Phishing: Don’t Take the Bait

No, this post is not about something that is fun and entertaining. It’s not a misspelling of a relaxing sport that involves trying to catch tuna, trout, or salmon with a pole, reel and hook. Nor is it about an American rock band with a dedicated following.

So, what is phishing?

Even though it sounds like the two others, the phishing we’re talking about here is a serious cybercrime attack that casts a wide net hoping to ensnare as many people as possible using forged emails, telephone calls or texts with malicious attachments. According to the FTC, “Phishing is when you get emails, texts or calls that seem to be from people you know. But they’re actually from scammers. They want you to click on a link or give personal information (like a password) so they can steal your money or identity, and maybe get access to your computer.”

There are several variations of phishing. Spear-phishing is a more targeted attack on a specific group of people, with attached malicious documents or embedded malicious links that are carefully crafted to look valid to the recipient. CEO Fraud is a phishing variant that goes after the “big fish,” or those with the access rights to confidential data or financial authorizations to transfer funds.

There is another (even weirder!) kind of scam called dog-phishing (or dog-fishing), where someone poses with another person’s pooch on dating websites to attract matches, because it makes them seem more nurturing. According to one website, “Sure, dating is ‘ruff’ — but this is doggone wrong!”

Unlike spear-phishing attacks, CEO Fraud or dog-phishing, phishing attacks are not usually personalized to their victims, and are usually sent to masses of people at the same time. The goal of phishing attacks is to send a spoofed email (or other communication) that looks as if it is from an authentic organization to a large number of people, banking on the chances that someone will click on that link and provide their personal information or download malware.

Watch out for these Red Flags and scam tip-offs

Here are some common characteristics of phishing attacks, to help you steer clear of them.

  • A generic “hello” greeting. Phishing emails don’t use your name because they are sent en masse and not personalized.
  • Offers that seem too good to be true. Lucrative offers and eye-catching or attention-grabbing statements and/or graphics are designed to attract attention.
  • A sense of urgency. A favorite tactic with cybercriminals is to tell you to act fast within a limited time, sometimes within minutes. Reputable companies usually give you ample time to respond.
  • Hyperlinks that aren’t what they appear to be. Hovering over the link shows you the actual URL you will be directed to when you click on it. It can be completely different from the text shown, or the same as a popular website’s address with a misspelling. So look carefully.
  • Attachments to any email you weren’t expecting. Don’t open it. It could contain ransomware or viruses.
  • An unusual sender. Whether it looks like it’s from someone you know or from a stranger, if anything seems weird, out of the ordinary, unexpected, or out of character, if it comes from a company you don’t have an account with, or if it just seems suspicious in general, don’t click on it.
  • Sent at an unusual time. Look at the time the email was sent. Did you receive a business email at a non-business time, like at 3:00 a.m.?
  • The email content is out of the ordinary. Does it have spelling or grammar errors?
  • Asks for personal information, like passwords or account numbers.
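As an added example (not part of the original post), the script below turns the red flags above into simple checks that can be run over a message: a generic greeting, urgency language, a request for passwords or account numbers, link text that does not match the real destination, an unexpected attachment, and an odd send time. The sample message, its addresses and its .test domains are constructed for the example; treat the score as a prompt to look closer, not as a verdict.

```python
"""Score an email against the phishing red flags above (heuristics only)."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

URGENCY = re.compile(r"\b(immediately|act now|urgent|suspended|within \d+ (minutes|hours))\b", re.I)
CRED_ASK = re.compile(r"\b(password|account number|social security|pin code)\b", re.I)
GENERIC = re.compile(r"\b(dear|hello|hi)\s+(customer|user|member|valued \w+)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def domain(text: str) -> str:
    """Host part of a URL or bare domain; '' if the text is not one (e.g. 'Log in here')."""
    m = DOMAIN.match(text.strip())
    d = m.group(1).lower() if m else ""
    return d[4:] if d.startswith("www.") else d

def score_email(raw: str) -> dict:
    msg = message_from_string(raw)
    flags, body = [], ""
    for part in msg.walk():  # text parts feed the body checks; attachments are flagged
        if "attachment" in part.get("Content-Disposition", ""):
            flags.append(f"unexpected attachment: {part.get_filename()}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if GENERIC.search(body): flags.append("generic greeting")
    if URGENCY.search(body): flags.append("sense of urgency")
    if CRED_ASK.search(body): flags.append("asks for personal information")
    for href, shown in ANCHOR.findall(body):  # visible link text vs. real destination
        seen = domain(re.sub(r"<[^>]+>", "", shown))
        if seen and seen != domain(href):
            flags.append(f"link shows {seen} but goes to {domain(href)}")
    try:  # hour as written in the Date header, i.e. in the sender's own time zone
        hour = parsedate_to_datetime(msg["Date"]).hour
        if hour < 6 or hour >= 22: flags.append(f"sent at {hour:02d}:00")
    except (TypeError, ValueError): pass
    return {"score": len(flags), "flags": flags}

def constructed_phish() -> str:
    """Constructed sample message; the .test domains are invented, not real sites."""
    m = EmailMessage()
    m["From"], m["To"] = "Security <alerts@examp1e-bank.test>", "you@example.test"
    m["Subject"], m["Date"] = "Account suspended", "Tue, 03 Mar 2020 03:12:00 -0500"
    m.set_content("Dear Customer, your account is suspended. Confirm your password within 2 hours.")
    m.add_alternative('<p>Dear Customer, your account is suspended. Confirm your password '
                      'within 2 hours at <a href="http://examp1e-bank.test/login">'
                      'www.example-bank.test</a></p>', subtype="html")
    m.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf", filename="notice.pdf")
    return m.as_string()

if __name__ == "__main__":
    print(score_email(constructed_phish()))
```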

How phishing scammers can “bait” you

Even when you look out for Red Flags, scammers can still try to lure you in with their tricks and schemes.

  • Scammers use familiar company names or pretend to be someone you know. They send a text or ‘spoofed’ email or even call you in a way that makes it appear to be from a friend, family member, or an employee of a trusted organization like your bank, credit card company, government agency or phone company.
  • The bait may look and sound like a legitimate request. The scammers might even have personal information about you, like your date of birth or password.
  • They often say they need your information now, to protect your account, to help a loved one in trouble, or to confirm login or password information and warn that something bad will happen if you do not act immediately.
  • They ask you to give sensitive information like passwords or bank account numbers, or they ask you to click on a link. If you click on the link, they can install malicious programs that can lock you out of your computer or enable them to access your personal or financial information, even from outside the country.

What can you do to avoid the “hook” or recover from an attack?

Though hackers are constantly coming up with new techniques, there are some things that you can do to protect yourself and your organization. Just remember these three words:

  1. Prevent
    Keep your computer and mobile device security software up to date. And, be sure to regularly change and update passwords and authentication codes. Back up your data on a cloud-based account, so you can quickly restore information after a compromise. You can also install robust spam filters to identify malicious emails and do not open suspicious emails, links or attachments. Instead, call the organization that supposedly sent the email to see if it’s legitimate.
  2. Detect
    Detect and alert IT when an account is compromised at work. Some protection software detects both account takeover attempts and attacks launched from compromised accounts. By analyzing both historical and inbound data there is software that is able to identify behavioral, content, and link-forwarding anomalies within your organization, and to flag and quarantine fraudulent emails. You can also prevent attempts to compromise employee credentials by automatically blocking targeted phishing emails that try to harvest employee passwords.
  3. Remediate
    Remove all malicious email sent by a compromised account. Change security settings to enable multi-factor authentication. Above all, report phishing emails to spam@uce.gov… and to the company, bank, or organization impersonated in the email. You also may report phishing email to reportphishing@antiphishing.org. The Anti-Phishing Working Group, a group of ISPs, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing. (For more information about phishing, visit ftc.gov/phishing.)

We wholeheartedly agree with Berkshire Hathaway CEO Warren Buffett, who warned in a recent interview that cyber attacks (like phishing) are a threat on par with nuclear, biological, and chemical weapons, “…having disastrous consequences beyond anything insurers now contemplate.”

That’s why it’s so important for you to prepare yourself and NOT take the bait!