimes, it’s a poisoned attachment instead, but (hopefully!) most of us know by now not to open unsolicited attachments.

Phishing comes in a number of different forms.

  • One common approach, although not the most effective, is the “Dear Bank Customer” (or Amazon, or PayPal, or any other site) email that tells you there is a problem with your account and asks for your passwords or other personal information.
  • Spear Phishing targets a particular individual or company. An attacker can gather enough information about the person or company to increase the success rate. This form of attack is more likely to catch someone than the “Dear Customer” type.
  • Clone Phishing takes a legitimate email and “clones” it, changing only the link to that of a nefarious site instead of the real one.

There are many tricks the Phishers use; for instance, for those of us who actually look at the URL in our browser’s address bar (always a good idea!), the address may say

thebank.badguy.com.

You’d think that this is a section of the “thebank” website, but it’s actually a section of the “badguy” website, and has no relation to the “thebank” website other than name. Look at your address bar now. It starts with https://thegizmologist.wordpress.com. The website is wordpress.com, and the “thegizmologist” is my blog space on wordpress.com. Now if you look at my website: http://thegizmologist.com/html/blog.html, notice the sections of the site are separated by slashes instead of “dots.” There’s the difference. thebank/badguy.com is “the bank’s” website (maybe with an article on how not to get scammed), while thebank.badguy.com is the “bad guy’s” website. What a difference a dot makes!

There are many ways to defend against phishing.

  • The most important, from the standpoint of the end user, is to pay attention. If the grammar is bad, the email is impersonal (Dear PayPal customer), it promises dire consequences if you don’t act Right Now, the sender’s address is strange looking, or anything else makes you the least bit uncomfortable, it’s probably not the real thing. If you’re worried it just might be legit, close your email, and type the company’s web address in your browser rather than clicking a link.
  • If you hover your mouse pointer over a link, the bar at the bottom of your web browser or email program will tell you where the link actually leads. If it looks like it leads somewhere other than where it says it leads, don’t go there! See Clone Phishing.
  • The best thing you can do is label all such emails as spam and delete them immediately. Some email systems allow you to specifically label an email “Phishing.”
  • Any legitimate banking site will have its address start with https://, not http://. The extra “s” stands for “secure,” and there will usually also be a “padlock” symbol next to the address. Some shopping sites will only have their cart and checkout sections secure. Never enter any personal information unless you see “https.”
  • Some internet security suites have “anti-phishing” filters built in, which may help.
  • The Web of Trust, which I’ve talked about before, won’t stop the emails, but can be very helpful in identifying bad sites, including known phishing sites.
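The two checks above that you can do by eye, reading the host name dot by dot to see who really owns thebank.badguy.com, and hovering over a link to compare where it says it goes with where it actually goes, can also be done by a mail filter. The following Python is an added example written for this post; it is not code from the original article or from any product it mentions. The sample URLs and the short HTML “email” are constructed for illustration, and the owner-of-the-domain rule is deliberately simplified (last two labels of the host), where a real filter would consult the Public Suffix List.

```python
# Added example (not from the original post): which site does a link really go to?
# Two checks a mail filter could apply to a suspicious message:
#   1. For a URL, find the host and the "owner" domain (the part the sender
#      controls), so "thebank.badguy.com" is reported as badguy.com.
#   2. For an HTML link, compare the site the visible text claims to be with
#      the real href target, the same thing the "hover" tip reveals by hand.
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Simplified owner domain: the last two labels of the host.
    Real tools use the Public Suffix List so that e.g. example.co.uk works.
    Returns "" for a bare single label such as "localhost"."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


def link_owner(url: str) -> str:
    """Return the domain that controls this URL ("" if it has no usable host)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return registrable_domain(parsed.hostname or "")


class _LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def mismatched_links(html: str) -> list:
    """Return (text, href) pairs where the visible text looks like a URL or
    host name but the href actually leads to a different owner domain."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for text, href in collector.links:
        looks_like_url = "." in text and not any(c.isspace() for c in text)
        shown = link_owner(text) if looks_like_url else ""
        if shown and shown != link_owner(href):
            suspicious.append((text, href))
    return suspicious


# Constructed sample message: one link lies about its destination, one is honest.
SAMPLE_EMAIL = """
<p>Dear Bank Customer, your account is frozen. Log in at
<a href="http://thebank.badguy.com/login">https://www.thebank.com/login</a>
or read our <a href="https://www.thebank.com/security">security tips</a>.</p>
"""

if __name__ == "__main__":
    for url in ["thebank.badguy.com",
                "http://www.thebank.com/badguy",
                "https://thegizmologist.wordpress.com"]:
        print(f"{url:40} is owned by {link_owner(url)}")
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print(f"MISMATCH: link shows {text!r} but really goes to {href!r}")
```

Run as a script, it reports that thebank.badguy.com belongs to badguy.com while www.thebank.com/badguy belongs to thebank.com, and flags the first link in the sample email because its visible text names thebank.com while its real target is badguy.com; the “security tips” link is left alone because plain words make no claim about a destination.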

Finally, phishing is not limited just to email. Those phone calls from “Microsoft Technical Support” are the same sort of thing. There has also been some phishing via snail mail, although those are rare since postage can run into serious money.

For more information:

https://en.wikipedia.org/wiki/Phishing#List_of_phishing_types

For even more empowering technology info, read my new book, “Deciphering the 21st Century,” available now!


I’d love to hear your comments!
