Wednesday, March 31, 2021

Cybersecurity: Is there something phishy going on in your inbox?


SOURCE: Jeffrey L. Price, 2020
Have you ever noticed how many fishing lures are shiny and brightly colored?

It’s because fish can’t resist them, and it seems we humans also have this same flaw. Send someone a flashy message promising them some reward or a vaguely worded threat and we just can’t resist clicking on the link or attachment in that message to see what it is. 

Cybercriminals know this and depend on your trust and curiosity to make their scams work. And just like that poor trout who goes to investigate that shiny thing floating around in the water, it doesn’t end well. 

So how do you avoid becoming some cyber-fisherman’s catch of the day? 

The answer is deceptively easy. When it comes to e-mails, and even text messages, trust nobody. Assume every message you get is fake until you can confirm it’s not.

And how do you go about confirming a message isn’t fake? 

By following some simple precautions I outline below. While this list isn’t exhaustive and doesn’t guarantee you will never be fooled, you will be surprised how often it can save you from being hooked.

Skepticism is your best defense

First and foremost, be skeptical of any message you get. Are you expecting a message from this person and what are they asking you to do? If they are asking you to download an attachment or requesting you to sign into some site – even one that seems legitimate – ask yourself if this person really needs to know that information.

If a stranger came up to you on the street and introduced themselves as a friend of a friend then asked you for your social security number, would you give it to them? Probably not. So you shouldn't do it with an e-mail from some stranger either.

If the message appears to be from a bank or other institution you do business with and they are requesting you verify information they should already have, then don’t give it to them.  Again, you wouldn’t give the keys to your safe deposit box to some Joe on the street who introduces himself as the VP at your bank, would you?

Remember, hackers are extremely good at what they do. They are experts at creating seemingly valid email addresses, convincing language, and convincing copies of brand logos. So be skeptical when it comes to your email inbox – if an email looks even remotely suspicious, do not open it. Instead, delete it. It is always better to be safe than sorry.

Look closely at the display name and email address

Faking or forging the display name on an email (or even a text message) is a classic phishing ploy. Many times hackers will intentionally misspell a name betting you won’t notice the difference between something like CityBank and Citibank to get you to think their message is real.

Another trick they use is to slightly change the name of a person or colleague they think you regularly communicate with. So instead of getting a message from a Michael Smith, hackers might try to disguise themselves as Micheal Smith, Mike Smith or even Mika Smith, again betting your familiarity with the name will make you overlook the misspellings. Also be on the lookout for names in the wrong order. At my company display names from internal employees are always listed as LastName, FirstName. So when I see a message from our CFO with a display name of FirstName LastName, I know it is fake.

Next, take a look at the email address following that display name. Does it match and appear to come from the right organization? A message from Citibank, for example, should come from someone@citibank.com and not Citibank@abc.com.

The tip here is to always look at the part of the email address that follows the @ sign. Remember that no legitimate organization will send an email from a public email domain, such as addresses ending in @gmail.com, @comcast.net, @yahoo.com, @aol.com, etc. Every organization will have its own email domain (the part of the address that follows the @ sign) and will only send from official company accounts. The best way to find out what an organization’s real domain name is, is to type that company’s name into a search engine.

Also be on the lookout for domain names that mimic real ones. Hackers are betting that you will overlook misspellings like @citbank.com (missing the second “i”), @citybank.com (using a “y” instead of an “i”) or even wrong endings like citibank.net instead of citibank.com.

Finally, watch out for mismatched display names and e-mail addresses. If the display name says Michael Smith, then the e-mail address should not give another name like marcia.brown@gmail.com. If the first part of the address is a random string of numbers or letters – such as 1234VZE@verizon.net – then it’s a good bet the message is from someone trying to hide their true identity from you, and you should automatically treat that message as fake.
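The checks in this section can be automated and run over the From: header of every message before you read it. The following Python script is an added example written for this post, not a tool from the author; it splits the header into display name and address with the standard library’s email.utils.parseaddr and applies the rules above: a display name that claims an organization you know while the address sits on some other domain, a domain a character or two away from a real one, the right label with the wrong ending, a department-style name on consumer webmail, a person’s display name that does not match the mailbox name, and a mailbox name made of digits. The lists of known domains, public domains and organization words, and the sample headers, are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: domains of organisations we actually deal with.
KNOWN_DOMAINS = {"citibank.com", "acmewidgets.com"}
# Consumer webmail domains; a business should never send official mail from these.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "aol.com", "comcast.net", "outlook.com", "hotmail.com"}
# Words that make a display name look like a department rather than a person.
ORG_WORDS = {"support", "security", "billing", "team", "service", "alerts", "bank", "department"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the O(len(a) * len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _words(text: str) -> set:
    """Lower-cased alphabetic words longer than one letter (initials are ignored)."""
    return {w for w in re.split(r"[^a-z]+", text.lower()) if len(w) > 1}


def check_sender(from_header: str) -> list:
    """Return the warnings for one From: header value; an empty list means nothing looked odd."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["address could not be parsed"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    label = domain.rsplit(".", 1)[0]                    # "citibank" from "citibank.com"
    squashed = re.sub(r"[^a-z]", "", display.lower())   # "Citibank Support" -> "citibanksupport"
    words = _words(display)
    warnings = []

    for known in KNOWN_DOMAINS:
        if domain == known:
            continue
        known_label = known.rsplit(".", 1)[0]
        # 1. Display name claims an organisation we know, but the address is not on its domain
        #    (catches Citibank@abc.com and a Citibank name on webmail alike).
        if known_label in squashed:
            warnings.append(f"display name claims {known_label} but address domain is {domain}")
        # 2. Right label, wrong ending: citibank.net instead of citibank.com.
        if label == known_label:
            warnings.append(f"domain {domain} has the wrong ending (expected {known})")
        # 3. One or two characters away from a domain we know: citbank.com, citybank.com.
        elif edit_distance(domain, known) <= 2:
            warnings.append(f"domain {domain} looks like a misspelling of {known}")

    # 4. A department-style name sending from a consumer webmail domain.
    if domain in PUBLIC_DOMAINS and words & ORG_WORDS:
        warnings.append(f"'{display}' is sending from consumer webmail ({domain})")

    # 5. Display name says one person, the mailbox names another (Michael Smith <marcia.brown@...>).
    local_l = local.lower()
    if len(words) >= 2 and re.fullmatch(r"[a-z]+([._-][a-z]+)+", local_l):
        if not any(w in local_l for w in words):
            warnings.append(f"display name '{display}' does not match mailbox '{local}'")

    # 6. Mailbox names built from digits, or with no vowels at all, tend to be throwaway accounts.
    if re.search(r"\d{3,}", local) or not re.search(r"[aeiouy]", local_l):
        warnings.append(f"mailbox name '{local}' looks auto-generated")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers exercising each rule.
    for header in (
        "Citibank Support <Citibank@abc.com>",
        "Citi Alerts <alerts@citbank.com>",
        "Michael Smith <marcia.brown@gmail.com>",
        "Verizon Wireless <1234VZE@verizon.net>",
        "Michael Smith <michael.smith@acmewidgets.com>",
    ):
        print(header, "->", check_sender(header) or "looks consistent")
```

The edit-distance threshold of two is deliberately loose: it catches a dropped or swapped letter but will also flag unrelated short domains, so treat these warnings as a reason to look closer, not as proof on their own.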

Review the salutation 

Who is the email addressed to? Is it to a vague “Valued Customer?” Legitimate businesses will often use a personal salutation with your first and last name, so beware if it doesn’t. Likewise if you get a message that has your name misspelled or appears to be from someone you know and they use your formal name rather than the nickname they’ve always used with you, then again, you can bet the message is a fake. 

Be wary of urgent or threatening language

Cyberscammers often try to catch you off guard by using fear or the threat of legal or financial action against you, or play on your emotions by creating a false sense of urgency in their messages. Commonly, they will have subject lines such as “urgent payment request” or make claims that your “account has been suspended.” Others will say you have won an expensive prize in a contest you don’t remember entering, telling you that you must claim the prize now or it will go to someone else.

These messages will often direct you to click on some link or download an attachment that could infect your device with malware or trick you into revealing usernames and passwords to important accounts.

Guard your confidential information as if your life depended on it

Legitimate businesses will never ask for personal credentials through an email.

Ever.

These types of phishing scams often purport to be from a bank or other financial institution, the IRS or even online shopping sites like Amazon.

Again, ask yourself if you would give up that information to some guy on the street who just came up to you saying they were from your bank or the IRS and didn’t show you any hard proof of who they were. 

So ignore any requests you get to “reset,” “sign in,” or input username or password through email – it’s almost always a scam.  

The one exception to this rule is if you get a password reset message immediately after clicking the “I forgot my password” link on a site you usually do business with.

Also remember that legitimate businesses will never ask you for your account numbers, social security numbers, dates of birth or other information that could be used to personally identify you via an email. They should already have this information on file. If they ask you for it in an e-mail or text message, it’s either a phish or it’s a company you should stop doing business with immediately!

Think before you click

Note the link in the body says one thing, but when you hover over it, the real link shows a different address!

Hackers love to embed malicious links in what look to be legitimate messages. To expose this fraud, hover your mouse over the link. If the link address looks weird, DON’T click on it. If you’re skeptical about the link, call an IT pro to have them check it out. If you don’t have a favorite IT person you can bug, then look up the business’ contact information via a Google search or go old-school and use a phone book, and call the company and ask them about the message.
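The hover check compares the text you see with the address the link really points to. The following Python script, an added example that is not code from the original post, does the same comparison over an HTML message body using only the standard library: it collects every anchor, and warns when the visible text names one site but the href leads to another, when the destination is a bare IP address, or when the URL uses user@host syntax to put a familiar name in front of the real host. The message body, the 198.51.100.23 address (from the reserved documentation range) and the account-verify.example domain are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message body. The 198.51.100.0/24 block and the
# .example TLD are reserved for documentation, so nothing here points at a real site.
SAMPLE_HTML = """
<p>Your account has been suspended. Please verify your details at
<a href="http://citibank.com.account-verify.example/login">https://www.citibank.com/login</a>
or call us.</p>
<p><a href="http://198.51.100.23/update">Update payment method</a></p>
<p><a href="https://www.citibank.com/help">www.citibank.com/help</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _parse(url: str):
    """urlparse that also accepts a bare 'www.example.com/path', which is how link text usually reads."""
    return urlparse(url if "://" in url else "http://" + url)


def _registrable(host: str) -> str:
    """Last two labels of a host name; a crude stand-in for the registered domain."""
    return ".".join(host.lower().split(".")[-2:])


def check_links(html: str) -> list:
    """One warning per anchor whose visible text and real destination disagree."""
    collector = _AnchorCollector()
    collector.feed(html)
    warnings = []
    for href, text in collector.links:
        if not href:
            continue
        real = _parse(href)
        real_host = (real.hostname or "").lower()
        # Does the visible text itself look like a web address? If so, compare the two hosts.
        if re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", text):
            shown_host = (_parse(text).hostname or "").lower()
            if shown_host and _registrable(shown_host) != _registrable(real_host):
                warnings.append(f"text shows {shown_host} but link goes to {real_host}")
        # A destination with no name at all is a poor sign for any business mail.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            warnings.append(f"link goes to a bare IP address {real_host}")
        # user@host syntax: everything before the '@' is ignored by the browser.
        if real.username:
            warnings.append(f"link text before '@' is not the host; real host is {real_host}")
    return warnings


if __name__ == "__main__":
    for w in check_links(SAMPLE_HTML):
        print("WARNING:", w)
```

The registered-domain comparison looks only at the last two labels, which is why the first link is flagged: citibank.com.account-verify.example is registered under account-verify.example, however much the left-hand part resembles the bank. Country-code domains such as .co.uk need a proper public-suffix list for this step, which is outside the scope of this example.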

Don’t click attachments either

Just like malicious links, hackers like to embed malicious attachments that contain viruses and malware in their phishing emails. Malware can steal your passwords, damage files on your computer, or spy on you without you ever knowing. Curiosity killed the cat, so don’t open any email attachments you weren’t expecting.

Text messages aren’t any safer

Almost all of these rules can apply to text messages too. So don’t think that just because you don’t use e-mail that much, you’re safe. 

You’re not.

Cyber criminals know more and more people are ditching e-mail for texting and are quickly adapting their tactics to target all you thumb-typers out there, so you need to heed these guidelines too.
  
Now, after reading all this, if you’re beginning to feel paranoid, and think every e-mail or text message you get could be a bomb ready to go off in your face, good. I did my job! You should feel paranoid these days! Because that old saying is true. Just because you’re paranoid, it doesn’t mean the world isn’t out to get you.