- Susan Snedaker
Can I Trick You? This is NOT About Halloween
October is Cybersecurity Awareness Month
In this second of four blog posts, we'll look at phishing. You might think you know all about phishing: email crafted to trick you into handing confidential information to an attacker, such as your username, password, account number or mother's maiden name, or into clicking a link that does the same job. Here are a few things you may not know that might help you avoid becoming a victim of a phishing attack.
Phishing Emails Have An Email Address - Look Beyond the Display Name
When you look at an email in your mail application or in a web browser, what you see first is the display name, a free-text label the sender attaches to the address. For example, I could create an email address of email@example.com and give it the display name Bank of America Fraud Alert. Nothing checks that the name has anything to do with the underlying email address.
So, when you see a display name, click on it and look at the address underneath. Don't trust a display name that looks like this: Bank of America Fraud Alert <firstname.lastname@example.org>. The angle brackets and the address inside them are part of the display name; the attacker typed them there so the preview looks as if it already shows you the sender. Tricky, right? Look at the underlying email address by expanding the header to see who's really sending that email. And a plausible address is only a first check: the address itself can be forged unless the receiving mail system verifies it, so treat a convincing sender as necessary but not sufficient.
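The same check, done programmatically, as an added example for this post (not the author's code): it separates the display name, which the sender sets freely, from the address the message actually came from, and flags the two tricks just described, an address-looking string planted inside the display name and a brand name paired with a domain that brand does not send from. The sample From: values and the BRAND_DOMAINS table are constructed for illustration.

```python
"""Separate the display name from the address that really sent a message.

Added example, not code from the original post. The sample headers and the
BRAND_DOMAINS table below are constructed.
"""
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed: brands this checker knows and the domains they genuinely send from.
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}

# Something that looks like an email address, wherever it appears in free text.
EMAIL_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(header_value: str) -> tuple[str, str]:
    """Return (display_name, address) for a raw From: value.

    RFC 2047 encoded words (=?utf-8?q?...?=) are decoded first, because a
    sender can hide the display name behind them as well.
    """
    decoded = str(make_header(decode_header(header_value)))
    return parseaddr(decoded)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def uses_domain(sender_domain: str, genuine: set[str]) -> bool:
    """True when the sender domain is one of the genuine domains or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in genuine)


def assess_from(header_value: str) -> list[str]:
    """Warnings for a From: value; an empty list means the header looked consistent."""
    name, address = split_from(header_value)
    if not address:
        return ["no parseable sender address"]
    sender_domain = domain_of(address)
    warnings = []

    # Trick 1: the display name itself reads like 'Name <someone@somewhere>',
    # so the preview appears to show an address that is not the real one.
    for planted in EMAIL_LIKE.findall(name):
        if planted.lower() != address.lower():
            warnings.append(f"display name shows {planted} but the mail is from {address}")

    # Trick 2: the display name claims a brand, but the sending domain is not that brand's.
    lowered = name.lower()
    for brand, genuine in BRAND_DOMAINS.items():
        if brand in lowered and not uses_domain(sender_domain, genuine):
            warnings.append(f"display name claims '{brand}' but the sender domain is {sender_domain}")
    return warnings


if __name__ == "__main__":
    # Constructed sample From: values; a mail client would show only the display name.
    samples = [
        "Bank of America Fraud Alert <email@example.com>",
        '"Bank of America Fraud Alert <firstname.lastname@example.org>" <email@example.com>',
        "=?utf-8?q?Bank_of_America_Alerts?= <alerts@bankofamerica.com>",
        "alice@example.net",
    ]
    for sample in samples:
        print(sample)
        for line in assess_from(sample) or ["looks consistent"]:
            print("   ", line)
```

The second sample is the trick from the paragraph above: the quoted display name contains its own fake "<address>", and only parsing the header shows that the real sender is email@example.com. Note that this checks consistency of the header, not authenticity; whether the sending domain was actually allowed to send the message is a job for the receiving mail server's sender checks.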
Step Away From Your Keyboard
Phishing emails have become very sophisticated. I know a few cybersecurity experts who had to take longer than usual to determine whether an email was legitimate, because attack methods continue to evolve. Regardless, attackers know one thing is true of all humans: we react on impulse to strong emotions, and fear is one of the most powerful.
In addition, even sophisticated users are sometimes tricked because of an unusual confluence of events. For example, you closed on your mortgage yesterday and today you get an email saying there's a problem with your mortgage and you should click a link immediately to resolve the issue or your mortgage will be declined. Did the bad guys know you just got a mortgage? Sadly, they might. Or it's just an unfortunate coincidence. Either way, your concern about closing on your home is amplified by this potential snag.
The best advice? Literally step away from your keyboard or put down your phone. Stop, breathe, think. Repeat.
Of course, all the well-worn advice applies here. Contact your mortgage company (or whatever company is being spoofed) directly, using a phone number on a statement or on the company's official published website, if you are concerned there might really be an issue. NEVER click the links, NEVER call the phone number provided in the email, NEVER reply to the email. If it arrived at a work address, report it to your security or IT team first, since they can find and remove the same message from other mailboxes; then mark it as spam and delete it.
Learn to Hover
If you slowly move your mouse over a link without clicking (this is called 'hovering'), your mail client or browser shows the web address (URL) the link will actually take you to, usually at the bottom of the window. On a phone there is no hover; press and hold the link instead and a preview of the address appears. Either way, the text of the link proves nothing: a link can read www.bankofamerica.com and point somewhere else entirely, so the address you see on hover or long-press is the one that counts. Look at it very carefully, because hackers make web addresses slightly different from legitimate ones in the hope you'll miss the difference. For example, instead of www.bankofamerica.com you'll see www.bantofamerica.com . The "t" in the fake address looks similar to the "k" in the real address, and if you're not looking closely you could easily miss it. That said, avoid clicking links unless you are absolutely certain it's a legitimate email and a legitimate link. It's always better to go directly to the published website in question than to click a link.
And, in the event you are tricked into clicking a link and you are directed to a website that starts asking you for personal or confidential information in order to log in or in order to [stop whatever bad thing the email is threatening], close the web browser immediately. Only enter your login credentials on a website you went to directly (open a browser, type in the address). If you've entered your bank information on a bogus site, for example, go directly to your bank's website, log in, change your password immediately and notify the bank. Change that password anywhere else you used it as well, because attackers try stolen credentials on other sites, and turn on two-factor authentication where the account offers it.
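What hovering does by hand, done for every link in a message at once, as an added example for this post (not the author's code): it pulls each link out of an HTML body, compares what the link says with where it really goes, and tests the destination host against the genuine domains of the brands it knows. It goes beyond the single bantofamerica.com case in the text in one respect: it also catches a genuine domain planted in front of an unrelated one (bankofamerica.com.account-review.example), which reads as the bank's site but is not. The HTML body and the BRAND_DOMAINS set are constructed for illustration.

```python
"""Do what 'hovering' does, for every link in an HTML message body.

Added example, not code from the original post. SAMPLE_HTML and BRAND_DOMAINS
below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the genuine domains we want to protect against lookalikes.
BRAND_DOMAINS = {"bankofamerica.com"}

# Link text that itself looks like a web address, e.g. 'www.bankofamerica.com/login'.
ADDRESS_TEXT = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL or of bare text like 'www.example.com/path', minus any leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 between two domains is the classic one-letter typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, text: str) -> list[str]:
    """Warnings for one link; an empty list means it looked consistent."""
    target = host_of(href)
    if not target:
        return ["link has no host"]
    warnings = []
    # 1. The text shows one address while the href goes somewhere else.
    if ADDRESS_TEXT.match(text) and host_of(text) != target:
        warnings.append(f"text shows {host_of(text)} but the link goes to {target}")
    # 2. The destination imitates a genuine domain without being it or one of its subdomains.
    for genuine in BRAND_DOMAINS:
        if target == genuine or target.endswith("." + genuine):
            continue
        if edit_distance(target, genuine) <= 1:
            warnings.append(f"{target} is one character away from {genuine}")
        elif f".{genuine}." in f".{target}.":
            warnings.append(f"{target} contains {genuine} but is a different domain")
    return warnings


def scan_html(body: str) -> list[tuple[str, str, list[str]]]:
    """Return (href, text, warnings) for every link in the body."""
    collector = LinkCollector()
    collector.feed(body)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]


# Constructed phishing-style body; the first link is the example from the text.
SAMPLE_HTML = """
<p>We detected unusual activity on your account. Verify now at
<a href="http://www.bantofamerica.com/verify">www.bankofamerica.com</a>
or <a href="https://bankofamerica.com.account-review.example/login">sign in here</a>.
Statements remain available at
<a href="https://secure.bankofamerica.com/statements">secure.bankofamerica.com</a>.</p>
"""

if __name__ == "__main__":
    for href, text, warnings in scan_html(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for w in warnings or ["looks consistent"]:
            print("   ", w)
```

The first link trips both checks: its text names the real bank while the destination is bantofamerica.com, one letter away. The second has innocent-looking text, so only the domain check catches it. The third is a genuine subdomain of the bank's domain and produces nothing. A real mail filter would back this with a much larger list of protected domains and would also resolve shortened links, which hide the destination from hovering entirely.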
What Seems Time Sensitive Usually Is Not
There are very few emails that require you to respond within minutes. Think about people in business. They may be in a meeting, on a break, or on vacation. Email is not your best bet for something that requires a timely or immediate response; most people use text or even (gasp) an actual phone call. So an email that makes you think the world will come crashing down immediately is more than likely a scam.
Finally, Don't Let Your Big-Heartedness Be Your Downfall
These days, there are tragedies and disasters all over the world. Many very legitimate organizations are raising funds to help people in all different ways. But these tragedies are also perfect bait for the bad guys. If you are inclined to donate time, supplies or money to these causes, don't respond to emails unless you're truly certain they're legitimate. The safer bet is to do an online search for the organization's official, published website and contact them directly.
As we head into the holidays, there will be holiday themed scams as well - preying on your desire for a limited time discount or an urgent need to help a cause. Don't be fooled.