Phishing: How to Avoid Getting Hooked
What would you do if you got an email that went something like this:
"From American Express Cards: Warning your account has been compromised, click this link right away to verify your card and reactivate it. You won't be able to use your card until you do! Please act now!"
Would you panic? Would you click? I hope, for your sake and your credit score, that you answered "No" to both questions. That is a pretty standard "phishing" message (even though I made it up) and is just one of the many forms of social engineering that we all can fall prey to online. To help you out, and all of us really, here's a little primer on how to avoid getting scammed, bilked, or having your computer become infected with nasties. Let's call it: Social Engineering 101.
Wikipedia defines social engineering as:
The act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.
Which is an okay definition, but it misses the key part of why social engineering works: we trust people. Social engineering isn't new or really computer centric. A person dressed as a firefighter, police officer, or paramedic can wander around a building, crime scene, or fire without question. Why? Because we've been taught/trained that these are people in authority and we need to allow them to do their job without our hindrance. How about someone struggling with packages in front of a security access door? You come up to the door and, since you have access to that section, you hold the door for the person. Maybe the person says something like "Man, my door fob is stuck in my pocket…" Social engineering at work. Now, let's look at the computer kind. Before the internet was widespread in offices, one of the best scams was to call up random people at an office with the story "Hi, this is Bill from tech support, we're doing some maintenance on the network. I need to confirm your username and password for the check…" How often does that work? A lot. Like the majority of the time.
Lesson 1: Tech support rarely if ever (like almost never) needs your password for anything. Username? Yeah, that's important, but password? Nope. Look, I've been on front line tech support, if I need to "get into your account to check something" I have the tools and privileges to do it. Worst case, I change your password myself, login, then ask you to change your password again. So even if you call tech support and they ask for your password, push back. They shouldn't need it, and if they do, they're being lazy. This rule goes for phone calls and most especially emails you receive. Just don't give out your password to whoever asks. Not even me. Period. Don't.
Let's take that phishing example from the beginning of the article. The goal of that kind of email is to make you panic and click the link. The link would even look correct, but it isn't really. See, you can type whatever you want as the text that's displayed for a link—it doesn't mean that when you click it you will go to that address. Look at the picture below and click to see a larger version on Flickr. You see how the blue text looks like you'd go to usa.visa.com? Yeah, what about the yellow box? That doesn't look like a VISA URL, does it?
Lesson 2: Do not ever click on links in any email that purports to come from your bank, credit card company, phone company, utility, PayPal, Amazon, etc. Yes, I know this is harsh, because Telus sends me my bill each month saying "click here" to get it. I don't. Ever. I have a bookmark (actually I know the URL, but that's just me) for Telus. Same as I have a bookmark for my bank. If the email is really from your bank or whatever, the information will be on your account online. If you have a question, call them. Not at the phone number in the email (that might be fake too), but at the number from a statement or the back of your card.
Remember, the goal of social engineering is to work with your sense of trust. The emails look like they are official. They might have the same logos and formatting as your bank or credit card company. But if you look carefully you might find typos or other strange things in the email.
Don't rest on your laurels with Facebook or Twitter either; both of them are just as rife with stuff you shouldn't click. Unfortunately, social networking sites are a little harder to deal with because your friends do send legit links to you. The best I can advise is to avoid some of the known ones like "is that you in this video/picture" or "I earned $xxx through Google" kind of things. Now, one of the good things about social networking sites is that when one of these nasties starts to spread around, word gets around about what not to click.
Part of the problem now isn't just that hackers are after your specific bank account per se; they often just want to gain a toehold on your machine by installing some spyware, virus, or trojan so they can do other stuff to your computer later (capture passwords, logins, etc.).
By now you might be feeling pretty panicked, that you can't click on anything, that nothing is safe. That's not true either. You can safely wander the Internet if you just know some basic safety skills. Don't forget, especially for you PC folks out there, to have your anti-virus, anti-spyware, and firewall software installed, running, and up to date. Not that Macs are immune; there are just fewer of those threats out there for Macs. Mac users are just as susceptible as everyone else to phishing scams where you enter your bank info for an evildoer.
And from last week's contest the winners are...
Netchick and AnthonyFloyd!