I’ve been a little alarmed lately at the increasing number AND sophistication of the phishing schemes that I’ve seen. As a result, I thought I would document some of those here, to help protect our clients.
Let’s start with the basics, so we’re all on the same page. As the term indicates, phishing schemes are attempts by hackers (and automated bots) to cast a line to you and see what you bite on…
Most typical phishing schemes take place in email or on a web page. These emails and web pages look JUST LIKE the actual email or web page, but contain links to malicious sites or code that attempts to collect sensitive information from you.
The thing that I find alarming about these attacks is that they are becoming increasingly elegant and, therefore, more sophisticated. It used to be that you could spot a phishing scheme a mile away… the color scheme was wrong, the logo didn’t look quite right, there were typos in the text, or the message read like it was written by someone from another country.
That’s just not the case anymore. I recently received the following email from “Facebook”. It’s pretty close to the actual Facebook emails. There were a couple of things that I found odd with this one though… there wasn’t a profile picture (ok, a broken image link isn’t really all that out of the ordinary), Facebook is repeated twice in the text of the email, I don’t know an Anthony Howard (I apologize in advance to all the real Anthony Howards out there) AND there was not a friend request in Facebook from this person. This is the real indicator that something isn’t right with this email.
After further investigation, I found that this phishing scheme was after my Facebook password. If I clicked on the ‘Confirm Friend Request’ or ‘See All Requests’ button, I was prompted for my Facebook password. Had I entered it, the hacker would have had full-blown access to all of my Facebook accounts.
What you need to realize is that NO TECHNOLOGY, VIRUS SCAN, THREAT PROTECTION OR FIREWALL CAN STOP THIS TYPE OF ATTACK. The only way to stop this is to train your users to NOT click on the link. Pretty scary, huh?
The cure for this malicious activity is education and awareness. I was recently asked to give a presentation for Kiwanis on identity theft and online security. I shared everything that I know about protecting online identities and staying secure online so that the attendees would understand, and be aware of, how these attacks happen.
Here’s the secret ingredient for protecting your company… whether it is an email or a web page, look at the URL of the link before you click on it. In the Facebook example above, the ‘Confirm Friend Request’ or ‘See All Requests’ buttons should point to http://www.facebook.com. If they don’t, don’t click on them.
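As an added example (not code from the original post), the Python script below applies that same check to every link in an HTML email: it pulls out each link’s destination and flags any whose host is not facebook.com or a facebook.com subdomain. The sample email is constructed here to show the two tricks an address-at-a-glance check misses: a host that merely starts with www.facebook.com, and a real site name hidden in the query string.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "facebook.com"  # the site the message claims to come from


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url, domain=TRUSTED_DOMAIN):
    """True only when the URL's host is the domain itself or a subdomain of it.
    Checks the parsed host, not the raw string, so 'www.facebook.com.evil.example'
    and 'evil.example/?next=www.facebook.com' both fail. A link without a scheme
    has no parsed host and is treated as untrusted (conservative by design)."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, domain=TRUSTED_DOMAIN):
    """Return the (href, text) pairs whose destination is not the claimed domain."""
    parser = LinkCollector()
    parser.feed(html)
    return [(h, t) for h, t in parser.links if not host_is_trusted(h, domain)]


# Constructed sample: a fake friend-request notice with two decoy links and one genuine one.
SAMPLE_EMAIL = """
<p>Anthony Howard wants to be your friend on Facebook.</p>
<a href="http://www.facebook.com.account-verify.example/login">Confirm Friend Request</a>
<a href="http://203.0.113.5/fb/?next=www.facebook.com">See All Requests</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"'{text}' -> {href}")
```

Running it lists only the two decoy buttons; the Help Center link is left alone because its host is a real facebook.com subdomain.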
I’m seeing these phishing schemes for airline tickets, FedEx shipments, United States Post Office pickups, Facebook and many other spoofed sources. My personal favorite is the fake virus protection software that is actually a virus in itself. Know what virus protection software you use and don’t click on warnings from any other virus protection packages!
The bottom line is this… don’t be click happy. Just because it looks like something you are interested in or it is something familiar to you, doesn’t mean you should click on it. Hackers want to exploit your confidential information. Don’t give them the opportunity.