Phishing is a widespread Internet plague that is often used
to fraudulently obtain usernames and passwords, bank account numbers and PINs,
and other information used to commit cybercrimes such as banking fraud,
identity theft and corporate espionage. Phishing attacks may come in the form
of links in email requesting passwords, or malicious webpages that appear
to be legitimate.
A successful phishing attack can result in a criminal emptying your
bank account, stealing your Facebook account, raiding your PayPal account, or
even hacking into your company’s network.
Most anti-phishing education to date has been focused around
trying to teach people what a phishing attack looks like. I am all for
education and if someone can teach you to be better at spotting a phishing
attack it is a good thing, but the truth is these attacks can be so
sophisticated that even security experts can be fooled or have a very hard time
determining if a specific email is legitimate or not.
To try to help people defend
against phishing attacks I use a method that I believe is far easier for many people to understand.
You see, the problem is not that you received a phishing email and did not
realize you were under attack; the attack is only a problem if you engage in
the behaviors that allow the attack to succeed. If you follow my two simple
rules religiously, you will dramatically reduce the odds of a successful
phishing attack against you, and it doesn’t matter whether you know it is a phishing
attack.
Rule #1
There are only two types of people who ask you for your
password… thieves and idiots. You obviously do not want to give your password
to a thief, and if you give it to an idiot, they’ll probably get tricked into
giving it to a thief.
So when you get an email that says Hotmail, or PayPal, your bank, or someone else
you do business with needs your password, it is a thief, not your bank, not
PayPal, not eBay, not Hotmail or Gmail, it is a thief. There isn’t a problem
with your account. They are not updating their security systems, and it didn’t
come from where you thought it did.
A common attack is for a person to call an employee and claim to be from
the helpdesk. The conversation progresses and the caller claims to need your
password, or they need you to change your password to one they provide you.
Changing your password to something someone else provides you is the same thing
as telling someone else your password.
OK, there are exceptions to every rule, but if there is an exception to this rule,
be very, very alert. For example, there may be a rare situation where IT at your
workplace needs your password to help you resolve an issue. First off, IT needs
to find a better solution. If IT really does need your password then you probably should
be the one who called IT for help, and not the other way around. Once IT has finished helping you, change
your password immediately. Not 30 minutes after the problem is resolved, not a
day after, not 3 minutes after, but immediately after the problem is resolved
you change your password. Competent IT professionals do not want to know your password
any longer than it is rarely, and strictly, required.
If it is your Internet Service Provider (ISP) asking for
your password, you are dealing with an idiot. It may not actually be the
technician on the other end of the phone, it may be a higher up who was ignorant
enough to have a technician ask you for your password. Don’t give it to them,
it probably is an attack. Never give your ISP your password.
To make it easy, pretend there can be absolutely no exceptions to this rule and whenever you see a request for your password in email, instant messaging/chat, or hear a request for your password on the phone, remember that you are dealing with a thief or an idiot and keep your password to yourself!
Rule #2
If you click on a link and it takes you to a login page,
don’t do it. This is the most common type of phishing attack and is equally
successful against high level executives as it is against a grandparent using a
computer for the first time. The real travesty is that millions of times each
day socially irresponsible sites like Facebook and LinkedIn teach people to
become victims of phishing attacks by sending email with links in them.
The correct answer to “is this email legitimate?” is “IT DOESN’T MATTER!” You really can’t tell from looking
at it. Do not click on the links in the emails. If these emails are legitimate
then simply log into Facebook or LinkedIn by entering www.facebook.com or www.linkedin.com yourself. The notifications will be
there. If these were well crafted phishing attacks and I clicked on the links, I
would be presented with a very, very real looking login screen and a criminal
would have my account credentials after I logged into the fake site.
It doesn’t matter if it is in email, chat, a Facebook comment or almost anywhere
else. If you click on a link that asks you to log in, close your browser, clear
the cache (delete temporary internet files), open your browser back up, and then
type in www.facebook.com or www.linkedin.com or whatever the real site
is. Now you can log in there. Anything of importance will be there for you to
find after you log in by typing in the URL yourself. The fake LinkedIn email
scam has been quite successful against executives. Password requests to fix a
problem with your Hotmail, Yahoo, or Gmail account work well against the general
public.
You may think that there is nothing of value in your
Facebook or email account, but you would be wrong. Your email and social
network accounts can be used to send spam, and to trick your friends into
believing that a criminal who hijacked your account really is you, in order to make your friends new victims of
cyber crime.
Yeah, there’s more you need to know to be safe online, but
follow these two simple rules religiously and you have drastically improved
your security profile!
Randy Abrams
Independent Security Analyst and Educator for the Masses