Last month FreshPerspectives explored the anatomy of a “Phishing Attack” and gave some tips on how to recognize attempts to commandeer personal information online. This month we outline how to proactively prevent damage from phishing expeditions and how to respond if you suspect an attack may have succeeded.
To review, ‘phishing’ is the practice of sending fraudulent emails, posing as a legitimate sender, in order to “bait” individuals to reveal personal information such as credit card or Social Security numbers, passwords, and birthdays.
A Little Phishing History
The first phishing incidents date to 1996 on AOL, where attackers posing as AOL staff sent messages asking subscribers to confirm their passwords or billing details. A seemingly benign request to confirm one’s password handed over the account, and with it the subscriber’s stored payment details, opening the door to identity theft and fraud.
Phishing wreaks havoc on email and financial systems. It’s often difficult to determine the extent of the damage up front, as attacks can take weeks or months to run their course. Phishing doesn’t just affect consumers; recently, targeted ‘spear-phishing’ attacks have compromised leading email service providers (ESPs) and businesses alike.
How Can I Protect Myself?
Here are a few valuable tips to avoid becoming the next victim of a phishing expedition:
- Never send your password or any other personal information in an email, and never type it into a page you reached by clicking a link in an email….ever!
- If any email seems the least bit suspicious or questionable, check with your IT department at work or do your own research: look at the actual “from” address rather than the display name, compare it with the Reply-To and Return-Path headers, and hover over every embedded link to see where it really points before clicking.
- Be wary of email attachments, and only open those you’re expecting.
- Learn common phishing styles. Whether it’s a long-lost friend sending you a link to wedding pictures, or an acquaintance supposedly trapped abroad and in need of funds, don’t fall for it.
- Exercise caution when updating or patching software. Install updates only through the application’s own update mechanism or from the vendor’s site at an address you typed yourself. Update requests should never come from a link inside an email.
- Whenever entering personal information on the web, make sure the URL begins with “https” instead of the plain “http.” The “s” stands for secure, but it only means the connection is encrypted, not that the site is who it claims to be: phishing sites obtain certificates too. Read the domain name itself; “https://yourbank.com.example.net” is not your bank, no matter what the padlock says.
- Keep your operating system, browser and applications up to date to reduce vulnerabilities, and set your anti-virus protection to update automatically. The knowledgebase on malware is constantly growing, so the sooner your system can recognize fresh attacks, the better.
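The header and link checks in the tips above can be automated. The following script is an added example, not code from FreshPerspectives or from any vendor named on this page: it parses a constructed (made-up) phishing email, flags Reply-To and Return-Path domains that differ from the From domain, and flags links whose real target is not on the expected domain, including the classic “https://yourbank.com.something-else” trick and links whose visible text shows one address while the href points somewhere else. The expected domain (examplebank.com), all addresses and all URLs are assumptions for the demonstration, and the “last two labels” rule for the registrable domain is a simplification; production code should use the Public Suffix List.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; every address and URL is made up.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
Return-Path: <bounce@mail-relay.example.net>
To: customer@example.org
Subject: Please confirm your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be locked. Confirm here:</p>
<a href="https://examplebank.com.login-check.example/confirm">https://www.examplebank.com/login</a>
<p>Or update at <a href="https://www.examplebank.com/help">our help page</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Simplification assumed for this example (the Public Suffix List is the real answer)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the address in a From/Reply-To/Return-Path header, or ''."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(msg):
    """Flag reply and bounce addresses that do not match the visible sender.
    A mismatch is a prompt to look closer, not proof of fraud (bulk senders often differ)."""
    findings = []
    from_dom = address_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = address_domain(msg[hdr])
        if dom and registrable_domain(dom) != registrable_domain(from_dom):
            findings.append(f"{hdr} domain {dom!r} differs from From domain {from_dom!r}")
    return findings


def check_links(html, expected_domain):
    """Flag links that leave the expected domain or whose text misrepresents the target."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        host = parsed.hostname or ""
        # Visible text that looks like a URL must agree with where the href really goes.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(host):
            findings.append(f"link text shows {text_host} but points to {host}")
        if registrable_domain(host) != expected_domain:
            findings.append(f"{parsed.scheme} link to {host} is not on {expected_domain} "
                            "(https alone proves nothing about who runs the site)")
    return findings


def analyse(raw_message, expected_domain):
    """Parse a raw RFC 5322 message and return all header and link findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_headers(msg) + check_links(html, expected_domain)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL, "examplebank.com"):
        print("WARNING:", finding)
```

Run against the sample, the script reports four findings: the Reply-To and Return-Path domains differ from examplebank.com, the first link points at login-check.example while its text claims to be examplebank.com, and that link is on the wrong domain despite using https. The second, genuine link to www.examplebank.com produces no warning.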
What If I Took the Bait?
If you clicked on a link and immediately regretted it, don’t panic. The damage might not be done yet. But don’t put your head in the sand either. Act immediately; don’t wait for your computer to start slowing down or acting strange, because modern malware is designed not to show symptoms. Disconnect the machine from the network. If you typed a password or other information into the page, change that password right away from a different, trusted device, along with the same password anywhere else you reused it, and alert your bank or card issuer if financial details were involved. If it’s a work computer, contact your IT department ASAP. If you’re at home, call your favorite techie to see if they can check the machine before more damage is done.
What If I Clicked on a Link But Didn’t Provide Any Information?
You might still be on the hook. Some of the latest spear-phishing attacks have disabled antivirus software and installed malware, including key-logging software and remote administration tools, all from one click. This gives the phisher a foothold on your computer and the ability to record your passwords as you type them into legitimate web sites, so every account you use from that machine is at risk until it is cleaned. If not promptly fixed, this could have devastating consequences.
Going Beyond the Basics
Once you’ve covered the basic defensive tactics (e.g., avoiding suspicious links, being judicious with your password, etc.), there are some additional tools you might consider. Various companies offer reputation verification tools to verify the trustworthiness of unfamiliar web sites. Finland-based Web of Trust (http://www.mywot.com) offers a downloadable crowd-sourced “safe surfing” add-on to provide added protection while browsing. Keep in mind that any reputation add-on works by checking the addresses you visit against the vendor’s service, so read its privacy policy before installing it. Malwarebytes Anti-Malware provides an additional layer of malware protection, above and beyond traditional anti-virus software. Their paid version even stops threats in real time (http://www.malwarebytes.org/).
With these services and further improvements in technology, there is hope that one day phishing scams will be a thing of the past. But in the meantime, it’s critical that we educate ourselves and take proactive steps to protect our personal information.