Security and Privacy

How Not to Go Phishing

What is phishing?

Phishing is the act of trying to obtain information from someone by impersonating someone else in an electronic communication, such as email. Attackers commonly send emails with links or attachments that try to extract information from you or even take control of your computer.

Why should I care about phishing?

Attackers use phishing emails to get access to your sensitive and confidential information. They commonly impersonate a trusted person or company in an attempt to collect enough information to steal your identity, or to steal confidential information from your employer. These emails can also carry attachments containing malware that can infect your computer when opened.

Attackers are very sophisticated these days and can easily set up bogus websites that steal your information without you realizing it, or without you realizing it until it is too late. For example, an attacker can send you a link to a very real-looking but “fake” website that prompts you for information (e.g. name, address, telephone, bank account information, credit card information, social security number) that they can then use for personal gain.

List of phishing techniques

  • Phishing
    • Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.
  • Spear Phishing
    • Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.
  • Clone Phishing
    • A type of phishing attack whereby a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a re-send of the original or an updated version of the original.
    • This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
  • Whaling
    • Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

How can I spot a phishing attempt via email?

  • Determine who is sending the email. Is it from a trusted source, or from an address that you don’t recognize? Look at the actual sender address, not just the display name.
  • Is the sender asking you to click on a link or open an attachment? Scrutinize it before taking any action!
    • If links are provided, hover over them to see where you would actually be directed. If the email claims to be from a known entity but the link points somewhere else, do not click on it. Clicking would confirm to the sender that they reached an active email address, and they may continue to target you in future phishing attacks.
    • If an attachment is included, only open it if you trust the sender. You can always scan it for viruses before opening it, to make sure it does not contain one.
  • Pay close attention to the body of the email. If you spot misspellings or bad grammar, be cautious.
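The two checks above (who really sent the email, and whether a link goes where its text says it goes) can be automated for an HTML email. The following Python script is an added example and is not part of the original post; the two sample messages, the placeholder `.test` domains and the `TRUSTED_DOMAINS` set are all constructed for illustration. It parses the message with the standard library, compares the sender’s address domain against the trusted set, and, for each link, compares the domain shown in the link text with the domain the `href` actually points to.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this example (not from the original post).
# Every domain is a placeholder under the reserved .test TLD.
PHISHY_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.test>
To: user@example.test
Subject: Action required: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://examp1e-bank-login.test/verify">www.example-bank.test/secure</a> to verify.</p>
<p>Or visit our <a href="https://www.example-bank.test/help">help center</a>.</p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <alerts@example-bank.test>
To: user@example.test
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Sign in at <a href="https://www.example-bank.test/statements">www.example-bank.test/statements</a>.</p>
</body></html>
"""

# Domains the recipient actually has a relationship with (assumed for the example).
TRUSTED_DOMAINS = {"example-bank.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of a bare 'www.host/path' string as shown in link text."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname (www.example-bank.test -> example-bank.test).
    A real filter would consult the public-suffix list; this is enough for the sample."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_address(text):
    """True if the link text is presented as a web address rather than plain words."""
    return "." in text and " " not in text


def analyze_email(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Check 1: who is really sending this? Use the address domain, not the display name.
    sender = msg["From"].addresses[0]
    sender_domain = registrable_domain(sender.domain.lower())
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")

    # Check 2: do the links go where they say they go? (the automated form of "hover over it")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    collector = LinkCollector()
    collector.feed(html_part.get_content())
    for href, text in collector.links:
        target = registrable_domain(host_of(href))
        if looks_like_address(text):
            shown = registrable_domain(host_of(text))
            if shown != target:
                findings.append(f"link text shows {shown!r} but points to {target!r}")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link {href!r} points outside trusted domains")
    return findings


if __name__ == "__main__":
    for name, raw in (("phishy", PHISHY_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", analyze_email(raw) or ["no findings"])
```

Run as a script it reports three findings for the first message (untrusted sender domain, link text that shows one domain while pointing at another, and a link outside the trusted set) and none for the second. The lookalike “examp1e” domain is exactly the kind of difference that is easy to miss by eye but trivial to catch once the displayed and actual domains are compared as strings.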

What to do?

  • Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don’t ask for this information via email or text.
  • The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond.
  • Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
  • Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a “refund.” But a local area code doesn’t guarantee that the caller is local.
  • If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.

Report Phishing Emails

Forward phishing emails to spam@uce.gov – and to the company, bank, or organization impersonated in the email. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

If you might have been tricked by a phishing email:

  • File a report with the Federal Trade Commission at www.ftc.gov/complaint.
  • Visit the FTC’s Identity Theft website. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.