Protect Yourself Against Phishing Scams
Phishing is the act of a criminal attempting to lure you into a compromising position, often by disguising themselves as someone reputable, where you then willingly share sensitive personal information. The most common form of Phishing occurs over E-mail, such as a message asking you to respond with your current credit card information as your card on file is about to expire, or perhaps luring you to a fake website where you enter the information.
There are a couple things to keep in mind to protect yourself against phishing attacks:
- Major vendors and organizations will never use scare tactics in E-mails. They may call, or most likely send physical mail if critical issue must be addressed.
- You should NEVER share critical personal information, like credit/store card or account numbers, social security numbers, etc., via E-mail.
- Always hover over links in e-mail before clicking to ensure the destination is legitimate (see image below)
- If the E-mail requires you click a link to enter your information, instead type the company/website information into your Internet Browser manually and navigate to the proper area. E-mail links can be deceiving, and not necessarily lead you to the site or page disclosed.
- If the sender, subject, or E-mail content contain improper English grammar or punctuation, be aware.
- If you receive an unsolicited message from a company/organization/individual you do not ordinarily work with or have never heard of, be aware.
- If a friend or relative sends you any type of message that appears out-of-character, contact them and delete the message. Some types of malware, like viruses, are able to send mass E-mails and social networking messages from infected computers, masquerading as a legitimate message in an attempt to infect additional systems.
This is an example of a real phishing message. Hover over (or tap and hold on mobile) links to expose the actual destination before clicking. Someone that is tricked into opening the Google Docs link below would have instead been directed to a malware infected site, "radiobenemerita.com":
Determining the Validity of a Message
Believe it or not, e-mail is very similar to physical mail in several ways. One such way is just as you can specify ANY return address on an envelope, so you can also easily disguise who an E-mail is from. Therefore, when dealing with a messages that requires validation, further steps should be taken to ensure the message is legitimately from who it claims.
Every e-mail message contains hidden information, called the "header", which shows the exact path a message took before it reached you. If you've received a message from a company disclosing information that you may need to act on, it's best to contact the company directly via the phone or their website first. In the meantime, you can began determining the validity of the message by looking at a header. Please check with your mail program's help documentation to discover how to view message headers.
I received a message from Google, and upon looking at the message header, I can verify that it indeed did come from Google:
The blue outlines the actual server sending the message; this CANNOT be forged, just as you can't forge the postmark on a real mail envelope. The information highlighted in Green - Date, Subject, From - CAN be forged and must be matched up against the area in blue to establish validity.
The following message is an example of a real-life phishing E-mail, where we were supposedly sent an invoice with a link to log-in and review this invoice. The message was considered suspicious because we did not recognize the sender. Further examination of the message header confirmed this. The link in the e-mail, if clicked, would have redirected us to a website attempting to infect the computer with a virus.
The area surrounded by Yellow - which is customizable - shows the message is from "montannasskys.net". However, the area that cannot be forged, in Red, clearly shows the message came originated from "...jino.ru". .RU signifies the system sending the message is controlled by Russia and likely resides in Russia; therefore this message was not opened but rather rejected.
Transmitting Sensitive Information
E-mail is not a secure method of communication, and should NEVER be used to send personally sensitive information. If information of this nature must be sent, the preferred method is to encrypt it, such as within a password protected PDF.
Electronic "Spam" is any message you receive that is not legitimate. Examples include:
- Messages that contain unreadable, non-cohesive, or irrelevant content - such as a random book excerpt.
- Advertising, newsletters, or informational notices that you didn't sign up for.
Spam and phishing messages can often times be similar, therefore it's best to treat all spam as potentially dangerous. When dealing with spam:
- Avoid opening Spam. Messages containing images may track when/where you open the image and therefore confirm your email address is active, potentially increasing the amount of spam you receive.
- NEVER click links within spam, unless the message is from a legitimate, reputable party, such as a large clothing chain, etc. In this case, the message will contain a legitimate unsubscribe link that should be used.
- Mark messages in your Inbox as Spam when they are received to increase the accuracy of your mail program's Spam filtering.
- Do not sign up for random content or contests on the Internet, unless from reputable sources.
- When signing up or creating an account that requires an E-mail address, read the fine print, ensuring to uncheck any boxes that represent your consent to send advertising and/or newsletters.
More than ever, e-mail accounts are being compromised and used maliciously to send messages to other users, often times those users within the account's address book. If you receive one of these questionable messages from another person, make sure to alert them immediately and share the following information:
- If you believe your e-mail or chat account has been compromised, change your password immediately and run an anti-malware (or anti-virus) scan on personal computers. If you're not able to log into your account to change your password, notify the service's customer support immediately.
- To prevent your password from being compromised follow the password tips on this page.
- Don't auto-save your password on your computer (this includes Internet Browsers, E-mail Applications, and Chat Programs). Using this tip will also increase your privacy if other users access your computer.
- Do not use third-party chat programs unless you are certain they are reputable.
- When entering your username/password online, ensure the website is secured.