
Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries, you are just like 99% of internet users – everyone has clicked a link before, it is pretty normal. But, in some situations, you may have found that the link took you to a new or maybe spoofed website where you might be asked to do “something”, i.e. enter some information or even login to an account. Once you entered your username and password, they have it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except that their hook and worm, in this case, is a carefully crafted email – designed to look like something you should be receiving – which the hackers hope you will open. It is then that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames and passwords.
  • Phishing “in the middle” – With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.
  • Phishing by Pharming – With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.
  • Phishing leading to a virus – This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.
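As an added, defensive illustration of the "spoofed website" pattern described above (example code written for this page, not from the original post): a small Python checker that pulls the links out of a constructed HTML email and flags any whose visible text names one site while the link itself points to another, or whose host is a bare IP address. Every domain and address in it is a constructed placeholder, and the "last two labels" domain heuristic is an assumption that misfires for suffixes such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible link text names the bank, the href does not.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been locked!</p>
<p>Please <a href="http://bank.example.login-verify.test/secure">
https://www.bank.example/login</a> to restore access.</p>
<p>Or visit <a href="http://192.0.2.10/update">our secure portal</a>.</p>
<p>Unsubscribe: <a href="https://www.bank.example/prefs">preferences</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude approximation of the registrable domain: last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return (href, reason) for links a reader should not follow from the mail."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "bare IP address as host"))
            continue
        shown = re.search(r"https?://([^/\s]+)", text)   # URL shown to the user
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            findings.append((href, f"visible text says {shown.group(1)} "
                                   f"but link goes to {host}"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the first two links and leaves the genuine preferences link alone; the same check is what a mail gateway or browser extension applies before the "don't click links" advice ever reaches a person.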

Can You Protect Yourself from Phishing?

Yes, the standard rule is “don’t click links in the body of emails”. That being said, there are emails where you can click the link and others where you shouldn’t. For example, if I’ve just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in an ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock ’em dead in this Security Awareness Training video.

How to win the War on Phishing

A phishing attack is a trick e-mail sent randomly to perhaps a million recipients, and the thief counts on the numbers game aspect: Out of any given huge number of people, a significant percentage will fall for the trick.

The trick is that the e-mail contains certain information, or is worded in such a way, as to get the recipient to click on the link in the message. Clicking on the link brings the user to a website that then downloads malware.

Or, the website is made to look like it’s from the user’s bank or some other major account, asking for their account number and other pertinent information like passwords and usernames; they type it in (and it goes straight to the thief). Sometimes this information is requested straight in the e-mail’s message, and the user sends the information in a direct reply.

The Google Online Security Blog did some analysis of phishing e-mails and came up with the following:

Malicious websites really do work: 45 percent of the time. As for getting users to actually type in their personal information, this happened 14 percent of the time. Even very fake-looking sites fooled three percent. Three percent sounds like peanuts, but what’s three percent of one million?

Hasty hackers. Once the hacker gets the login information, he’s into the victim’s account within 30 minutes 20 percent of the time. They may spend a lot of time roaming around in the account, which often includes changing the password to keep the victim out.

Those strange e-mails. Ever get an e-mail in which the sender is a very familiar person, but the message was also cc’d to a hundred other people? And the body message only says, “Hi there!” and then there’s a link? This is likely an e-mail from the victim’s e-mail account (which the hacker knows how to get into), and the thief copied everyone in the victim’s address book. Recipients of these phishing attacks are 36 percent more likely to fall for the ruse than if the attack comes as a single message from an unfamiliar sender.

Fast adaption. Phishing specialists are good at quickly changing their strategies to keep up with changes in security.

The Google Online Security Blog recommends:

  • Not all “spam blockers” block 100 percent of all the phishing e-mails. Some will always slip through to your in-box. Never send personal information back to the sender of e-mails requesting personal information. Never visit the site through the link in the e-mail.
  • Use two-step verification whenever an account setup offers it. This will make it difficult for the hacker to get into your account.
  • Make sure your accounts have a backup e-mail address and phone number.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.

Phishing Alert: 8 Tips to protect yourself from Attacks

It’s as easy for hackers to phish out your personal data as it is to sit in a canoe on a still pond, cast the bait and wait for the fish to bite.

So many people fail to learn about phishing scams, a favorite and extremely prevalent scam among cybercriminals.

One type of phishing scam lures the user onto a malicious website. ZeuS (Zbot) is such an example: planted on a website, it downloads a virus to the device of anyone who visits, steals their online banking information, then forwards it to a remote server where the thief collects it. Very clever.

But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking on the link to the malicious site.

10 Phishing Alerts

  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message contains the name and logo of the business’s bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line that’s of an urgent nature, particularly if it concludes with an exclamation point.

Additional Tips

  • Keep the computer browser up-to-date.
  • If a form inside an e-mail requests personal information, hit “delete” to discard the e-mail.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; such a toolbar provides fast alerts when it detects a fraudulent site.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook, text SECURE Your@emailaddress to 411247. Disclosures.