A new take on an old Phishing Scam
If someone asks you to change your email password STOP! Do you really know WHO is asking you to make the change?
There is a new version of an old phishing scam going around the Internet that is successfully tricking people. These scams continue to be used for one reason – they work.
What is a phishing scam?
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details/money, often for malicious reasons, by appearing to be a trustworthy entity in an electronic communication. According to the 2013 Microsoft Computing Safety Index, released in February 2014, the annual worldwide impact of phishing could be as high as $5 billion.
Phishing is typically carried out by email spoofing or instant messaging. It often directs users to enter personal information at a fake website that retains the look and feel of, or is identical to, the legitimate site; generally the only difference is the URL of the website in question. Communications purporting to be from social web sites, auction sites, banks, online payment processors, or IT administrators are often used to lure victims. Phishing emails may contain links to websites that distribute malware. (Wikipedia)
What’s new about this phishing scam?
This phishing scam is carried out by sending an email telling the user their account has been compromised and they need to change the password. While that type of a scam is nothing new, users tend to accept these messages because generally there is no request for financial or other personal information.
The difference here is in the time it takes for the hacker to get to your data. Unlike previous scams, the hacker sees what you are typing in real time and can immediately log into your account. They see everything on their end – where you see dots in the password field, they see what you are actually typing.
What are some of the best ways to protect against this phishing scam and scams in general?
Here is a list of things to look for that was published on welivesecurity.com in 2016 and is still valid today.
- Be sensible when it comes to phishing attacks
You can significantly reduce the chance of falling victim to phishing attacks by being sensible and smart while browsing online and checking your emails.
For example, never click on links, download files or open attachments in emails (or on social media), even if it appears to be from a known, trusted source.
You should never click on links in an email to a website unless you are absolutely sure that it is authentic. If you have any doubt, you should open a new browser window and type the URL into the address bar.
Be wary of emails asking for confidential information – especially if it asks for personal details or banking information. Legitimate organizations, including and especially your bank, will never request sensitive information via email.
- Watch out for shortened links
You should pay particularly close attention to shortened links, especially on social media. Cybercriminals often use these – from Bitly and other shortening services – to trick you into thinking you are clicking a legitimate link, when in fact you’re being inadvertently directed to a fake site.
You should always place your mouse over a web link in an email to see where exactly you are being sent. Is it the correct website? Is the linked text the same as the address you see when you mouse over it?
Cybercriminals may use these ‘fake’ sites to steal the personal details you enter or to carry out a drive-by-download attack, thus infecting your device with malware.
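The mouse-over check above can be automated for a whole message. The following script is an added example, not code from this column or from welivesecurity.com: it pulls every link out of an HTML email body and flags the three things the tips describe – visible link text that looks like a web address but points at a different host, links that go through a URL shortener, and links that are not HTTPS. The shortener list, the sample email and the `.test` hostnames are constructed for the example.

```python
"""Audit the links in an HTML email body for common phishing tells."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of well-known shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url):
    """urlparse only finds a host when a scheme is present, so add one if missing."""
    return url if "://" in url else "http://" + url


def _host(url):
    """Lower-cased host with a leading 'www.' dropped, or '' if none parses."""
    host = (urlparse(_with_scheme(url)).hostname or "").lower()
    return host.removeprefix("www.")


def _looks_like_url(text):
    """True when the visible link text reads like a web address to a human."""
    t = text.strip().lower()
    if not t or any(c.isspace() for c in t):
        return False
    return t.startswith(("http://", "https://", "www.")) or ("." in t and _host(t) != "")


def audit_links(html):
    """Return one record per link with the list of reasons it is suspicious (maybe empty)."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = _host(href)
        reasons = []
        if host in SHORTENER_HOSTS:
            reasons.append("shortened link")
        if urlparse(_with_scheme(href)).scheme != "https":
            reasons.append("not https")
        if _looks_like_url(text) and _host(text) != host:
            reasons.append(f"visible text '{text}' does not match destination host '{host}'")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


def suspicious_links(html):
    """Only the links that tripped at least one check."""
    return [f for f in audit_links(html) if f["reasons"]]


# Constructed sample of a "change your password" lure; hostnames use the reserved .test TLD.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Please <a href="http://bit.ly/3xample">change your password</a>.</p>
<p>Or go to <a href="https://accounts.example-login.test/reset">https://www.example.com/account</a></p>
<p>Questions? Visit <a href="https://www.example.com/help">www.example.com/help</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first link is flagged as a shortened, non-HTTPS link and the second because the address the reader sees (`www.example.com`) is not the host the link actually goes to; the third link, whose text and destination agree, is left alone. The visible-text check is deliberately narrow: only text that itself looks like an address is compared, so ordinary "click here" links are not reported as mismatches.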
- Does that email look suspicious? Read it again
Plenty of phishing emails are fairly obvious. They will be punctuated poorly, have plenty of typos, spelling errors, words in capitals and exclamation marks. They may also have an impersonal greeting – think of those ‘Dear Customer’ or ‘Dear Sir/Madam’ salutations – or feature implausible and generally surprising content.
Cybercriminals will often make mistakes in these emails … sometimes even intentionally to get past spam filters, improve responses, and weed out the ‘smart’ recipients who won’t fall for the con.
Indeed, it has been rumored that China’s infamous PLA Unit 61398 spends time seeing just how many people would open and interact with their worst phishing emails.
- Be wary of threats and urgent deadlines
Sometimes a reputable company does need you to do something urgently. For example, in 2014, eBay asked its customers to change their passwords quickly after its data breach.
However, this is an exception to the rule; usually, threats and urgency, especially if coming from what claims to be a legitimate company, are a sign of phishing.
Some of these threats may include notices about a fine, or advising you to do something to stop your account from being closed. Ignore the scare tactics and contact the company separately via a known and trusted channel.
- Browse securely with HTTPS
You should always, where possible, use a secure website (indicated by https:// and a security “lock” icon in the browser’s address bar) to browse. This is of special concern when submitting sensitive information online such as credit card details.
You should never use public unsecured Wi-Fi for banking, shopping, or entering personal information online (convenience should not trump safety). When in doubt, use your mobile’s 3/4G or LTE connection.
As an aside, it should be easier to spot dodgy insecure websites. Google, for example, is looking to crack down on this soon by labeling sites that do not offer appropriate protection. This means that all legitimate sites will soon need to employ things like SSL encryption (the “green bar”), which helps to make things more secure.
William (Bill) Sikkens has been a technology expert for KXL on the Morning Show with Steve and Rebecca since 2014. With an expertise in I.T., cyber security and software design he has had more than 20 years’ experience with advanced technology. Sikkens conceptualizes and designs custom applications for many professional industries from health care to banking and has the ability to explain the details in a way all can understand. Article edited by Gretchen Winkler.
Please note that links provided are for information only and are not endorsed by Alpha Media, KXL or William Sikkens.
Got a technology question or comment for Bill? Follow him on Twitter @sikkensw