Beware of Phishing & Email Scams


What is phishing?

Individuals and organizations spend a small fortune purchasing technology and security services, but their computers and confidential information could still remain vulnerable to old-fashioned human manipulation. Social engineers manipulate people into speaking/acting contrary to their normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information.

Social Engineering attacks have been steadily increasing for years. One example of this is phishing, which is a form of social engineering perpetuated over digital communications like email. Phishing scams generate billions of dollars even when only a small percentage of the targets are deceived. The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically making phishing one of the most organized online crimes.

Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing is typically carried out by email spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Phishers are often very organized and connected. They may go after one piece of information, such as an ATM card PIN, to correlate it later with existing information, such as the card number and CVV. Once they obtain what they’re looking for, they can quickly convert it into cash.

The most common technique is to send an email to thousands of online users asking them to re-enter or update their personal information under the pretext that their "account is about to expire" or "multiple log-ins have been detected" or they've "just won the lottery."

How do spammers get my email address?

Spammers gather email addresses from a variety of sources such as web pages, newsgroups, guesswork and a whole variety of other means. They may stalk social networking sites, hack into company databases or compromise the personal email accounts of those who don’t adhere to security best practices. These lists are then traded across the Internet.

In many cases, the phisher entices the user into opening an email attachment, downloading a file or visiting a fake website. They go to great lengths to trick the user into believing the email is from a credible source, often including copies of graphics of legitimate organizations as well as personal information that they’ve gleaned from other sources in order to catch the recipient off guard.

Phishing scams attempt to disarm recipients by including a warning like: “don't divulge your personal information to anyone but your trusted bank” in an email sent to a bank's clients.

How can phishing hurt me?
Once infected, these cybercriminals can steal your credentials by monitoring and intercepting your keystrokes or grabbing screen shots to steal your personal details and login credentials. Even worse, they can turn your computer into a robot to perpetuate their crimes without you even knowing it.

How can I protect myself from phishing & email scams?

To help you spot an email phishing attack, ask yourself these questions:

Who is the email from? Look at the "From:" field. Is the sender's name or email address familiar to you? Does it use a webmail account like Hotmail when it claims to be from my bank?

Is there a URL in the email? Where's the hyperlink going to? To see where the hyperlink is actually going, hover over it with your mouse (don’t click it). The true URL will be displayed on the bottom in the status bar. When in doubt, don’t click on it! As a best practice, never click on links in emails, texts, or social network sites. Instead, type the site address into the browser yourself (www.example.com) to ensure that the browser goes to the expected site.

Is there a threat of immediate detrimental action if you don’t respond with personal information? A message demanding an immediate response deserves a good dose of skepticism.

Does the email refer to a current news event? Major news events such as large-scale catastrophes or the death of celebrities are quickly followed by a wave of phishing messages touting the same news events in their subject lines or email body. Phishers are hoping that overeager users will let their guard down and click on their proffered URL links in their haste for more information.

Does the tone of the email from friends or colleagues sound right? Filter the messages based on what you know of the purported sender(s) and how they typically write.

What if I don’t have anything of value?

People often assume they have nothing worth stealing. They think, "Why would somebody want something from me? I don't have any money or anything anyone would want." On the contrary, if a social engineer can assume your identity, he or she can convince your friends to do something. Or you can pay their bills. Or they can commit crimes in your name. No matter who you are, or who you represent, you have value to a criminal.

The single most important key to avoiding phishing and email scams is to not give sensitive information to anyone unless you can verify that they are who they claim to be and that they have a legitimate need for access to the information.

These helpful tips are provided by www.infosightinc.com, an information security consultancy working to help ensure the privacy and security of your corporate, personal and financial information.