How to Protect Yourself from Phishing

Thanks for subscribing to our newsletter! As promised, here is how you can protect yourself from “phishing” attacks:

Geek For Hire provides onsite service throughout the Denver/Boulder Front Range for Macs and PCs
(and printers, and routers, and viruses, and…)

Call us for an appointment:

(303) 618-0154

Phishing – What is it? Definition from Wikipedia (emphasis is mine)

  • Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
  • Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate one and the only difference is the URL of the website in concern. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that distribute malware.
  • Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security.

Phishing – What is it? Definition from the SEC (emphasis is mine)

  • “Phishing” involves the use of fraudulent emails and copy-cat websites to trick you into revealing valuable personal information — such as account numbers for banking, securities, mortgage, or credit accounts, your social security numbers, and the login IDs and passwords you use when accessing online financial services providers. The fraudsters who collect this information then use it to steal your money or your identity or both.
  • “When fraudsters go on “phishing” expeditions, they lure their targets into a false sense of security by hijacking the familiar, trusted logos of established, legitimate companies. A typical phishing scam starts with a fraudster sending out millions of emails that appear to come from a high-profile financial services provider or a respected Internet auction house.”
  • “The email will usually ask you to provide valuable information about yourself or to “verify” information that you previously provided when you established your online account.”

What do they hope to gain?

By obtaining your personal info, “phishers” can:

  • Take over your email and spam your contacts with phishing emails
  • Use your credit card or withdraw funds from your bank account
  • Insert viruses or other malware into your computer (Yes, this can happen even on Macs!)

What you need to do

  • Part of keeping yourself safe from phishing is being aware. You should scrutinize each email and text message you receive before replying or clicking on any link.
  • Especially if you have a business, you need to make sure that a “phisher” doesn’t send out messages that look like they’ve come from you.
  • Knowing what to look for is the first step in keeping safe. Follow the tips on the next few pages.

The email “SUBJECT”

  • Does it make sense?
    • “Message for you 50iR”
    • “Your SIM deactivated”
    • “iC756310237”
  • Does it match the text of the email?
  • Is it inflammatory, alarming, or “too good to be true”?
    • “Your Mobile number is deactivated in all bank accounts”
    • “We need you to confirm your email right now”
    • “Success at Last!”
    • “Invoice #12345”
    • “Important, View Attachment”

The email “TO” address

  • Who is the email addressed to?
  • Is it sent “TO” you or are you bcc’d?
  • Is it to an email that you seldom use?
  • Is the email “TO” address nonsensical?

The email “FROM” address

  • Is it from a real company?
  • Is it from YOU? Has the sender spoofed the “FROM” address to appear that you sent this email to yourself?
  • Is it a corporate email, or from gmail, yahoo, or other free email address?
  • Look closely at the info to the right of the “@” sign. Does it end in “.com”, “.gov”, or “.edu”?  Or does it end in “.jp”, “.ir”, “.ru”, “.ng”, or another two letter country code?

The salutation

  • Is the salutation appropriate for the relationship you have with the supposed sender?
  • I’ve received “business” emails which begin:
    • “My dear”
    • “Belove one”
    • “Dearest”
    • “Greeting to you”
  • Most legitimate companies use some sort of mail merge and may include your name in the greeting. Most legitimate businesses will NOT include a salutation.

The main body of the email message

Most corporations will send all messages through their Communications department, and will generally not have any errors. Read the message carefully!

  • Check for spelling errors – is the company name spelled correctly? Are there other obvious spelling errors?
  • Check for grammatical errors – are the tenses correct?
  • Check for punctuation errors – are spaces used unnecessarily? Are there random parentheses or arrows?

Links to websites and phone numbers

  • In general, never click on links within an email.
  • If you are viewing emails on your phone, wait until you are on your computer before clicking on any links, or replying.
  • Once you are in front of your computer, hover over the link to see the actual URL. Is it Amazon.com, or Amazom.com? Is it from GoDaddy.com or Goddypuddy.in? Is it Rackspace or Rack space? Watch the spelling, the spacing, and everything to the right of the @ sign!
  • Never click on a shortened link. You can’t really tell where it will be redirected. That applies to clicking on links on Facebook, LinkedIn, Twitter, Instagram, etc. too! These include “bit.ly”, “goo.gl”, “ow.ly”, “buff.ly”, and “tinyurl.com”.
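As an added example (not part of the original newsletter), here is a small Python script that applies two of the checks above to a whole message: the “look to the right of the @ sign” check on the FROM address, and the hover check on every link in the body, flagging free-mail senders, shortened links, and link text that names a different host than the one the link actually points to. The message it scans is constructed for the demonstration, and the list of free-mail providers is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "goo.gl", "ow.ly", "buff.ly", "tinyurl.com"}  # named on the page
FREE_MAIL = {"gmail.com", "yahoo.com"}  # assumption: the free providers the page mentions
# Simple anchor pattern; enough for the sample, a real tool would use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(text):
    """Lowercase hostname of a URL or bare domain; '' when the text is not one."""
    text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags inside link text
    if " " in text or "." not in text:
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def check_message(raw):
    """Return red flags found in a raw email: free-mail sender, shortened or mismatched links."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[2].lower() in FREE_MAIL:  # what is right of the @ sign
        flags.append(f"sender uses a free mail address: {addr}")
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        real, shown = host_of(href), host_of(text)
        if real in SHORTENERS:
            flags.append(f"shortened link: {href}")
        elif shown and shown != real and not real.endswith("." + shown):
            # e.g. the text reads Amazon.com but the link really goes to amazom.com
            flags.append(f"link text says {shown} but goes to {real}")
    return flags

# Constructed sample (not a real phishing email) that trips all three checks.
SAMPLE = """From: "Amazon Support" <amazon-support@gmail.com>
To: you@example.com
Subject: We need you to confirm your email right now
Content-Type: text/html

<p>Dear customer, visit <a href="http://www.amazom.com/verify">Amazon.com</a>
or <a href="http://bit.ly/xyz">click here</a> today.</p>
"""

if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("!", flag)
```

Run against a saved `.eml` file, it lists each red flag on its own line; a message with none returns an empty list.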

The closing

  • Just like the salutation, the closing of an email can be telling.
  • Some of the messages I’ve received end with:
    • “Wishing you much peaceful”
    • “Favorite wishes”
  • Does the signature line include the person’s phone number, email, and address? Self-identification helps to make sure the message is legit! When you hover over any of their linked info, does it go where it says it will?

Tips from Trend Micro

Here are some recommendations to help protect users from falling victim to phishing scams.

  • Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.
  • Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.
  • As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.
  • Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.
  • Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.
  • Users should not be frightened or intimidated by messages that have an alarmist tone. They should double-check with the company if they are uncertain about the status of their accounts.
  • Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.
  • Although not every end-user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.
  • Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.
  • Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.
  • It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.
  • If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.

Source: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-identifying-and-mitigating-phishing-attacks

Other Tips

  • Look over each email carefully
  • If the message is from a friend and includes an unexpected attachment, call them to be sure they sent it. (Use a different channel for confirmation.)
  • Always hover over any links before clicking to make sure it will take you where you expect to go.
  • If it looks like it might be a fake message, but you’re not sure, contact the company directly. Use a website or phone number you already have. Don’t click on the links or call the phone numbers listed in the email.

More Tips

  • Remember to change your passwords frequently. The passwords for your bank accounts and email, especially, should be changed at least once a month.
  • If you have been hacked, immediately change your passwords using your smartphone, tablet, or a different computer.

Conclusion

  • Do you think you may have been hacked? Give us a call to clean up your machine!
  • Do you have a great anti-virus? We’ve been using and recommending this one for years. Even the best anti-virus won’t catch all malware, but this one does a great job.