The terror started, as far as anyone knows, with a simple email from a Nigerian prince. Since then the emails have been misspelled, mutated and widely mimicked as they morphed into the evil clown we know today as phishing. This Halloween I’d like to share the latest phishing disguises so you can tell tricks from treats and stay safe.
Like It (the clown), phishing goes by many names, has become more adept at exploiting individual hopes and fears, and is growing rapidly as criminals learn which techniques work best. Since the days of Nigerian princes and AOL accounts, the spelling and grammar have improved, logos and graphics have been added to mimic real messages, and the scenarios have become more believable. Perhaps the worst part of the latest phishing tricks is the use of information from social networks and other public sources to craft targeted messages. In the past few months we’ve seen a surge in several forms of phishing, including two techniques known as angler phishing and smishing (SMS phishing). Both have increased dramatically and pose a significant threat to consumers.
How to prevent phishing
The best way to learn to identify phishing emails is to study examples caught in the wild. This Cyren webinar opens with a look at a real phishing website disguised as a PayPal login page that tricks victims into entering their credentials. Watch the first minute of the video for the telltale signs of a phishing site.
For more examples, visit the Lehigh University technology services website, which maintains a gallery of recent phishing emails reported by students and staff.
There are also a number of steps you can take and ways to prevent yourself from becoming a phishing statistic, including:
- Always check the spelling of URLs in email links before clicking or entering sensitive information
- Beware of URL redirects that subtly send you to another website with an identical design
- If you receive an email from a source you know but something about it seems suspicious, do not simply hit reply; contact that source in a new email, or through a phone number or website you already trust
- Do not post personal information such as birthdays, holiday plans or address or phone number publicly on social media
Angler phishing
Social media is a convenient way for people to contact companies with questions about a product or service. Angler phishing is a trick in which criminals impersonate a company’s legitimate customer support account in order to harvest your sensitive information. Using subtly altered names and domains, such as “App1e” for “Apple” (indistinguishable in some fonts), “mobile-paypal.com” or “ask-company.com”, they monitor Facebook, Twitter and other social media sites for people who complain or ask for help. Then they step in, offer assistance, ask for identifying information, or send a link to their fake site.
The best way to protect yourself against angler phishing is to always go to the company’s own website first and follow the links there to its official customer support contacts.
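The URL checks recommended above (does the visible text match the real destination, does the link quietly redirect elsewhere, is the brand really the registrable domain or just a look-alike such as “App1e” or “mobile-paypal.com”) can be automated for a mail or ticket pipeline. The following is an added example, not code from the original post or from Cyren; the trusted-brand table and the sample links are constructed here, and the registrable domain is approximated as the last two host labels rather than looked up in a public-suffix list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed table of brands and the registrable domains they really use.
TRUSTED = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
}

# Digits commonly swapped in for letters to build look-alikes ("App1e", "paypa1").
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'bank.co.uk' would come out as 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(display_text, href):
    """Return the reasons a link looks like phishing; an empty list means nothing was flagged."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if not host:
        return ["href has no host"]
    reg = registrable_domain(host)
    if parts.scheme != "https":
        reasons.append("not https")

    # Tip: the visible text shows one domain but the href goes to another.
    shown = re.search(r"[\w.-]+\.[a-z]{2,}", display_text.lower())
    if shown and registrable_domain(shown.group(0)) != reg:
        reasons.append(f"text shows {shown.group(0)} but href goes to {host}")

    # Tip: a brand name used outside the registrable domain ("mobile-paypal.com",
    # "paypal.com.evil.net") or spelled with look-alike characters ("app1e.com").
    normalised = host.translate(CONFUSABLES)
    for brand, domains in TRUSTED.items():
        if reg in domains:
            continue
        if brand in host:
            reasons.append(f"'{brand}' appears in {host} but registrable domain is {reg}")
        elif brand in normalised:
            reasons.append(f"{reg} is a look-alike of {reg.translate(CONFUSABLES)}")

    # Tip: an open-redirect parameter that quietly sends you to another site.
    for values in parse_qs(parts.query).values():
        for value in values:
            target = urlsplit(value).hostname or ""
            if target and registrable_domain(target) != reg:
                reasons.append(f"redirect parameter points to {target}")
    return reasons


# Constructed sample links: (visible text, actual href) as extracted from an email.
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
    ("https://www.paypal.com/signin", "http://mobile-paypal.com/login"),
    ("Verify your App1e ID", "https://app1e.com/verify"),
    ("Reset password", "https://paypal.com.evil.net/reset"),
    ("Your account", "https://apple.com/login?next=http://evil.net/x"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        verdict = check_link(text, href)
        print(f"{href}\n  -> {'clean' if not verdict else '; '.join(verdict)}")
```

Only the first sample comes back clean; the others trip the mismatch, look-alike, subdomain and redirect checks respectively. The confusable map is deliberately small: a production filter would also normalise Unicode homoglyphs (IDN/punycode hosts) and consult a public-suffix list so that two-label suffixes such as `co.uk` are handled correctly.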
Smishing
Smishing, or phishing via SMS, brings fake ads, contests and too-familiar bonus offers to your smartphone. The smaller screen, the short contextual messages and the distraction of using your phone on the go all increase the chance that you will tap one of these links. By spoofing the sender ID, a fraudulent message can even appear inside an existing conversation thread or seem to come from an official number.
The best way to protect yourself from these scams is to delete anything you did not initiate or that is not from a known contact. Remember: for the most part, you are not today’s lucky visitor, there is no real refund waiting for you, your bank or credit card account has not been blocked, and your Apple ID is not about to expire. Nobody legitimately needs your user ID, password, social security number or other account details via text message or Twitter. The offer that expires in 90 seconds is almost certainly not real, and anything that seems too good to be true usually is.
Unlike Stephen King’s monster, our evil clown is not a powerful, hungry alien from another dimension. All it takes to beat him is a little diligence, a healthy level of skepticism, and a firm refusal to take the bait.