Anatomy of a Phishing Scam
How to Avoid Being Tricked By The Automated Army Of Hackers
Part I: Identifying the Problem
“Phishing” is the practice of fooling unsuspecting people into voluntarily giving away their most sensitive data — user names, passwords, social security number, birth dates, and more — by disguising their communication requests to look authentic. Given how easy it is to digitally copy a corporation’s official communication template, this problem is actually far worse than you could ever imagine. Hackers leverage the power of computers to automate sending phishing scams. Hundreds of millions of phishing emails are sent every day for pennies and only a small percent need to work for the system to be rewarded. And rewarded it has been.
- In 2016, 85 percent of all organizations had suffered phishing attacks and 30% of all phishing emails were opened.
- In 2017, fake invoicing emails sky-rocketed, CEO fraud emails total $5 billion in losses, and phishing emails that targeted people filing their W-2 forms increased 870%.
- In 2018, fake invoices becomes the #1 disguise for distributing malware, Dropbox phishing scams surge and DocuSign lures are the most effective.
Not enough? The following statistic will blow your mind:
By the end of 2017, the average user was receiving 16 malicious emails per month.
— Symantec, from the company’s 2018 Internet Security Threat Report
Given how bad the digital landscape is right now, I thought it was time to let folks know how best to protect themselves from this kind hacking.
Part II: How Phishing Looks in Email
Most phishing attacks are designed to do one thing very well: fool you.Specifically, they’re designed to fool you into thinking that you’re going online to do the things that you normally do, such as logging into Facebook, Amazon, Google or Apple. The cunning ones are designed to make you believe that you’re logging into your bank or credit card website.
The problem, of course, is that you’re not actually doing these things: instead, you’re logging into something that only looks like your favorite social media or financial websites and, without realizing it, providing your username and password to a “front” website operated by hackers who collect your data and use it to take advantage of you and others.
Pictured above are three examples of what a typical phishing attack can look like. But those are just examples from the interwebs: let me show you something from my own email inbox, ok? Here’s something I just got yesterday and lucky me: I’ve won a prize! From Google, no less! I’ve made the image quite large, so you can see the some of the obvious signs that this a phishing attack. You’ll note that I made use of the button in gmail — in the red box at top left — that allows you to “show details” about any email you receive.
- Strike 1: In the green box at the top, you’ll note that the actual email address doesn’t look recognizable or like a valid Google email address. RED FLAG!
- Strike 2: In the pink box at center, you’ll note that the URL doesn’t look standard, recognizable or known. RED FLAG!
- Strike 3: In the orange box, you’ll note that whoever sent this email didn’t proof for proper grammar. That rarely happens with corporate emails. RED FLAG!
- Strike 4: In the blue box, you’ll note that the website that delivered this email has the word “bounces” in it.
- Strike 5: When I copy and paste the website into DuckDuckGo to see if it’s a valid Google site, I see clearly (below) that it’s not.
Final analysis: I’m not clicking on anything this email is offering.
Part III: Prevent Phishing via Email Using “Best Practices”
Here are the rules (or best practices) you should implement to help prevent a phishing attack:
- Always confirm that every email comes from a valid, known or recognizable email address. The name displayed on an email isn’t an accurate indicator of the true sender: always double-check that the actual email address is correct. Phishing attacks sometimes contain the names of people we know because their address books (or ours) have been compromised. Those real names are then paired with bogus email addresses in an attempt to fool us. If any email address is unknown or odd-looking, send it to spam. Don’t worry about trashing something important: the important people in your life know how to contact you by other means.
- Never click on any link in any email, without first confirming that the URL is a valid, known, standard or recognizable website. Right click on any link to bring up a contextual menu to copy it; then paste it into a text editor. If the link doesn’t look valid, known, standard or recognizable: trash the email or send it to spam. For more info, search for the URL on DuckDuckGo to confirm it’s been indexed and known by a valid search engine.
- Never open any email attachments from any person that you weren’t already expecting. Your co-worker tells you she’ll be sending over the code for that new software application you’re co-authoring. Great! You know it’s coming and have cause to expect it in your inbox. Someone else sends you a Microsoft Word document and says “Check this out!”? Don’t open that attachment. Instead, text or call the person and confirm they’ve sent you that specific attachment.
- Always confirm that any email you receive from any online service that you use is valid. Get an email from Dropbox, Amazon or Apple asking you to log into your account? No problem: first prove that the emails are valid. Check the URL, sender email address and subject lines for anything suspicious. If you’re still unsure, log in to the service via their known, valid website.
- Only click on any email links that include the “s” in “https://”. That “s” means that the website is secure and has a certificate of security to back it up. These certificates can, themselves, be spoofed but it’s one indication that the website may be valid. Clicking on the “Secure” indicator in most browsers (Chrome is shown here) will reveal this certificate.
Some of the tips above will bother you — some slightly, others more so — because they’ll make email less convenient. I won’t apologize for that: convenience without security equals danger, something we should all remember. That being said, there are a few ways to help automate this process if you feel the above list is too difficult for you:
- Use multi-factor authentication. I discussed this in an earlier piece and can’t recommend it enough. If multi-factor authentication is enabled, even If attackers were to ever gain your username and password, they’d still need a rotating, six-digit code to proceed which appears only on your cell phone.
- Use Slack instead of email. Some of you know about Slack, others might not. It’s a communications tool that combines email, chat and discussion boards all into one. Individuals and companies both use slack. Corporations who pay to use it require all users to log on with valid credentials. That means — generally speaking — that it’s safer to open documents from your co-workers on Slack than it is via email.
- Only check email in a VM. This one takes work but is far safer than the alternatives. I keep several easy-to-open virtual machines (or VM’s) on my computer. Sometimes, if I’m wary about a particular email, I might open that email inside of a VM. Then, if there’s any damage done to the operating system or other software applications, I can either delete or reset the VM with no damage done to my actual computer. A 100% free VM can be set up using Virtual Box and the Ubuntu operating system, which is built on the open-source Linux platform.
Also, did you check those last two links were valid and secure before clicking on them? Hmm? Remember: trust no one, not even me, my friends.
Learning how to spot a phishing attack only takes a few minutes. Daily practice will make you more knowledgeable, more quickly. Then, once you’ve become a master yourself: share your knowledge with others. Make sure your friends, family and coworkers learn these best practices. You’ll be saving money, embarrassment and lost time for who know how many people.
Of course, let me know in the comments section if you’ve got a better tool or tip that the rest of the community should know.
Until then, friends…
Originally published at www.datadriveninvestor.com on August 20, 2018.