Phishing and other unsavory scams
What is 'Phishing'?
Phishing is similar to fishing in a lake, but instead of trying to capture fish, criminals/hackers attempt to hook you and collect your account information or personally identifiable information (PII) through carefully crafted emails or social media (Facebook, Twitter, etc.) links.
The methods might include impersonating a friend, an important colleague or a well-known organization. The messages might contain a "get rich quick" scheme or a threat of punishment or a fine. More refined attacks include organizational logos and graphics to add legitimacy. They can be very convincing, and their goal is to get a few of us to click their links or open their attachments and so infect our systems.
Phishing is not Spam.
Phishing differs from Spam (not the Hormel product) in that spam is unsolicited bulk email, typically a form of advertising, without a "payload" (an attachment or a link to a website that could deliver malware). Phishing is designed to get the recipient to "take the bait" and put themselves at risk. Here is some information on dealing with Spam.
Variations of Phishing
- Vishing (AKA Phowning) is phishing over the telephone, typically using Voice over Internet Protocol (VoIP). This might be a call to prospective victims from an automated phone system, or a message directing victims to call an automated system which then attempts to collect their account information or PII.
- SMiShing is where the attacker uses SMS (texting) to convince a victim to download malware (viruses, etc.) onto their computing device.
- Pharming redirects traffic intended for legitimate websites to bogus websites that are set up with malware or that directly prompt users for PII in order to perform identity theft. Alternatively, "Pharmed" sites could be set up by hacktivists to display a political propaganda message.
- Spear phishing uses email purportedly from someone you know (for example, someone in your organization) to ask you to click a link or download an attachment or file that installs malware on your computer.
- Whaling is a form of phishing that targets executives and other high-profile targets in an organization.
What should you do?
Identify phishing
Phishing is not always easy to identify, but there are a few key indicators that suggest a message may be Phishing:
- The message conveys some type of urgency.
- The message implies some sort of reward or a way to stop a "penalty".
- The message is unexpected.
- The message does not address you by name.
- The message does not contain a signature block or similar information identifying the sender.
- The message asks for your user ID, password or other personally identifiable information.
- The message looks like it may come from a trusted (or known) source such as:
  - A government agency (IRS, US Postal Service, FDIC, etc.)
  - A large nonprofit organization (Red Cross, etc.)
  - A bank or credit card company
  - A retailer
  - A service company (UPS, Fairpoint, Eversource, etc.)
- The message uses poor grammar or punctuation (this is becoming less common).
- The message has links that send you to a different website than the known good site for the organization (e.g. to fdic.com instead of fdic.gov). You can usually spot this by hovering over the link (placing the mouse cursor over it without clicking) and observing the destination shown. If that destination doesn't relate to the rest of the message, this is a phishing message and that site is hostile!
- The reward for responding is "too good to be true".
Respond to phishing
Once you have analyzed the message and think you may be the victim of a phishing attack, take the following steps:
DO the following:
- Report it to the actual company represented in the email (but not by clicking on the email link). Search for the company with your web browser; you can usually find a "contact us" page that refers to phishing and spam.
- If you have a web-filter service, forward the email to them.
- Send a copy to the FTC: firstname.lastname@example.org or the Anti-Phishing Working Group: email@example.com
Do NOT do the following:
- Do not reply to the email. A reply may tell the hacker who has been affected, or flood a victim whose address was used as the sender.
- Do not open file attachments from the email.
- Do not open links in the email.
When all of the above is done, delete the email.
Protect yourself from Phishing.
The best defense against phishing is a dose of skepticism. Always watch for the following when receiving emails:
Emails from unknown sources which:
- Contain an attachment or a link that they suggest you open.
- Have a different email address or link than the one you believe to be legitimate (e.g. the message claims to come from a US government agency but the address ends in .com or in a two-letter country code, or differs slightly from the one you expect).
- Have a link that does not go to the same address as the one displayed on your screen. You should validate all links in emails by hovering over them with your mouse pointer and looking at the box that appears, to ensure that the link is sending you to the same place.
- Contain content which tries to create fear or panic by WARNING you or saying LIMITED TIME or URGENT; this is sometimes paired with the threat that your account may be/has been closed or that you will need to pay a large fee.
- Start with a generic greeting like "Dear Sir" or "Dear User". This implies that they know your email address but not your name.
- Do not have a "signature block" with the sender's name and contact information.
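The two link checks above (the displayed address differing from where the link really goes, and the destination not matching the known-good domain of the organization named, e.g. fdic.com instead of fdic.gov) can be automated over an HTML email body. The following Python is an added example, not code from the original article; the KNOWN_GOOD table and SAMPLE_EMAIL are constructed for it.

```python
# Added example (not from the article): flag links in an HTML email body whose
# visible text, or the organization it names, does not match where the href really
# goes. KNOWN_GOOD and SAMPLE_EMAIL are constructed for this example.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_GOOD = {"fdic": "fdic.gov", "irs": "irs.gov", "usps": "usps.com"}  # name -> real domain

def registrable_domain(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])  # last two labels of the host

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str) -> list[str]:
    parser = LinkCollector()
    parser.feed(html)
    reasons = []  # one reason string per link that fails either check
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dest = registrable_domain(host)
        # Check 1: the text shows an address, but the href points somewhere else.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != dest:
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
            continue
        # Check 2: a named organization's known-good domain differs from the href.
        for org, good in KNOWN_GOOD.items():
            if re.search(rf"\b{org}\b", text + " " + href, re.I) and dest != good:
                reasons.append(f"mentions {org.upper()} but link goes to {host}, not {good}")
                break
    return reasons

SAMPLE_EMAIL = """<a href="http://www.fdic.com/verify">https://www.fdic.gov/verify</a>
<a href="http://secure-irs-refund.example/claim">Claim your IRS refund</a>
<a href="https://www.usps.com/track">www.usps.com</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first two links and passes the genuine USPS link; a real mail gateway would pair this with a maintained table of organizations and their domains.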