Something smells “phishy”

Here at Life Abridged we’ve covered how to handle internet trolls, the lurking losers who stir trouble online with their verbal wrath. But what also permeates our email and social media interactions is another unwelcome party: phishers. And no, they have nothing to do with fake ham, or the band Phish.

[Image: a Spam truck] No, not this kind of Spam

If you’re lucky, your email client filters most of the obvious gems: “Mr. Rudy Shoeshine from Seoul will give you a cash reward for sending xxxx to xxxx” (egregious typographical errors and revolting grammar mistakes removed for your reading sanity). And if you’ve grown up in the internet age, you know not to reveal financial or confidential company information to unknown recipients. Nothing new there.

But frighteningly, the messages reaching our inboxes are appearing more and more legitimate. Attackers are using the same branding, fonts, and formats as real companies. I recently received a “LinkedIn” notification with the company’s recognizable blue logo and identical font—plus flawless grammar—telling me “Scott Green” is still awaiting confirmation of his request. I compared it to a real LinkedIn notification. Almost a mirror image. I’ve received direct messages (DMs) via Twitter from actual friends, telling me to look at pictures. Luckily, I hadn’t seen the person in 10 years, but if it had been a close friend, I may have fallen for it.

Beyond the obvious precautions, here is a tutorial on the art of phishing and its progression, and what you can do about it.

Social Engineering

An attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. He/she may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity.

Phishing

Phishing, a form of social engineering, uses email or malicious websites to pose as a trustworthy organization. Phishing attacks often occur during emergency situations, taking advantage of vulnerable or uncertain times to extract personal information. Such events include:

  • natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • epidemics and health scares (e.g., H1N1)
  • economic concerns (e.g., IRS scams)
  • major political elections
  • holidays

What Can You Do?

  • It’s a no-brainer to be cautious of all communications. But if you’re unsure of a message’s legitimacy, hover your mouse over the link (without clicking) and look at the address it actually points to. Does the domain match the company name? Or does the display text say something like “Visit Facebook” while the link actually goes to downanddirtyxxx.com?
  • If it doesn’t match, delete the message and change your password. You can also forward it to the Federal Trade Commission at spam@uce.gov.
  • Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.
  • Multiple companies reported that 43% of their employees are susceptible to attacks. At work you may feel secure relying on your IT Department’s security software, but your coworkers may be the ultimate problem.
  • Install a phishing filter on your email application and also on your web browser.
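The “hover over the link” check from the list above, done in code. This is an added example and not part of the original post: it scans a constructed sample email for links whose visible text names one site while the href points somewhere else. The sample message and the small brand-to-domain table are assumptions made for the example.

```javascript
// Added example (not from the original post): do the "hover over the link" check in code.
// SAMPLE_EMAIL_HTML is a constructed message; BRANDS is an assumed brand-to-domain table.
const SAMPLE_EMAIL_HTML = `
  <p>Your LinkedIn connection is still awaiting confirmation.</p>
  <a href="https://www.linkedin.com/notifications">View on LinkedIn</a>
  <a href="http://linkedin.example-login.net/confirm">www.linkedin.com/confirm</a>
  <a href="https://www.facebook.com/">Visit Facebook</a>
  <a href="https://downanddirtyxxx.example/">Visit Facebook</a>
`;
const BRANDS = { linkedin: 'linkedin.com', facebook: 'facebook.com', twitter: 'twitter.com' };

// Last two labels of a hostname ("www.linkedin.com" -> "linkedin.com").
// Assumption: no public-suffix list, so country-code domains like .co.uk are not handled.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Pull (href, visible text) pairs out of the HTML; tags inside the anchor text are dropped.
function extractLinks(html) {
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Flag a link when its visible text names a domain or a known brand that the href does not go to.
function suspiciousLinks(html) {
  const flagged = [];
  for (const { href, text } of extractLinks(html)) {
    let host;
    try { host = new URL(href).hostname; } catch (e) { flagged.push({ href, text, reason: 'unparseable href' }); continue; }
    const linkDomain = baseDomain(host);
    const domainInText = text.match(/([a-z0-9-]+\.)+[a-z]{2,}/i);
    if (domainInText && baseDomain(domainInText[0]) !== linkDomain) {
      flagged.push({ href, text, reason: `text shows ${baseDomain(domainInText[0])}, link goes to ${linkDomain}` });
      continue;
    }
    for (const [brand, domain] of Object.entries(BRANDS)) {
      if (text.toLowerCase().includes(brand) && linkDomain !== domain) {
        flagged.push({ href, text, reason: `mentions ${brand}, link goes to ${linkDomain}` });
        break;
      }
    }
  }
  return flagged;
}
```

Running `suspiciousLinks(SAMPLE_EMAIL_HTML)` flags the two look-alike links and leaves the two genuine ones alone; the brand table is the part you would extend for the companies your users actually deal with.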

Resources

U.S. Computer Emergency Readiness Team

Information Sharing & Analysis Center
