Phishing
IT Support: We've received multiple failed log-in attempts to your email account. Unless you verify your credentials within the next 24 hours, your account will be suspended!
Sometimes, just as in reality, someone will come up to you unexpectedly and offer something, tell you that something is wrong, or invite you to take an opportunity you can't miss. This can happen at any time from when you turn on your computer to when you turn it off. It may be in the form of an email, instant message, a pop-up while navigating some web page, or even a prompt seemingly coming from your operating system. As a rule, whenever you are prompted to respond to something you weren't expecting or seems unusual in context, you should allow for the possibility that you are being phished.
Phishing is the online version of the "con", that age-old art that preys on unsuspecting "chumps" who find themselves trusting or believing complete strangers. It uses psychological tactics to lure users into paying money, downloading malware or voluntarily disclosing sensitive information. It doesn't care what security software you've installed, because it goes around it: the target is you, not your computer. Its goal is to get you to drop your guard and "act before you think" rather than "think before you act." Some attempts at phishing are easy to spot; others are amazingly convincing. Often it plays on our sympathies, fears, likes and dislikes, and is authoritative, threatening or teasing. It is especially effective on those who are already distracted with multitasking, naive, impatient, stressed or under the influence of alcohol. It is a major mechanism for identity theft, credit card fraud, corporate security breaches, and the spread of malware throughout the web today, and phishers are getting better and better at finding new ways to fool you. Here are some tips to help you recognize and take action against this online threat:
- Know your enemy. The "phish" is usually recognizable from its air of urgency and call for immediate action, such as clicking on a link, downloading a file or contacting someone. It will attempt to establish trust by appearing to come from a friend or popular authority, upon which it will invariably appeal strongly to your emotions or proclivity to habit, and not your reason, to elicit a hasty response.
- Resist the sense of urgency and give yourself time to think. When it comes to online safety, there is no such thing as being overly cautious, so don't let it tell you to "just do it." Check where the link really leads and what address the sender really uses, and examine the message for anything unusual or out of context. A generalized greeting ("Dear Customer"), a vague subject line, misspellings, a sensational or scary headline, an offer that seems too good to be true, a legal or financial threat, and absolutely any request for account details or passwords should raise a red flag.
- Don't let anyone take you there; go there yourself. Redirecting links, spoofed websites, fake anti-virus alerts... all are designed to steer you away from the real thing and show you an imposter. If you suspect the message of being a phishing attempt, or just aren't sure, report the email as spam or delete it (avoid the "unsubscribe" or "remove from mailing list" links) or close the pop-up using the method described below. Then check directly with your operating system, anti-virus, trusted website, bank, local authority, news media or friend and verify for yourself if what it claims is true.
CLOSING THE POP-UP: Don't use your mouse to select any links or control buttons, including the pop-up's own "X", "Close" or "Cancel" button; on a fake alert those are just more links. Use the key combination Alt + F4 to close the active window (on a Mac, Cmd + W closes the window and Cmd + Q quits the application). Note that if the pop-up is a tab or window inside your browser, this may close the whole browser; that is fine. You may also bring up the Task Manager by pressing Ctrl + Shift + Esc (Cmd + Opt + Esc on a Mac to Force Quit) and end the suspect application manually.
You can minimize the occurrence of phishing attempts by following these tips:
- Have good anti-virus and firewall software installed on your computer (see Firewall and Anti-Virus).
- Make sure your operating system, programs and plug-ins are always up to date (see Software Updates).
- Set your browser to block pop-ups.
- Don't click on any links or open email attachments unless they are from someone you trust, and even then be careful: a trusted sender's account may itself have been compromised, so an unexpected link or attachment from a friend deserves a quick phone call before you open it.
- Protect your local user and online accounts with strong passwords (see Secure Passwords), and turn on two-step verification where the service offers it, so a password captured by a phish is not enough on its own.
- When browsing questionable web sites, set your browser security to high (see Turn Off Scripts under Browsing Safely).
- Download programs directly from the manufacturer's website, not through third-party links.
- If you're taking a computer outdoors, make sure it is secure (see Portable Computers).
Remember, before you open or click on something unexpected or unusual, STOP, LOOK and take a moment to examine it before responding. If it offers a link, hover your cursor over it (or long-press it on a touch screen) and read the actual destination your browser or email client shows; the visible text of a link can say one thing while the underlying address points somewhere else, and look-alike addresses that bury a real company name inside a longer, unrelated domain are common. Even a link pointing to a legitimate site may still be accompanied by malicious scripts, which is why you should never click on links from a non-trusted source. Spoofed emails can overtly appear to have been sent by people or organizations you trust: the display name is free text, and even the "From" address can be forged. Only by carefully examining the full header information (the chain of "Received" lines, which reads from the bottom up, origin to your mailbox, and the "Authentication-Results" line where your mail provider records its SPF, DKIM and DMARC verdicts) is it possible to trace a message's true origin and history. Short of that, you can check the address behind the display name; most clients show it in a mouseover within the "Sender" or "From" column of the inbox without having to open the message. Verify that the address, particularly the domain, matches who the message claims to be from. Bear in mind that a reply may not go to that address: if the message carries a "Reply-To" header, your client will send replies there instead, so check that as well before answering. None of this proves the email came from where it says, or that the body of the email is safe to interact with, but it will at least tell you where any information you reply with will be sent.
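The header and link checks described above, written out as an added Python example; this is not code from the original page. The two messages, their domains (documentation names), and the finding codes are all constructed for illustration, and the Authentication-Results line is assumed to have been stamped by your own receiving mail server.

```python
"""Header and link triage for a suspicious email (added example, not code from
the page). Both messages are constructed samples on documentation domains. The
checks follow the advice above: From vs. Reply-To/Return-Path domain, the
receiving server's SPF/DKIM/DMARC verdicts, the origin hop in the Received
chain, and each link's visible text vs. its real destination.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phish: the display name claims the bank, replies and bounces go
# to look-alike domains, the server's checks failed, and the link text lies.
PHISH = """\
Return-Path: <bounce@mail-examplebank-secure.com>
Received: from mail-examplebank-secure.com (unknown [203.0.113.7])
    by mx.example.net with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-examplebank-secure.com; dkim=none; dmarc=fail header.from=examplebank.com
From: "ExampleBank Support" <support@examplebank.com>
Reply-To: verify@examplebank-secure.com
To: victim@example.net
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Unusual sign-in attempts detected. Verify now:</p>
<a href="http://examplebank.com.verify-login.example/auth">https://www.examplebank.com/login</a></body></html>
"""

# Constructed legitimate message for contrast: every check lines up.
CLEAN = """\
Return-Path: <support@examplebank.com>
Received: from out1.examplebank.com (out1.examplebank.com [198.51.100.9])
    by mx.example.net with ESMTP id def456; Mon, 1 Jan 2024 11:00:00 +0000
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: "ExampleBank" <support@examplebank.com>
To: victim@example.net
Subject: Your January statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""

# Good enough for these samples; real mail needs an HTML parser, not a regex.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To/Return-Path value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def under(host, domain):
    """True if host is domain or a subdomain of it; look-alikes do not qualify."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def host_of(url_like):
    """Hostname of a URL, tolerating link text written without a scheme."""
    text = url_like.strip()
    if not re.match(r"https?://", text, re.I):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def html_body(msg):
    """Decoded text of the first text/html part (the message itself if single-part)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def analyze(raw_message):
    """Return a list of (code, detail) red flags; an empty list means none found."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))
    for header, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append((code, f"{header} domain {dom} differs from From domain {from_dom}"))
    # Verdicts count only when stamped by your own receiving server; a sender
    # can forge an Authentication-Results line of its own.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if m and m.group(1).lower() != "pass":
            findings.append((f"auth-{mech}", f"{mech}={m.group(1)}"))
    # Each relay prepends a Received line, so the last one is the oldest and names
    # the host that first handed the message in (a signal, not proof: legitimate
    # bulk mail often comes via third-party senders).
    hops = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", hops[-1].strip(), re.I) if hops else None
    if m and not under(m.group(1).lower(), from_dom):
        findings.append(("origin-hop", f"oldest hop is from {m.group(1)}"))
    for href, text in ANCHOR.findall(html_body(msg)):
        target, shown = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        if URL_TEXT.fullmatch(shown) and host_of(shown) != target:
            findings.append(("link-text-mismatch", f"text shows {host_of(shown)} but href goes to {target}"))
        if not under(target, from_dom):
            findings.append(("link-offsite", f"{target} is not under {from_dom}"))
    return findings

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name + ":", analyze(raw) or "no red flags")
```

Run it as a script and the constructed phish produces eight findings while the clean message produces none. The `under` test is deliberately strict: `examplebank.com.verify-login.example` contains the bank's name but is not a subdomain of `examplebank.com`, which is exactly the trick hovering over a link is meant to expose.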
Keep in mind that events in the news that affect a significant number of consumers, like a newly enacted assistance program, blockbuster movie or video game, natural disaster or a bank hack will almost certainly be accompanied by a wave of phishing attacks designed to capitalize on the public's increased awareness of, and thus susceptibility to responding to, these events. Be on your guard and don't assume that the email you just received really is from whom you would expect. Always refer to the official website and go to the source.
If you'd like to learn more about current phishing tactics, the Anti-Phishing Working Group (APWG), National Cyber Security Alliance (NCSA), and Onguardonline.gov offer links to resources and provide many interesting examples of such scams.
As informative as I've tried to be here, I can offer no universal "formula" for recognizing phishing. Phishers rely heavily on those who are not familiar with their tactics, have limited or no savvy with computers, security and the internet and consequently ignore threats, or become overly excited or panic when faced with unfamiliar situations. However, even experienced users are now being challenged by newer phishes that are almost indiscernible from the real thing. As such, the best way to avoid being victimized by phishing is to arm yourself with knowledge. New knowledge. Reserve an hour with a cup of coffee or tea at hand and browse through the above sites at your leisure. Consult your email and browser support websites for tutorials and become an expert in their use. Visit your local library's website to find out about free computer training. Learn as much as you can about your computer, your software, the websites you do business with, and anything else you use it for. After a while, you will develop a sense for what is legitimate and what is not, and recognizing the "phish", even new ones, will become intuitive.
Microsoft Support
Mozilla Support
Google Support
Telephone Scams
While technically not an online concern, this is worth mentioning because it happens all too often. You may receive a phone call from someone claiming to represent Microsoft, "Windows", Dell or some other well-known authority. They may tell you that your Windows license has expired (Windows licenses don't expire), that your computer is severely infected with viruses (and later show you "evidence" like fabricated system logs to prove it), or that there is some other alarming issue that requires immediate attention. They may then pressure you into supplying them with credit card or other personal information, or allowing them access to your computer in order to fix the problem. No matter what the caller ID indicates, unless you've already initiated a session with customer support, you are being scammed. Take note of the caller ID and hang up immediately. You shouldn't ever receive such a call (or email, for that matter) from Microsoft or other big name unless you first contact them and open a support ticket. You can report these calls to the Federal Trade Commission online or by calling (888) 382-1222.