How to Spot and Avoid Common Phishing Scams
June 9, 2016
Identifying phishing in the cyber security world is no time for fish tales. In fact, it costs companies in the US somewhere between $700K and $2 billion each year. Although it’s in the news often and people are more aware than ever of what it is and that it is happening, successful phishing attacks are on the rise. In fact, 12 out of every 100 users fall victim to it, according to a study of over 8 million people by Verizon. While 12% may seem somewhat insignificant when talking about millions, it is important to understand that a single successful attack may result in a very serious breach of a company network. Therefore, knowing the difference between a whale of a tale and a real day on the pond is very important.
Here are some of the most common phishing attacks (in no particular order) and what to do to avoid falling victim to them:
Pharming. This is where a website’s domain is hijacked and used to redirect unsuspecting website visitors to a fake site. Primarily this type of scam intends to steal credentials and sensitive information by asking the user to enter details into a form. A domain is essentially the street number and street name of a website; it usually comes after the “http” or “www” of a site name and before the “.com.”
- To avoid this, get into the habit of not clicking links in email messages that you are not 100% certain are legitimate. Hover over the link to confirm the web address of the site and make sure it goes where you expect. If you think it should go to PayPal.com but it goes to PayPalConfirmations.com, it should be considered very suspect.
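The hover-and-compare check above can be made mechanical. The following is an added example (not a tool from the original article) that takes the real target of a link and the domain the reader expects, then reports whether the registrable domain matches, is a look-alike that merely contains the brand name, or is something else entirely. It goes a little beyond the article's PayPal case by also catching two common tricks: the brand placed in a subdomain of a different domain (paypal.com.something.example) and a "user@" prefix put before the real host. All sample links are constructed, and the code assumes a simple "last two labels" rule for the registrable domain, which is fine for .com but not for suffixes such as .co.uk (use a public-suffix library there).

```python
"""Check whether a link in an e-mail really points at the domain the reader expects.

Added illustration for this article, not the author's own tool. The hostnames and
sample links are constructed. Assumption: the registrable domain is the last two
labels of the host (correct for .com, wrong for multi-part suffixes such as .co.uk).
"""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'accounts.paypal.com' -> 'paypal.com'.

    A bare IP address has no domain at all and is returned unchanged.
    """
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href: str, expected_domain: str) -> dict:
    """Classify a link relative to the domain the reader expects to land on.

    Verdicts: 'ok' (registrable domain matches), 'lookalike' (brand name present
    but the registrable domain differs), 'unexpected' (unrelated host),
    'unparseable' (not an http(s) URL with a host).
    """
    reasons = []
    parts = urlsplit(href.strip())
    # urlsplit separates userinfo from the host, so 'paypal.com@evil.example'
    # yields hostname 'evil.example' and username 'paypal.com'.
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return {"host": host, "domain": None, "verdict": "unparseable",
                "reasons": ["no http(s) host"]}
    if parts.username is not None:
        reasons.append(f"userinfo '{parts.username}@' placed before the real host")
    if parts.scheme != "https":
        reasons.append("plain http, not https")

    expected = expected_domain.lower()
    domain = registrable_domain(host)
    if domain == expected:
        verdict = "ok"
    else:
        # The brand name appears in the host or userinfo, but the registrable
        # domain is different: paypalconfirmations.com, paypal.com.x.example, etc.
        brand = expected.split(".")[0]
        lookalike = brand in host or brand in (parts.username or "")
        verdict = "lookalike" if lookalike else "unexpected"
        reasons.append(f"registrable domain is '{domain}', expected '{expected}'")
    return {"host": host, "domain": domain, "verdict": verdict, "reasons": reasons}


# Constructed sample links in the spirit of the article's PayPal example.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://paypalconfirmations.com/verify",
    "https://paypal.com.account-check.example/login",
    "http://paypal.com@198.51.100.7/",
    "https://secure-login.example/paypal",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = check_link(link, "paypal.com")
        print(f"{r['verdict']:11} {link}  {'; '.join(r['reasons'])}")
```

Only the first sample comes back `ok`; the rest are flagged because the registrable domain, the part that actually decides where the browser goes, is not paypal.com, no matter how much the rest of the address resembles it.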
Deceptive or Generic Phishing. This involves email messages being sent asking users to enter information into a form or re-enter details. It can also ask for payments. Often they appear to come from a known sender and are difficult to identify as fake. However, the sender may be unknown as well.
- Avoid this by paying attention to the greetings. If they are generic or make little sense to you, do some additional verification. If the request asks for information that should already be in your account details, go directly to your account and do it there. Don’t fill out forms that pop up as a result of a clicked link or in an attachment, regardless of what type of attachment. Just get into the habit of immediately deleting email messages from strangers that ask you to click a link or open an attachment. It’s safer that way.
Spear-phishing. This is more sophisticated than deceptive, or generic, phishing and typically more difficult to detect because the messages may appear to come from a supervisor or manager, a co-worker, a vendor, or a service provider, among others with whom you may do business. Often it appears the message comes from an executive or high-level manager. The information the cybercriminals use may be found on social networks, business networking sites, or various other information sources. They usually ask for banking details or other sensitive information and, in some cases, ask for money to be transferred somewhere that typically ends up in the criminals’ pockets.
- Avoiding these may be a bit trickier. The hackers are getting more creative and more detail-oriented at targeting us for phishing. If they ask for sensitive information such as payroll details or social security numbers, or ask for money to be wired, take that extra precaution and call the sender to confirm before doing anything else.
Shared drive phishing. This refers to any location where shared documents may be stored, such as Google Docs, iCloud, or Dropbox. The intent may be to gather sensitive details, but it could also be to install malware on your system. Often the landing page is a real page, such as one on Google Drive. They may intend to get login credentials for your Apple account or Android applications, or any other account details that may be valuable to them, or they may be trying to get you to execute malware.
- Avoid this by using multi-step verification and verifying with the sender that the request is legitimate. Look for typos and poor grammar and be 100% sure you are responding to a real request before taking any action.
Phishing is serious business. So much so that the cybercriminals use big names in hopes of tricking you and they succeed far too often. Company names used for phishing include Apple, PayPal, eBay, and of course Microsoft. Companies where users fell victim are no small phish either. They include Target, Snapchat, WhatsApp, and Etna.
Remember, the key to knowing if it’s safe to open an attachment or click a link that is emailed is whether it is expected or a complete surprise. If you are expecting it, it’s probably just fine.
© Copyright 2016 Stickley on Security