Don’t Click On Strange Links: 6 Tips To Avoid Phishing Attacks
It seems as though we can’t go a day without news of another big data breach. Already this year, we’ve had a reported data leak affecting 320,000 Time Warner Cable customers, an eBay security flaw that has reportedly exposed millions of that website’s users to the risk of spear phishing campaigns, and the Director of National Intelligence has had his email account hacked by the same group that hacked CIA Director John Brennan’s email account in 2015.
Many of the recent high-profile security breaches started with or provided the means to launch sophisticated phishing attacks. Here’s what you need to know about phishing and how to protect yourself:
What Is Phishing (And Spear Phishing)?
The basic method is for cyber criminals to send out a mass email containing an attachment or a hyperlink. The attachment is malware, and any hyperlink leads to a website masquerading as something legitimate. The goal is to trick the email recipient into downloading the attachment (exposing their computer to the malware) or into clicking the link to a website that may be infected with malware. The fake website may also ask for confidential data, such as credit card numbers, to be entered.
The scarier version of phishing is known as “spear phishing.” This is where things get personal and the criminal attacks an individual using information they’ve collected about them. Spear phishers can find personal data on social media sites or score valuable sensitive data from a big online hack. That eBay security issue made it even tougher to detect spear phishing attacks because it let the criminals actually display their malicious webpage within eBay’s website, making their version appear to be completely legitimate.
How bad could it be? If an unsuspecting user were to click the email link, land on what appears to be eBay.com (but is actually a malicious site) and log in as requested, the hackers now have their user name and password. From there, they have full access to the user’s account, including credit card info. Using that information, they can also try logging in to other websites (many people reuse the same password), email accounts and corporate accounts.
According to a 2015 National Counterintelligence and Security Center (NCSC) presentation, 47% of adult Americans had been the victim of a security breach in the past three years and 91% of those victims fell prey to spear phishing.
Those are scary statistics, but here’s how you can protect yourself:
1. Asking for personal information is a red flag.
Few (if any) websites, banks or businesses will ask you for confidential personal or financial information by email. If you receive an email requesting you to supply this information, you should treat the request with suspicion.
2. Check the sender’s email address.
The first phishing giveaway is often the sender’s email address. Even if the email itself looks legitimate, that address often stands out as being questionable. For example, if you receive an email from Apple and the sender’s address is AppleSupport765@hotmail.com, this is clearly not really from Apple.
3. Watch for links and attachments.
The objective of a phishing attack is usually to get you to download an attachment or to click on a link. Use extreme caution with attachments: they can be disguised malware that will infect your computer. Don’t click links within an email that you are at all suspicious of. What looks like a legitimate hyperlink can be a disguised link to a criminal website. When in doubt, hover your mouse over the text of the hyperlink (you should see the full URL, which will help to show whether it leads to a legitimate website) or, better yet, open a browser window and type the address in yourself, so the link cannot redirect you.
If you receive an email from someone you know, with apparent nonsensical or out-of-character text, don’t click on anything. In all likelihood, their email account has been hacked and all of their contacts are now targets of a spear phishing attack.
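Tips 2 and 3 both come down to comparing what an email claims with what it actually contains: the display name against the real sender domain, and the visible link text against the URL the link really points to. The script below is an added example, not code from the original article, that automates those two comparisons over a constructed sample message. The brand-to-domain allow-list (`BRAND_DOMAINS`) and the sample email are invented for the demonstration; a real deployment would use your organisation’s own list of legitimate sender domains.

```python
"""Flag two common phishing tells in an email:
 1. the From display name names a brand, but the address domain is not one of
    that brand's domains (tip 2);
 2. a hyperlink's visible text names one host while its href points to another
    (tip 3, the same thing hovering over a link reveals).

Added illustration, not the article's code. The allow-list and the sample
message are constructed for this demo.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of brand name -> domains it legitimately mails from.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "ebay": {"ebay.com"},
}


def registrable_domain(host: str) -> str:
    """Crude last-two-labels domain; adequate for .com-style hosts in this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(from_header: str) -> list[str]:
    """Return findings when the display name claims a brand the address domain is not part of."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header has no usable address"]
    domain = registrable_domain(addr.split("@", 1)[1])
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            findings.append(f"display name mentions {brand!r} but address domain is {domain}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list[str]:
    """Return findings for links whose visible text names a different domain than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Visible text may be a bare host ("www.ebay.com") or a full URL; add a
        # scheme so urlparse treats it as a network location.
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." not in text_host:
            continue  # plain words such as "click here" make no host claim
        if registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


def analyse(raw_email: str) -> list[str]:
    """Run both checks over a raw RFC 822 message with a single HTML body part."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    findings += check_links(msg.get_payload())
    return findings


# Constructed sample with both tells present (hosts under .test are reserved for examples).
SAMPLE = """From: Apple Support <AppleSupport765@hotmail.com>
To: user@example.com
Subject: Your account
Content-Type: text/html

<p>Verify your account at <a href="http://login.example-bad.test/ebay">www.ebay.com</a>
or <a href="https://www.apple.com/">click here</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("FLAG:", finding)
```

Run it and the two findings printed are exactly the two tells the article describes: a brand name in the sender field that does not match the sending domain, and link text that names eBay while the underlying URL goes elsewhere. The second `<a>` is not flagged because "click here" makes no claim about where it leads; checking that one is what tip 3’s hover advice is for.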
4. Typos are a red flag.
For some reason, cyber criminals seem reluctant to invest in copy editing. One of the easiest ways to spot an email sent as part of a phishing attack is typos. Most that I receive are full of spelling errors, poor grammar and syntax, and ugly text layout.
5. When in doubt, contact the supposed sender.
Sometimes the bad guys pull things together and manage to generate a spear phishing campaign that’s really difficult to detect. The email appears to come from a legitimate source, it references something that could be legitimate (like a recent purchase you made) and it’s polished and official looking. If you’re not expecting this email, pick up the phone and call the originating company’s customer service, or send an email directly to their customer service to verify they sent it.
6. Install security software and be smart about passwords.
As an added layer of defense, security software is never a bad idea. Some Internet security packages have a feature that automatically detects and blocks fake websites, adding a failsafe in case you accidentally click on a link you shouldn’t. And it goes without saying that you should be using a unique password for each website where you are required to log in. If you’re a phishing victim, this can help to contain the damage.

If you follow these steps, you will minimize your risk of becoming a spear phishing victim. For further information on protecting yourself against phishing and spear phishing attacks, check out the NCSC’s website.