Phishing is a technique that involves tricking a user to steal confidential or sensitive information, passwords, etc. Phishing can come in the form of email messages or posts on social media websites and apps and most appear to be from person or business you know.
There are two predominate ways that Phishing messages try to take advantage of the user. Phishing messages often request a user to reply sending sensitive information or they will provide a link to a website that has been comprised and setup to appear like a website you have business with or are familiar with.
Request for sensitive information
Phishing messages may seem like they are coming from a person you know. They may even appear to be sent from the same email address but will have a different reply address that is not the same as the person you know. When replying to any email take a moment to make sure the address you are sending to is the same as the user. For example, a email may come from Joe Smith (email@example.com), but when you hit reply the email address in the to field now becomes Joe Smith (firstname.lastname@example.org). Thus, your email is not being sent to Joe Smith (email@example.com) but rather Joe Smith (firstname.lastname@example.org).
Request for information through a website link
Some phishing messages may include a link that takes the user to a site known to have a confidential website, but they’re mere mimics with zero confidentiality. Thus, overconfident users could be involved in attacks that are aimed to steal personal data.
Any easy way to tell if the link is legit is to hold your mouse over the link. If the text for the link says amazon.com/myaccount but the text in the tooltip that pops up says amazon.somewherebad.com/myaccount or amzone.com/myaccount it is not the same site and you should never click on it. If fact, a good rule of thumb is to never click on the link, but rather open your web browser and navigate to the site through google search or by typing the address in yourself and doing so only for sites or companies you are familiar with.
So, what can I do?
It is easy to be tricked and the phishing messages are becoming more and more savvy. It is always a good rule of thumb, that when asked for any sensitive information or when sent a suspicious message to double check with the user or business for whom the message appears to have come from. Give them a call or send them a separate message asking “Hey did you send this”.
So what if I have to send sensitive data to someone?
The easy answer is don’t. But if you absolutely must you will want to use an encrypted email service or put a password on the file you are sending then call and verbally give the password over the phone to the recipient. Most programs like excel, word, pdf or zip files allow you to password protect the file.
Here are 10 tips from phishing.org on how to avoid phishing attacks.
- Keep Informed about Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one.
- Keep Link Clicking to a Minimum – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hyperlinks are commonly used to lead unsuspecting Internet users to phishing websites. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead?
- Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.
- Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Don’t just take a site’s word for it, though – always look for a few things before you provide your credit card information. For one thing, the site’s URL should begin with “https.” For another, you should see a closed lock icon near the address bar. Check for the site’s security certificate as well.
- Check in with Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too.
- Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.
- Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.
- Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.
- Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call.
- Use Antivirus Software – There are plenty of great reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time.
Additional information about phishing can be found at phishing.org.