Vendor-Tech

Operational Excellence with Technology

Phishing Anyone?

No, it’s not time to enroll in your local bass fishing tournament.

This article is about a different kind of fishing, spelled phishing. When spelled phishing, it’s referring to when someone tries to get sensitive information from someone else by posing as someone they're not.

As P.T. Barnum is credited with saying “There's a sucker born every minute," which is what people or groups doing phishing are hoping unsuspecting recipients will be.

You don’t want to be one of them.

Most phishing has taken place through email, but more and more phishing attempts are being made via social media, such as Facebook.

Facebook phishing attempts often appear as wall posts of a friend, or from a friend, that mimic those automatic postings many websites now include as part of a sign up process. When you click on the link supplied, often a malicious app is installed into your Facebook profile. Alternatively you are taken to what looks like a legitimate website and asked to complete a form that includes the sensitive information the person doing the phishing is after.

Very often a phishing email will appear to be from some bank or other institution you might have an account with. Very recent phishing emails have even appeared to be from the IRS, which pretty much never is willing to send any information via email.

Visually, a phishing email will usually look like it’s from the real source. Getting accurate visual elements is easy since they can be copied from legitimate emails or the company’s website.

Sometimes, if the phishing email is not sophisticated, you might notice slight grammar or spelling mistakes.

Other times, the phishing is sophisticated and the message you get looks like it from the legitimate source in every way.

That makes it really tough to know if a given email is legitimate or not.

And the link you clicking will actually appear to be legitimate, taking you to a site that also looks just like the one you might be expecting.

Often the only clue is the URL (web address) isn’t “quite” right. For instance, the web address you are expecting is www.example.com and the actual link is to a web address like www.example.co or www.example.com.ag.

Another common ruse is to show the legitimate web address like www.example.com, but the hyperlink actually is a different web address, taking advantage HTML’s ability to have any text link to another place like this link (which will take you to www.example.com).

Plus the email will appear to come from the legitimate source, taking advantage of the SMTP “flaw” of being able to spoof, or forge, email headers, which include the from address. Often this forging is so sophisticated that you can only see the real sender’s identification if you can see the entire email header records, which most email programs hide.

So how to you avoid getting hooked?

The best defense is a healthy dose of paranoia, especially when it comes to emails and Facebook posts.

After clicking on a link that supposed to have shown me additional Facebook analytics that installed an app I still can’t uninstall, I now pretty much ignore any wall posts on my profile, or any friends’ profile, that might be interesting. If a post sounds really interesting, I’ll use Google to find the legitimate URL for what’s being offered.

Similarly, I never, ever click on any link in an email that might be from any institution that I might have an account with. I’ll manually type the web address into my web browser. More and more legitimate emails from financial institutions, etc. don’t include a link, but direct you to manually go to their website using the main web address.

And beware of emails purporting to be from a company you don’t do business with. What prompted this article was an email from a domain registrar about my domain renewal. The problem was all my domains are registered with one company, and it wasn’t the company that sent the email in question. Had I clicked on the link and “renewed” my domain, I would have been actually starting a transfer to the new company and you can bet it wouldn’t have been at the great rate I get on domain registrations. And I might end up finding I don’t even own my domain any more, if I had authorized the transfer I might not have noticed the domain owner also was changing.

If you accidently follow a link you shouldn’t have, and gave some information you shouldn’t have, the first thing you should do is log on to the legitimate website and change your password. While you are there, check to see if the phishing has already accessed your account. Of course, if they have changed your password before you got there, get on the phone right away! Even if all you can accomplish right away is to get your account locked while they sort it out, at least you are minimizing future damage.

And go to any other websites where you might have used the same password and change the password for all those sites. Most people use the same password over and over, and these identity thieves know that. In fact, the account that was compromised might not be their real target. I know better and have to admit that I have a more limited selection of passwords I use. I have been a whole lot better than I have been in the past, but I still have a lot of accounts with shared passwords.

The bottom line is the bad guys are trying harder, and far more often, to steal valuable information from you. You have to be ever vigilant.

Blog Tags: