How to Avoid Getting Hooked
Most of us are unlikely to reveal personal information to a down-on-their-luck rich foreigner who needs an (insert your nationality here) citizen to access funds in your country – for a large fee payable to you, of course. However, it’s harder to say no when emails look authentic. Welcome to the world of Phishing.
Sometimes someone is actually “aiming” for you or your organization. This is called Spear Phishing. They may be after a sensitive trade secret, account information or other data. Maybe a disgruntled employee wants to “dox” you, or publish internal documents.
The really insidious part is that emails can be spoofed or faked, meaning they may show up as “from” someone who never sent them. If someone in your organization (the CEO, a manager, or even a fellow employee) wrote that they had a disaster, needed just a twenty-dollar purchase, had lost the company card and needed the details immediately, how bad would the story need to be before you felt tempted to help?
Protect Yourself: Avoiding the Phishing Phone Line
If something sounds suspicious, don’t engage. Close the e-mail, or find a reason to hang up and call them back. Ask someone else what they think. If you need to act on it, contact the person, or someone else in that organization, at a number you already have for them to confirm the situation before acting.
Lures to Watch For
Sometimes a large, trustworthy company like eBay or Amazon genuinely needs you to take action on your account. Other times, an attacker using stolen images that may well be genuine is trying to steal your information. Here’s what it might look like and how you can protect yourself:
- “Your ___ account is in error. Log in now to fix it!”
- “You owe the CRA money. Pay here to avoid expensive penalties or arrest.”
- “Here’s your receipt for this large purchase you just made. Click here to verify you made this purchase.”
- “Someone is trying to log into your account. Log in here to change your password.”
These messages are designed to threaten or provoke you into making an emotional decision and surrendering your login information on their fraudulent web pages or forms, which, ironically, gives them the access to do exactly what they claimed was happening.
Protect Yourself: Avoiding the Phishing Email Hook
Don’t use the email links. Don’t call the phone line given to you. Instead, go to the website you usually use via your bookmarks or a Google search and log in the way you normally do. Spoiler: your account is probably fine.
Most website addresses are broken into subDomain.domain.topLevelDomain, such as mail.google.com. The part immediately before the .com/.org/.net, back to the preceding dot, identifies the domain: in thing.this-part-no-matter-how-long-it-is.ca, the domain is this-part-no-matter-how-long-it-is.ca.
If ebay.somewebsite.com is linked in an e-mail, you are going to somewebsite.com, which has a subdomain called ebay that is unrelated to ebay.com. Spoiler: it’s a site they want you to think is eBay so they can take your information.
Protect the Community: Sinking the Scam
Maybe the email uses a real-sounding subdomain like microsoft.securitycentral.com instead of security.microsoft.com. If you’re unsure, you can google “[company-name] phishing reporting” to find the website where you can report scams. Most big companies have one; in this example it’s https://www.microsoft.com/en-us/reportascam/.
Keep Your Organization Safe
The best way to equip your organization against fraud is to help them get educated with free resources like this one.
When they get an email from a company like maiIchimp.com, where the l character is actually a capital I instead of a lowercase L (identical in most sans-serif fonts), you probably want them to Avoid the Email Hook. You know, instead of having an attacker sell your client info to others – or worse, pretend to be you to get their info.
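The domain rule from the Email Hook section (a link to ebay.somewebsite.com actually goes to somewebsite.com) and the capital-I-for-lowercase-L trick just described can both be checked automatically before anyone clicks. The following Python is an added example, not code from the original post: the lookalike glyph table and the sample links are assumptions, and the "last two labels" rule is the article's simplified one (real parsers use the Public Suffix List to handle suffixes such as co.uk).

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Extract the host from a link, preserving letter case so that a capital I
    can still be told apart from a lowercase l (hostname() would lowercase it)."""
    if "://" not in url:
        url = "https://" + url
    netloc = urlsplit(url).netloc
    # Drop any user@ prefix and :port suffix.
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].rstrip(".")


def registrable_domain(host: str) -> str:
    """The article's rule: the label right before the top-level domain, plus
    the TLD, is the domain (simplified; co.uk-style suffixes are not handled)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Glyph pairs that look alike in most sans-serif fonts. Assumed table for this
# example; extend it from your own observations. Order matters: "rn" first.
LOOKALIKES = [("rn", "m"), ("I", "l"), ("1", "l"), ("0", "o")]


def fold_lookalikes(name: str) -> str:
    """Replace lookalike glyphs with the letter they imitate, then lowercase."""
    for glyph, real in LOOKALIKES:
        name = name.replace(glyph, real)
    return name.lower()


def check_link(url: str, expected_domain: str) -> str:
    """Classify a link against the domain the e-mail claims to come from:
    'ok' (same domain), 'lookalike' (same only after glyph folding, e.g.
    maiIchimp.com vs mailchimp.com) or 'mismatch' (e.g. ebay.somewebsite.com)."""
    actual = registrable_domain(host_of(url))
    expected = expected_domain.lower()
    if actual.lower() == expected:
        return "ok"
    if fold_lookalikes(actual) == expected:
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample links, not real phishing indicators.
    for link, claimed in [("https://mail.google.com/", "google.com"),
                          ("https://ebay.somewebsite.com/login", "ebay.com"),
                          ("http://maiIchimp.com/unsubscribe", "mailchimp.com")]:
        print(f"{link} claims {claimed}: {check_link(link, claimed)}")
```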
If you have any questions about phishing, please contact us. It’s our goal to make I.T. maintenance as safe and easy as possible.