Phishing: How to Avoid Getting Hooked

What would you do if you got an email that went something like this:

"From American Express Cards: Warning your account has been compromised, click this link right away to verify your card and reactivate it. You won't be able to use your card until you do! Please act now!"

Would you panic? Would you click? I hope, for your sake and your credit score, that you answered "No" to both questions. That is a pretty standard "phishing" message (even though I made it up), and it is just one of the many forms of social engineering that we all can fall prey to online. To help you out, and all of us really, here's a little primer on how to avoid getting scammed, bilked, or having your computer infected with nasties. Let's call it Social Engineering 101.

Wikipedia defines social engineering as:

The act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Which is an okay definition, but it misses the key part of why social engineering works: we trust people. Social engineering isn't new, and it isn't really computer-centric. A person dressed as a firefighter, police officer, or paramedic can wander around a building, a crime scene, or a fire without question. Why? Because we've been taught and trained that these are people in authority and we need to let them do their job without our hindrance. How about someone struggling with packages in front of a security access door? You come up to the door and, since you have access to that section, you hold the door for the person. Maybe the person says something like "Man, my door fob is stuck in my pocket…" Social engineering at work.

Now, let's look at the computer kind. Before the internet was widespread in offices, one of the best scams was to call up random people at an office with the story "Hi, this is Bill from tech support, we're doing some maintenance on the network. I need to confirm your username and password for the check…" How often does that work? A lot. Like the majority of the time.

Lesson 1: Tech support rarely if ever (like almost never) needs your password for anything. Username? Yeah, that's important, but password? Nope. Look, I've been on front-line tech support: if I need to "get into your account to check something," I have the tools and privileges to do it. Worst case, I change your password myself, log in, then ask you to change your password again. So even if you call tech support and they ask for your password, push back. They shouldn't need it, and if they do, they're being lazy. This rule goes for phone calls and most especially for emails you receive. Just don't give out your password to whoever asks. Not even me. Period. Don't.

Let's take that phishing example from the beginning of the article. The goal of that kind of email is to make you panic and click the link. The link would even look correct, but it isn't really. See, you can type whatever you want as the text that's displayed for a link—it doesn't mean that when you click it you will go to that address. Look at the picture below and click to see a larger version on Flickr. You see how the blue text looks like you'd go to usa.visa.com? Yeah, what about the yellow box? Yeah, that doesn't look like a VISA URL, does it?

Don't get hooked by phishing!
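The check the picture illustrates, written out as an added example (not code from the original article): compare the host named in a link's visible text with the host its href actually points to and flag the mismatch. The HTML body below is constructed for illustration.

```javascript
// Added example: flag links whose visible text names one host while the
// href goes somewhere else, the "looks like usa.visa.com" trick above.

// Display text that looks like an address: optional scheme, then a dotted host.
const HOSTLIKE = /(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})/i;

function hostOf(s) {
  // Normalise a URL or bare hostname to a lower-case host without "www."
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s);
    const u = new URL(hasScheme ? s : `http://${s}`);
    return u.hostname.toLowerCase().replace(/^www\./, '');
  } catch {
    return null; // not parseable as a URL or host
  }
}

function checkLinks(html) {
  // Walk every <a href="...">text</a>; report links whose text claims a
  // host different from the one the href actually resolves to.
  const findings = [];
  const re = /<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1];
    const text = m[2].replace(/<[^>]+>/g, '').trim();
    const shown = text.match(HOSTLIKE);
    if (!shown) continue; // plain words like "Visa" claim no address
    const claimed = hostOf(shown[1]);
    const actual = hostOf(href);
    if (claimed && actual && claimed !== actual) {
      findings.push({ text, href, claimed, actual });
    }
  }
  return findings;
}

// Constructed sample e-mail body modelled on the article's example
// (203.0.113.7 is a documentation address, not a real site).
const SAMPLE = `
<p>Warning: your account has been compromised.</p>
<a href="http://203.0.113.7/verify/visa.php">https://usa.visa.com/account</a>
<a href="https://usa.visa.com/">Visa</a>
<a href="https://www.example.com/help">example.com/help</a>
`;

for (const f of checkLinks(SAMPLE)) {
  console.log(`suspicious: shows ${f.claimed} but goes to ${f.actual} (${f.href})`);
}
```

Only the first link is reported; the second displays a word rather than an address, and the third's "www." prefix is a harmless difference.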

(2) Comments

SheilaC January 6th 2010 | 11:11 AM

I always wondered about those Paypal emails! Now I know. Good thing I ignored them.... Are they always filled with viruses?

Tris Hussey January 6th 2010 | 2:14 PM

Sheila, not always, but often enough to warrant not clicking on them.