A successful phishing attack can result in a criminal emptying your bank account, stealing your Facebook account, raiding your PayPal account, or even hacking into your company’s network.
Most anti-phishing education to date has focused on trying to teach people what a phishing attack looks like. I am all for education, and if someone can teach you to be better at spotting a phishing attack that is a good thing, but the truth is that these attacks can be so sophisticated that even security experts can be fooled, or have a very hard time determining whether a specific email is legitimate or not.
To help people defend against phishing attacks I use a method that I believe is far more effective. You see, the problem is not that you received a phishing email and did not realize you were under attack; the attack is only a problem if you engage in the behaviors that allow it to succeed. If you follow my two simple rules meticulously you will dramatically reduce the odds of a successful phishing attack against you, and it doesn’t matter whether you know it is a phishing attack.
Rule #1
There are only two types of people who ask you for your
password… Thieves and idiots. You obviously do not want to give your password
to a thief, and if you give it to an idiot, they’ll probably get tricked into
giving it to a thief.
So when you get an email that says Hotmail, PayPal, your bank, or someone else you do business with needs your password, it is a thief. Not your bank, not PayPal, not eBay, not Hotmail or Gmail: it is a thief. There isn’t a problem with your account, they are not updating their security systems, and the email didn’t come from where you thought it did.
A common attack is for a person to call an employee and claim to be from the helpdesk. The conversation progresses and they claim to need your password, or they need you to change your password to one they provide. Changing your password to something someone else provides is the same thing as telling that person your password.
OK, there are exceptions to every rule, but if there is an exception to this rule, be very, very alert. For example, there may be a rare situation where IT at your workplace needs your password to help you resolve an issue. First off, in this case you initiated contact with IT, not the other way around. The second thing to know is that even if there is a rare but legitimate need for your password, as soon as the problem is resolved you change your password. Not 30 minutes after the problem is resolved, not a day after, but immediately after the problem is resolved you change your password. Competent IT professionals do not want to know your password any longer than is absolutely required.
If it is your Internet Service Provider (ISP) asking for your password, you are dealing with an idiot. It may not actually be the technician on the other end of the phone; it may be a higher-up who was ignorant enough to have a technician ask you for your password. Don’t give it to them; it probably is an attack.
To make it easy, pretend there can be absolutely no
exceptions and whenever you see a request for your password in email, instant
messaging/chat, or hear a request for your password on the phone, remember that
you are dealing with a thief or an idiot and keep your password to yourself!
Rule #2
If you click on a link and it takes you to a login page, don’t log in there. This is the most common type of phishing attack and it is equally successful against high-level executives and against a grandparent using a computer for the first time. The real travesty is that millions of times each day socially irresponsible sites like Facebook and LinkedIn teach people to become victims of phishing attacks.
Take a look at these two screenshots of emails I have actually received, and tell me whether they are legitimate or phishing attacks.
You really can’t tell from looking, and it really doesn’t matter, because I am not clicking on the links in the emails. If they are legitimate, then when I simply log into Facebook and LinkedIn the notifications will be there. If they were well-crafted phishing attacks, then when I clicked on them I would be presented with a very, very real-looking login screen, and a criminal would have my account credentials after I logged into the fake site.
It doesn’t matter whether it is in email, chat, a Facebook comment, or almost anywhere else. If you click on a link that asks you to log in, close your browser, open it back up, type in www.facebook.com or www.linkedin.com or whatever the real site is, and log in there. Anything of importance will be there for you to find. The fake LinkedIn request has been quite successful against executives, whereas password requests to fix a problem with your Hotmail, Yahoo, or Gmail account work well against the general public.
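The reason you "can't tell from looking" is that an email link's visible text and its real destination are two different things. The following is an added example (not part of the original post) that audits the links in an HTML notification email: it reports the host each link actually points to, whether that host really belongs to the brand, and whether the displayed text claims a different address. The sample email and the example.net destination are constructed; the list of legitimate brand domains is an assumption for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling a LinkedIn notification email. The visible text
# claims a linkedin.com address, but the href leads to a look-alike host under
# example.net (a reserved documentation domain, not a real phishing site).
SAMPLE_EMAIL = """
<p>You have a new connection request on LinkedIn.</p>
<a href="https://www.linkedin.com.login-check.example.net/login">
  https://www.linkedin.com/notifications</a>
<a href="https://www.linkedin.com/unsubscribe">Unsubscribe</a>
"""

# Assumed legitimate domains per brand (illustrative, not an authoritative list).
LEGIT = {"linkedin": ["linkedin.com"], "facebook": ["facebook.com"]}

class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_legit(host, domains):
    # Legit only if the host IS the brand domain or a true subdomain of it.
    # "www.linkedin.com.login-check.example.net" merely starts with it and fails.
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_links(html, brand):
    parser = _Links()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        actual = host_of(href)
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        report.append({"href_host": actual,
                       "legit": is_legit(actual, LEGIT[brand]),
                       "text_mismatch": bool(shown) and shown != actual})
    return report
```

Running `audit_links(SAMPLE_EMAIL, "linkedin")` flags the first link as both off-brand and mismatched with its displayed text, while the unsubscribe link passes.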
You may think there is nothing of value in your Facebook or email account, but you would be wrong. These accounts can be used to send spam and to trick your friends into believing a criminal is you, so that your friends become the next victims of cybercrime.
Yeah, there’s more you need to know to be safe online, but follow these two simple rules religiously and you will have drastically improved your security profile!
Randy Abrams
Independent Security Analyst and Educator for the Masses
agreed. BTW this phishing quiz is well done.
http://www.opendns.com/phishing-quiz/
Nick Bilogorskiy