Phishing - Don't Get Hooked!: The Basics on Avoiding this Old-School Scam

By: David Ellis
Published: August 18th, 2014

Phishing may be old news, but it still works. Ongoing education about phishing scams is essential for anyone who uses your system. It doesn't matter if you have the most secure security system in the world. It only takes one untrained employee to be fooled by a phishing attack and give away the data you've worked so hard to protect.

As part of your security awareness program (PCI requirement 12.6.1), your personnel should be trained at least annually on phishing. I recommend sending monthly memos, or displaying a poster outlining the telltale signs of a phishing attempt. (You can also hang this article in your break room!)

Phishing continues to remain a lucrative criminal profession in our email-packed world. Hackers send out more than 150 million fraudulent emails daily, hoping just a few will click on attached links, documents, or pictures (80,000 people fall victim to these scams each day).

The hackers' goal is to convince recipients to willingly provide Social Security numbers, passwords, banking numbers, PINs, and credit card numbers. Once the malevolent link is opened, hackers create new user credentials or install malware into your system to steal sensitive data. But there are ways to defend against phishing emails.

Phishing has many different faces. Sometimes cybercriminals trick recipients into opening an attachment that loads harmful malware onto their system. Other times, they trick recipients into providing sensitive personal information directly through bogus online web forms. The most successful phishing emails (because they look legitimate) appear as though they originated from reputable companies like Best Buy, Amazon, USPS, DHL, and PayPal. Here are some very tricky phishing scenarios I've seen in my own email.

• Your friend sends you an email telling you he's in a foreign country and desperately needs money. Your friend's email contact list was probably hijacked.
•  An online retailer emails you to let you know an item you purchased online cannot be shipped because your credit card has expired, or your billing address isn't correct, etc. If you click on the provided link, it takes you to a spoofed website and asks for updated payment/shipping information.
•  The IRS emails you to let you know you are eligible to receive a tax refund. It then asks you to submit a tax refund request or tax form. The IRS would never require you to send your tax form by email.
•  Your bank is conducting a routine security procedure and asks you to verify your account by emailing them back with your information. This scam is especially effective if you happen to be a customer of the particular bank portrayed in the email.

It's often difficult to distinguish a fake email from a real one. However, most fakes have subtle "phishy" hints. Here are some ways to recognize a phishing email:

•  Requests sensitive information. Chances are if you receive an unsolicited email from an organization that provides a link and asks you to provide sensitive information, it's a scam.
•  Odd domain names. Don't just check the name of the person sending you the email. Check their email address by hovering your mouse over the "From" address. Make sure no alterations (like additional numbers or letters) have been made. For example: michelle@paypal.com vs. michelle@paypal2.com.
•  Grammatical errors. Possibly the easiest way to recognize a "scammy" email is bad grammar. An email from a legitimate organization usually is well written.
•  Unsolicited attachments. Typically, authentic institutions don't send you attachments, but instead direct you to download documents or files from their own website. High-risk attachment file types include .exe, .scr, and .zip.
•  Links don't match URLs. Just because a link says it's going to send you to one place, it doesn't mean it will. If the link text isn't identical to the URL displayed as the cursor hovers over it, that's a good sign you will be taken to a site you don't want to visit.

If you get a phishing email

•  Don't click on any links, open attachments, or expand any included pictures.
•  Don't reply to the sender.
•  Forward the e-mail to the FTC at spam@uce.gov.
•  Delete the email from your computer.
•  If you do legitimate business with a company mentioned in the phishing email, call them on their nationally published telephone line and ask if they would like you to forward the email so they can take further action.
•  If the email appears to originate from one of your credit card companies, call the telephone number on the back of your credit card--not a phone number listed in the email. Their customer service agent will be able to tell you whether or not the email was legitimate.

David Ellis is the director of forensics investigations at SecurityMetrics and has more than 25 years of security experience. SecurityMetrics is a data security and compliance company offering security consulting, products, and services for businesses worldwide. For more information, visit securitymetrics.com or call 801-995-6858.

Related Stories