Don’t Click On Strange Links: 6 Tips To Avoid Phishing Attacks

ForbesWeekly - FRONT PAGE - BY BRAD MOON, CONTRIBUTOR

It seems as though we can’t go a day without news of another big data breach. Already this year, we’ve had a reported data leak for 320,000 Time Warner Cable customers, an eBay security flaw that has reportedly exposed millions of users of that website to the risk of spear phishing campaigns, and the Director of National Intelligence has had his email account hacked by the same group that hacked CIA Director John Brennan’s email account in 2015.

Many of the recent high-profile security breaches started with or provided the means to launch sophisticated phishing attacks. Here’s what you need to know about phishing and how to protect yourself:

What Is Phishing (And Spear Phishing)?

The basic method is for cyber criminals to send out a mass email containing an attachment or a hyperlink. The attachment is malware and any hyperlink will be to a website masquerading as something legitimate. The goal is to trick the email recipient into downloading the attachment (exposing their computer to the malware), or into clicking the link to a website that may be infected with malware. The website may also ask for confidential data such as credit card numbers to be entered.

The scarier version of phishing is known as “spear phishing.” This is where things get personal and the criminal attacks an individual using information they’ve collected about them. Spear phishers can find personal data on social media sites or score valuable sensitive data from a big online hack. That eBay security issue made it even tougher to detect spear phishing attacks because it let the criminals actually display their malicious webpage within eBay’s website, making their version appear to be completely legitimate.

How bad could it be? If an unsuspecting user were to click the email link, land on what appears to be eBay.com (but is actually a malicious site) and log in as requested, the hackers now have their user name and password. From there, they have full access to the user’s account, including credit card info. Using that information, they can also try logging in to other websites (many people reuse the same password), email accounts and corporate accounts.

According to a 2015 National Counterintelligence and Security Center (NCSC) presentation, 47% of adult Americans had been the victim of a security breach in the past three years and 91% of those victims fell prey to spear phishing.

Those are scary statistics, but here’s how you can protect yourself:

1. Asking for personal information is a red flag.

Few (if any) websites, banks or businesses will ask you for confidential personal or financial information by email. If you receive an email requesting you to supply this information, you should treat the request with suspicion.

2. Check the sender’s email address.

The first phishing giveaway is often the sender’s email address. Even if the email itself looks legitimate, that address often stands out as being questionable. For example, if you receive an email from Apple and the sender’s address is AppleSupport765@hotmail.com, this is clearly not really from Apple.

3. Watch for links and attachments.

The objective of a phishing attack is usually to get you to download an attachment or to click on a link. Use extreme caution with attachments: they can be disguised malware that will infect your computer. Don’t click links within an email that you are at all suspicious of. What looks like a legitimate hyperlink can be a disguised link to a criminal website. When in doubt, hover your mouse over the text of the hyperlink (you should see the full URL, which will help to show whether it leads to a legitimate website) or, better yet, open a browser window and manually type in the address yourself to prevent it being redirected.

If you receive an email from someone you know, with apparently nonsensical or out-of-character text, don’t click on anything. In all likelihood, their email account has been hacked and all of their contacts are now targets of a spear phishing attack.
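Tips 2 and 3 can both be checked mechanically. The Python script below is an added example, not part of the article: it compares the brand a sender’s display name claims against the actual sending domain, and performs the “hover over the link” check by comparing the host named in a link’s visible text with the host its href really points to. The brand table and the sample headers and HTML in the test are constructed for this illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table of brands and the domains their mail is expected to come from (not exhaustive).
EXPECTED_DOMAINS = {"apple": ("apple.com",), "ebay": ("ebay.com",)}

def sender_mismatch(from_header):
    """Tip 2: flag a display name or mailbox that claims a brand while the domain is not that brand's."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    claimed = f"{name} {local}".lower()
    for brand, domains in EXPECTED_DOMAINS.items():
        if brand in claimed and not any(domain == d or domain.endswith("." + d) for d in domains):
            return f"claims {brand} but sent from {domain}"
    return None

class _LinkCollector(HTMLParser):
    """Gathers (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def deceptive_links(html):
    """Tip 3, the hover check done in code: visible text names one host but the href leads elsewhere."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()
        shown = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text, re.I)
        # A bare "ebay.com" in the text is still honest if the real host is a subdomain of it.
        if shown and shown.group(1).lower() != real and not real.endswith("." + shown.group(1).lower()):
            findings.append((text, real))
    return findings
```

Links whose visible text is plain words such as “Click here” carry no host to compare, so they are not flagged; they still deserve the manual hover check the article recommends.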

4. Typos are a red flag.

For some reason, cyber criminals seem reluctant to invest in copy editing. One of the easiest ways to spot an email sent as part of a phishing attack is typos. Most that I receive are full of spelling errors, poor grammar and syntax, and ugly text layout.

5. When in doubt, contact the supposed sender.

Sometimes the bad guys pull things together and manage to generate a spear phishing campaign that’s really difficult to detect. The email appears to come from a legitimate source, it references something that could be legitimate (like a recent purchase you made) and it’s polished and official looking. If you’re not expecting this email, pick up the phone and call the originating company’s customer service, or send an email directly to their customer service to verify they sent it.

6. Install security software and be smart about passwords.

As an added layer of defense, security software is never a bad idea. Some Internet security packages have a feature that automatically detects and blocks fake websites, adding a failsafe in case you accidentally click on a link you shouldn’t. And it goes without saying that you should be using a unique password for each website where you are required to log in. If you’re a phishing victim, this can help to contain the damage.

If you follow these steps, you will minimize your risk of becoming a spear phishing victim. For further information on protecting yourself against phishing and spear phishing attacks, check out the NCSC’s website.
