In an age where e-mail reigns as the major form of communication, people are finding ever more creative ways to obtain your personal information. Technology evolves, and so do the tactics of those who craft email attacks. This is why many of us get hooked by “phishing” emails.
Webopedia defines Phishing as “the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information.”
Phishing attacks that are directed at one person in a more personal manner, rather than at millions of recipients, are also known as Spear Phishing because they are aimed at a particular target. These are more difficult to identify as malicious because they often contain a lot of information that ‘looks’ legitimate. It may include details relevant to your job or to a company or service you actually use.
You may receive an email that claims to be from a company you have done business with, or even from your bank. It may address you by name, state that a recent transaction could not be completed, and ask you to “please click the link below to get more information.” Once you click the link, however, the damage may already be done without you ever being aware that the link was malicious. It could also go further by taking you to a website that looks safe and asks for personal or account information.
Another popular example, common in the workplace, is someone sending you a ‘secure’ attachment to download or unzip. These attacks work similarly to the example above: you think you are unzipping a secured file when in fact it is an executable file that will harm your system and possibly others.
So how do you not take the bait? There are several precautions you can take that will make you a harder catch.
- Look for bad spelling and grammar. While sometimes subtle, these can be the best indicators.
- Be wary of any hyperlinks that they instruct you to click on. One way to see if a link is suspicious without actually clicking it is to move your mouse cursor over the link. If you’re using a webmail client like Yahoo Mail or Gmail, look at the bottom right corner of your browser. This will show you the web address the link would take you to if you clicked on it. Take care in reviewing the spelling of these as well. Some have been known to omit a letter so the address looks close to the real thing. For example: “www.microsoft.com” vs “www.micrsoft.com”. Pretty sneaky, yes?
- Be very cautious of an email that is asking for any personal information. Legitimate companies will not do this via email unless you are actively purchasing something from them or registering for an account. Legitimate Web sites use Secure Sockets Layer (SSL) or other security technology to help protect the personal information that you enter when opening a new account and when signing in to the site thereafter. Security is indicated on your browser’s status bar by a lock icon. Additionally, the Web address is preceded by https:// (note the “s” after http which stands for secure) instead of the usual http:// in the browser’s Address bar.
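The hover check, the missing-letter lookalike and the https check from the list above, turned into a small defender-side script. This is an added example, not code from the original post: it pulls each link out of an HTML message and flags links that are not https, links whose visible text names a different site than the real destination, and links whose host is within two character edits of an assumed allow-list of trusted domains. The sample message and the allow-list are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not from the post): a lookalike domain, a plain-http link, a valid link.
SAMPLE_HTML = """
<p>Your recent transaction could not be completed.</p>
<a href="http://www.micrsoft.com/account">www.microsoft.com</a>
<a href="http://www.microsoft.com/help">Help</a>
<a href="https://www.microsoft.com/account">Microsoft account</a>
"""
TRUSTED_DOMAINS = ("www.microsoft.com",)  # assumed allow-list of sites you really use

class _LinkCollector(HTMLParser):
    # Collect (href, visible text) pairs, the same thing hovering reveals one link at a time.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):
    """Return (href, reason) for every link that fails one of the post's checks."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append((href, "not https"))
        if "." in text and text.lower() != host:  # visible text names a different site
            findings.append((href, "display text does not match destination"))
        for trusted in TRUSTED_DOMAINS:
            if host != trusted and edit_distance(host, trusted) <= 2:
                findings.append((href, f"lookalike of {trusted}"))
    return findings
```

Running `check_links(SAMPLE_HTML)` flags the first link three times (plain http, mismatched display text, one-letter lookalike), the second link once for plain http, and the third link not at all.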
With all this in mind, here are a few rules of thumb to help you in the future:
- Don’t click links in emails that look suspicious.
- Do not download attachments from people you don’t know.
- Never reply to emails that request personal information.
- You can also help by reporting any phishing attempts to firstname.lastname@example.org.
Image source: http://tinyurl.com/n39ebhj