‘Phishing’ is the practice of sending fraudulent emails, designed to mimic the emails of legitimate companies, in order to “bait” individuals to reveal personal information such as credit card or Social Security numbers, passwords, and birthdays.
With high-profile data breaches in the news almost daily in recent months, most companies and individuals have found themselves doing some introspection. “Could it happen to me?” is the first question they ask, followed immediately by “How can I prevent it?”
By now most people realize that attackers around the world use a practice called phishing to get at data that should stay private. In this and the next issue of FreshPerspectives, we take an in-depth look at the practice and offer some of the most effective measures businesses and individuals can take to minimize the potential damage.
Anatomy of a Phishing Attack
Phishers send an email that LOOKS like it comes from a trusted source, like a trusted business or even a friend or family member. The email might invite you to reply to the email or contain a link that directs you to a web site, which is designed to look like your trusted source’s web site.
Whether via an email reply or on the directed web site, you will be asked to enter private data (e.g. your user name, account number, and password).
Armed with your personal information, the phisher will do one or a combination of the following:
- Sell your information
- Steal your identity
- Steal funds from your bank accounts
- Attack your contacts (to repeat the process)
How to Catch a Phish:
It’s important to be on the lookout for these emails so you can stop an attempt before it succeeds in carrying off your information. Here are a few things that will help you recognize a fraudulent email.
Do you recognize the sender?
- If you don’t, stop right there.
- If anything looks the least bit suspicious, hover over the “From” name to see the sender’s actual email address. Keep in mind that the display name is only the easiest part to fake; the address itself can be forged too, which is why the header checks below matter.
To dig even deeper, learn how to read email headers. How to display them varies by email client or webmail provider, so check your provider’s help pages. Message headers reveal several technical details, including whether the message passed the SPF, DKIM and DMARC checks for the sending domain (look for the Authentication-Results header added by your own mail server) and whether the bounce address (Return-Path) and any Reply-To address belong to the same domain as the From line.
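The header checks just described, as an added example that is not part of the FreshPerspectives article: a short Python script that parses a raw message with the standard library, compares the From, Return-Path and Reply-To domains, and reads the spf/dkim/dmarc results out of the Authentication-Results header. The two sample messages are constructed for this example, and every domain in them is a `.example` placeholder.

```python
"""Header triage for a suspected phishing message.

Added example, not part of the FreshPerspectives article.  The two raw
messages below are constructed; all domains are .example placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# spf=pass / dkim=fail / dmarc=none tokens inside an Authentication-Results header
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

# Constructed sample: the display name says "Acme Bank", but the bounce
# address and Reply-To point elsewhere and SPF/DKIM/DMARC did not pass.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none header.d=acme-bank.example;
 dmarc=fail header.from=acme-bank.example
From: "Acme Bank Security" <alerts@acme-bank.example>
Reply-To: acme-support@free-webmail.example
To: victim@recipient.example
Subject: Urgent: your account has been suspended
Content-Type: text/plain

Click here to restore access.
"""

# Constructed sample of a message whose headers raise no red flags.
CLEAN_RAW = """\
Return-Path: <bounce@acme-bank.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=acme-bank.example;
 dkim=pass header.d=acme-bank.example;
 dmarc=pass header.from=acme-bank.example
From: "Acme Bank" <alerts@acme-bank.example>
To: customer@recipient.example
Subject: Your monthly statement is ready
Content-Type: text/plain

Log in at the usual address to view it.
"""


def header(msg, name):
    """Header value as a plain, unfolded string; '' if the header is absent."""
    value = msg.get(name)
    return "" if value is None else " ".join(str(value).split())


def domain_of(header_value):
    """Lower-cased domain of the first mailbox in a header value, or ''."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Map each of spf/dkim/dmarc to its result word ('pass', 'fail', 'none', ...)."""
    return {method.lower(): result.lower()
            for method, result in AUTH_RESULT.findall(header_value)}


def inspect_headers(raw):
    """Compare the sender-related headers and collect the red flags found."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = domain_of(header(msg, "From"))
    return_path_domain = domain_of(header(msg, "Return-Path"))
    reply_to_domain = domain_of(header(msg, "Reply-To"))
    auth = parse_auth_results(header(msg, "Authentication-Results"))

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append("bounce address domain %s differs from From domain %s"
                        % (return_path_domain, from_domain))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("replies would go to %s, not %s"
                        % (reply_to_domain, from_domain))
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")  # an absent result is itself a flag
        if result != "pass":
            findings.append("%s=%s" % (method, result))
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "auth": auth,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        report = inspect_headers(raw)
        print(label, "->", report["findings"] or "no header red flags")
```

Two caveats when using this on real mail. An Authentication-Results header is only worth reading if your own mail server added it (the first part of its value names that server), because a phisher can insert a forged one before sending; and a full set of passes means only that the message really came from the domain in the From line, which is no comfort if that domain is a look-alike the attacker registered.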
Here are some more telltale signs:
Are there typos? Does the email create a sense of urgency?
Phishing attempts typically include upsetting or exciting (but false) statements to get people to react immediately without thinking twice. It’s human nature to respond right away when you see an email saying, “Your PayPal account has been compromised. Click here to reset your password.” Relax and look at the email again. Does everything look legitimate? Even if you think it does, always log in to your account by typing the address into your browser or using a saved bookmark, never through the link in the email.
This is a very simple trick, but most people fall for it because they don’t know any better. Anyone can make a hyperlink’s visible text say one thing while the link itself points somewhere else. When you see a “click here” link, you might think there is no way of knowing where it leads without clicking through, but usually there is. Hover over the link and the full URL appears in the status bar at the bottom of your window. Even if the link text is itself a URL, hover over it to make sure the real destination matches. Then read the host name, the part between “://” and the next “/”: look for misspellings and for a company’s name tucked in front of an unrelated domain. If you are on the fence, search for the domain name in a search engine rather than visiting it; a fake or scam site is usually easy to identify from the search results.
Please note this will not always work. If the sender uses link tracking, sends through an email service provider (ESP) that rewrites links, or uses a link shortener (e.g. bit.ly), the visible URL is only a redirect and you cannot see where it will actually take you.
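The hover check from the last two paragraphs, applied to every link in a message at once, as an added example that is not part of the FreshPerspectives article. The script parses an HTML body with the standard library, then flags links whose visible text names a different host than the link target, links that hide the destination behind a shortener, links with a fake host name before an “@” sign, and links to bare IP addresses. The HTML body is constructed for this example, the host names are `.example` placeholders, the shortener list is illustrative rather than complete, and the rule for deciding that anchor text “looks like an address” is a deliberately simple pattern.

```python
"""Inspect every link in an HTML email body the way a hover check does.

Added example, not part of the FreshPerspectives article.  The HTML body is
constructed and its host names are .example placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Redirect services that hide the real destination; illustrative list only.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Anchor text a reader would take for an address, with or without a scheme.
URLISH_TEXT = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample body: the first three links are deceptive, the last two are not.
SAMPLE_HTML = """\
<p>Your Acme Bank account has been limited. Please verify now:</p>
<a href="https://login.acme-bank.example.attacker.example/verify">https://login.acme-bank.example</a><br>
<a href="https://bit.ly/abc123">Click here</a> to restore access.<br>
<a href="http://acme-bank.example@198.51.100.7/login">Sign in</a><br>
<a href="https://www.acme-bank.example/help">Help center</a> |
<a href="https://acme-bank.example/secure">acme-bank.example</a>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of_text(text):
    """Host a reader would infer from URL-looking anchor text, else None."""
    if not URLISH_TEXT.match(text):
        return None
    return (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()


def assess_link(href, text):
    """Return the reasons this link deserves suspicion (empty list if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # http://bank.example@evil.example/ : the browser ignores everything before '@'
        reasons.append("text before @ disguises the real host %r" % host)
    if IPV4.match(host):
        reasons.append("destination is a bare IP address")
    if host in SHORTENERS:
        reasons.append("link shortener hides the destination")
    shown = host_of_text(text)
    # A subdomain of the shown host (www.bank.example for bank.example) is fine.
    if shown and shown != host and not host.endswith("." + shown):
        reasons.append("text shows %r but link goes to %r" % (shown, host))
    return reasons


def find_suspicious_links(html):
    """All links in the body that trip at least one check, with the reasons."""
    findings = []
    for href, text in extract_links(html):
        reasons = assess_link(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for item in find_suspicious_links(SAMPLE_HTML):
        print(item["href"], "->", "; ".join(item["reasons"]))
```

The shortener and tracking-link case is exactly the limitation the paragraph above describes: the script can only say that the destination is hidden, not where it leads, since finding that out means following the redirect, which is the thing you are trying not to do.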
The good news: anti-virus software is improving, email clients are getting better at filtering unsolicited mail, and most current browsers warn you before loading a known phishing site.
The bad news: Phishers are also getting smarter and more sophisticated. And where there’s money to be had, creativity will abound.
So your best defense is to stay knowledgeable and approach every email with a “better safe than sorry” attitude, even if it’s an email from a supposed old friend sending you pictures of that wedding you missed. By the way, that’s what triggered Epsilon’s massive data breach earlier this year.
NEXT MONTH: More ideas and proactive ways to prevent damage from phishing attacks, and, equally as important, how to respond if you’re afraid that an attack might have succeeded.