What is Phishing?
Phishing is the action of sending someone messages with the intent to deceive them into parting with information they otherwise wouldn’t have shared. While it’s commonly used to try and steal logins, cookies, and other digital data, it can be used to snatch things like government-assigned identification numbers, important medical information, and more.
It’s also not limited to email, despite the common perception – ‘smishing’ is phishing over text using things like fake verification texts, and the ever-popular phone scams can phish by pretending to be a bank or other service that the victim may actually use.
What’s the Risk?
Getting your PII (your personally identifying information) stolen is kind of a nightmare. You probably don’t need me to explain all the ways identity theft can really screw up your credit and reputation!
If a scammer gets ahold of the login to your bank service, and you don’t have 2FA enabled on your account, they can do quite a bit of damage to your account by requesting cards, making fraudulent purchases, or transferring out money. Even if your bank has policies to protect you and undo all that mess, it’s still going to be a very frustrating and anxious few weeks of reclaiming control of your account, communicating with the bank, and the bank trying to track down the phisher (if they even can). That’s just one login!
Aside from the big, important services like your bank and utilities, getting your password and login stolen from a service you don’t consider important can still really suck. It can even lead to the phisher getting into the services you do consider really important. Take a smishing attempt that looks like Fedex has tried to deliver a package, but couldn’t. Were you expecting a package? If you were, you’re probably a little concerned. You don’t notice there’s a typo in the text, or that the number it sent from is different than usual. You click on the link, and it leads you to Fedex Smart Delivery manager, prompting you to log in. If you type in the login, then you just gave them your Fedex credentials! That doesn’t sound like a big deal – Fedex is easy to reset, right? But it is a big deal. Your address is in Fedex. You have your telephone number in Fedex. Your delivery history is in Fedex. The phisher can use some of that information to open accounts in your name that they don’t intend to pay for, which can impact your credit score. Plus, if you reused that password anywhere else, you have to reset it everywhere it was used, because odds are the phisher is going to try and get into everything they can to gather more data and steal working accounts.
How to Better Protect Your Accounts
All of this sounds really painful. Luckily, there are a few tips that can make your information safer! Firstly, don’t re-use passwords. You may groan at the thought, but reusing a password for services makes it much easier to steal an account of yours if they get that password via a site breach or a scam. We recommend a password manager like LastPass – it makes it much easier to store and create unique, strong passwords for every site!
Secondly, you’ll be better protected if you use two-factor authentication on every website that has the option to. If you do fall for a phishing scam, the scammer won’t have the code necessary to get in! Of course, some scams are sophisticated enough to think of that beforehand: Craigslist, for example, had a bad rash of scammers a while back who would “text a code” to a seller “to make sure they were a real person”. The seller then gives them the code, and the scammer now has a Google Voice number with the seller’s phone number as the verified number behind it! They just social-engineered their way into bypassing 2FA. This is why you should never give out verification codes – especially if you didn’t request them. Instead, it might be time to reset the password of the account that verification email came from. Just don’t click any links in those verification emails, either: go straight to the home page of the site instead to log in. The verification email might be a phishing attempt all by itself, hoping you’ll click a fake link to the website!
How To Avoid it in the First Place
It’s better if they never get to test 2FA at all. There are a few key tips to avoid phishing scams. Firstly, is there a sense of urgency? Your utility companies aren’t going to call and say they’ll shut off your water without at least a few mailed reminders that your bill is due! The same goes for your bank. If they demand that you resolve a problem right then, right there, out of the blue, it’s probably a phishing scam (if you’re nervous it’s not a scam, call the alleged company using their number off of their Google page or their real website). This goes for both phone and email phishers.
If it’s an email or a text, ask yourself if you were expecting an email or a text from that company. If you get a Fedex text update that you didn’t sign up for, it might be a phishing scam. If you got a notification from Walgreens that your photos have finished printing, and you didn’t print any photos, it might be a phishing scam. They want you to click or tap the links they include to see what’s going on. Spelling errors are also a common tell – it’s not impossible for a company to make spelling errors in their communications with you, but they won’t be littering the page with them! Phishing scams do that to weed out people who know better so they won’t waste time on targets that won’t crack.
You should also check the sender of the email! Spoofing is a technique that attaches a real name that you might know to an email address or phone number that definitely doesn’t belong to them. Anyone can set their name to George Smith or Big Company Customer Service in Gmail, but they can’t change the email address they’re sending from. If it’s [email protected] and not [email protected], for example, it’s probably a phishing scam.
The same goes for caller ID, although it’s getting harder and harder to tell real calls from fake ones – scammers can set their name to something like “Hospital” or “School” to make it more likely you’ll pick up. Some more sophisticated operations can even make it look like they’re calling from a different number altogether, using VOIP technology to match the area code of the caller to the person being called. Just like in the urgency tip, you should be able to call a legitimate company or organization like a school back from the number they have on their website, or the number you know to reach them at. If they’re really resistant to you hanging up and calling back for reasons that don’t make sense, it might be phishing. Unfortunately, some scam calls are really tough to pick up on, and the FCC can’t do much to stop them if they’re not in the US. Many people today don’t answer their phone unless they were explicitly expecting a call as a result, and phone companies themselves sometimes offer up call and text screening.
Spear Phishing
Spear Phishing is much more sophisticated by default. It’s a scam that can’t just be blasted out to 500 people, they want to get you! They’ll use every trick in the book they can to get you to click a link or give out information you shouldn’t. If they think you have valuable information on your company, for example, they may send an email pretending to be a coworker by using spoofing, and they will write more carefully to avoid misspelling anything. If something doesn’t feel right, it’s important to check the ‘coworker’s’ email address for spoofing, which should stop most spear phishing attempts in their tracks. If you examine the entire domain name for misspellings, you may find one! For example, somebody using [email protected] or [email protected] instead of [email protected] might snag a few people who didn’t look closely enough. A scammer may also try to use a line like “I’m locked out of my work email, so I’m using my personal one” to try and impersonate your coworker. Many organizations have policies against using personal addresses for this exact reason – how can you verify they’re with the company if they’re using Gmail or Yahoo? Anyone could make an account with their name at that point! In this case, if the coworker didn’t warn you or share this address with you beforehand, you shouldn’t interact with the email further. Don’t click any links or attachments in the meantime.
You can even forward the email to IT! If you’re worried that the coworker really needs that sensitive data (which fits into creating a sense of urgency, like mentioned above) consider the risks of falling for a phishing scam vs. the risks of standing your ground when you didn’t need to. A phishing scam can completely pull down your entire operation, lock up or steal files, and wipe computers of their data, setting a company back with nearly nothing. Not giving information out to an email address you don’t recognize can delay a project or annoy a client, yes, but it’s much better than wrecking your organization, in which case you’ll also delay projects, but for much longer as your company recovers from a phishing-based security breach. Better to be safe than sorry!