Sunday, June 28, 2015

How to catch a phish

Email and SMS texting inboxes everywhere are full of spam and phishing messages. The goal of each is to social engineer* you into clicking a link, opening an attachment or responding with personal identifying information (PII) about yourself.

In many cases, just replying to a questionable email message (or text message) is enough to get you added to a database owned by spammers or tricksters. Why? Because by responding you're letting the sender know that your email address is "live" and being monitored by a human. That's why it's called phishing—if you reply, click the link or open the attachment, you've taken the bait.

Phishing attempts also occur by phone and, albeit rarely, in person; so it is important that we remain on the alert for these social engineers at all times. These guys are getting better and better at composing fake messages that appear to be from someone you know or some organization that you do business with. Know that it is very, very easy to "spoof" the name of the sender on the "From:" line. Anyone can fake the name that appears in that field in the message. Just because it says "From: Aunt Geraldine," doesn't mean that your Aunt Geraldine initiated, wrote or sent the email to you.

How can you tell when an email message might be an attempt at social engineering?

Remember, it's not always easy to tell if a message is safe. But, if you have any suspicions whatsoever about a message, treat it as suspicious until you are 100% convinced otherwise. Here are some potential red flags:
  • The message is unexpected.
  • The message is unwanted.
  • The message is alarming.
  • The message contains a hyperlink.**
  • The message contains an attachment—a file that you can click to open (which is essentially the same thing as downloading the file to your machine).
  • It appears that the message is from someone you know, but the language, tone, or verbiage is unusual; it just does not sound like something your acquaintance would say or write.
  • The grammar or spelling is bad, as if written in a language other than the writer's primary language.
  • The email tells a story about someone you love being in jail or other dire straits.
  • The message is regarding a dire emergency requiring funds.
  • The message is asking for funds. Period.
  • You have won something.
  • You need to reset your password.
  • You're over your email storage limit.
  • You have a delivery. (UPS and FedEx do not email you unless you sign up for delivery notifications. Even then, be wary of such notifications if any part of them is out of sorts.)
If any of these things raise a hair with you, investigate the email more closely before proceeding; or, unless it might be extremely important (and valid), delete it.

Any more tips?

  • Use a very strong password on your email account, and make sure it isn't the same as any of your other passwords. 
  • Avoid using Hotmail or Yahoo email accounts. (Those seem to be the most hacked email accounts out there, but don't quote me on that. Any account using weak credentials like a short password can be hacked.)
  • Enable spam filtering. Providers like Google enable spam filtering automatically—or allow you to configure your email settings yourself to enable it. Many Internet service providers (ISPs) that provide you with broadband access in your home (like your cable or phone company) offer spam filtering. If not, there are plenty of reputable anti-virus (AV) software companies that provide spam filtering with their AV software.
  • Don't open email messages that land in your spam or Junk email folders. Delete these unless you are 100% certain that they are not, in fact, spam or suspicious.
  • If you receive a lot of unwanted SMS text messages, check with your cellular service provider about blocking these.
  • In email, redirect suspicious emails to your spam folder or Junk folder. (See your email service provider or email client application provider for instructions.)
  • If you are able to determine that an unsubscribe link provided in an email is safe to click, use it to be removed from a marketing email list. When in doubt, do not click; call the vendor instead.
  • Delete, delete, delete.

*If you are not familiar with social engineering, read this truly informative book by former hacker Kevin Mitnick: The Art of Deception. Everyone should read this book. Your children should read this book when they are old enough to understand the concept of deceit, scamming and trickery.

** Consider living by this rule: Never click links in email or text messages. Until/unless you are tech savvy enough to determine the real URL behind the link and know whether that URL points to a trusted domain or not, it's better to launch your web browser and navigate to the known web site yourself instead of clicking an inline link.
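For readers who do want to see the real URL behind a link, and the real address behind a "From:" name, here is a small Python sketch. It is an added example, not part of the original post; the sample message is constructed, and the `TRUSTED` list and all domain names in it are placeholder assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bank.example"}  # assumption: domains you already do business with

# Constructed sample message, not a real phish.
SAMPLE = """\
From: "Aunt Geraldine" <billing@mail.example.net>
Subject: Please reset your password
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://bank.example.login.example.net/reset">https://www.bank.example/reset</a>
or visit <a href="https://www.bank.example/help">our help page</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_trusted(host):
    # Match the domain itself or a true subdomain, never a mere substring.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def inspect_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))  # display name vs. actual address
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    links = []
    for href, text in parser.links:
        real = host_of(href)                           # where the click really goes
        shown = host_of(text) if "://" in text else ""  # URL the reader sees, if any
        links.append({"real_host": real, "trusted": is_trusted(real),
                      "text_mismatch": bool(shown) and shown != real})
    return {"display_name": name, "address": addr, "links": links}
```

On the sample, the first link shows a `bank.example` address in its text but actually points to a host under `example.net`, which is exactly the mismatch to look for.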
