We get a lot of questions from our customers about the various cyber threats out there. Right up there at the top of that list is Phishing. Most people don’t really understand what it is or what they can do about it, so we’re going to break it down for you.
Why do they call it Phishing?
There’s a really good reason for it. Even if you’ve never gone fishing, you know how it works:
- Get out your fishing pole
- Put the bait on the hook
- Cast it into the water
- Wait to catch a fish
Out in the cyber world, it’s basically the same thing:
- Buy email addresses from the dark web
- Craft an email with fake links
- Send the email to as many people as possible
- Wait to see who clicks on it
It’s a Numbers Game!
The people who do this kind of thing are hoping that you’re not paying attention. They are counting on you to trust something that looks familiar. In short, they are preying on the busy, the unaware, and the lazy. Any one of the three is a potential victim that can be exploited…and that covers an ocean of people.
What are These Hackers Trying to Catch?
- Email addresses
- User Names
- Contact Lists
All of it has value. Hackers buy email addresses and contact lists to build new phishing attacks. They utilize or sell user names and passwords to steal personal information for everything from identity theft to personalized marketing scams to security breaches. Every bit of information that they can get from you has a dollar value on the dark web.
How Do You Outsmart the Hackers?
The short answer: pay attention to every email. There are five simple ways to avoid becoming a victim.
- Look at the Email Address, not just the Sender Name – no legitimate organization will ever contact you from a public domain, e.g. @gmail, @yahoo, etc.
The problem is that most people don’t even look at the email address, only the display name and subject line. Hackers are smart. In addition to creating a fake email address, they also create a fake display name. Because of this, you jump directly to the content. They don’t depend on this alone: good phishing emails also include the correct banners and color schemes to mimic the organization the email is crafted around. All of it is a distraction to keep you from looking too closely at the email address, because those fake email addresses are an obvious giveaway of the scam. Phishing emails evoking Apple, Netflix, PayPal, and Amazon are very common because their logos are familiar and a lot of people have accounts with them, so if you’re not paying attention, they’ve got you on their hook!
- Pay attention to Spelling—hackers are clever; they will use minor misspellings to fool you into thinking an email address is legitimate. It’s really easy to mistake rnedia for media if you aren’t paying attention.
As we mentioned before, hackers are smart and they learn from their successes and failures. They know that the email address is the biggest giveaway of the scam, so they try to compensate for it by making the domain name spelling close. Since anyone can buy a domain name from a registrar so long as that name is not currently in use, they will use simple misspellings such as Anazon, Neftlix, and Appel to fool you. The goal is to make the email seem legitimate at first glance. We’re going to say this again because it cannot be said enough: the bets way to foil these hackers is to pay attention. Go back and re-read that last line again. Did you see what was written or what you expected to see?
- Read the Content of the Message—odd phrases and blatant grammatical errors are obvious indicators. Hackers use spell checkers, so it’s rare that you will find spelling mistakes, but if there is a string of missing words, it’s probably not legitimate.
Wait a second: we keep telling you how clever these hackers are, so if they’re so smart, why would there be blatant grammatical errors? The short answer is that many of them either aren’t very good at writing or are from non-English-speaking countries. The good thing about that is that it makes it a lot easier to tell the difference between a simple typo made by a legitimate sender and an error that is indicative of a scam. Using spell-checkers and translators gives them the right words, but not the right context. Look for missing words, grammatical incoherence, and whether the language is consistent with previous messages you’ve received from the person or organization. If you’re in doubt, don’t respond to the email; use an alternate method of communicating with them, e.g. a different email address you already have for them, their website, or a phone call.
- Suspicious Attachments and Links—no legitimate organization is ever going to send you an unsolicited log-in link or ask for your username or password; only hackers and scammers do that. If you receive an invoice, receipt, or link from someone you don’t know or from an email address that looks wrong, don’t click on it!
Attachments and links are the malicious payload that the hackers are delivering. Let’s take a closer look at these. Attachments often come in the form of documents or PDFs, usually disguised as receipts or invoices. To the hacker it doesn’t matter whether the recipient is expecting the attachment; all that matters is that they open it. Once it is open, the malware is unleashed on the computer and you are on their hook! The best advice we can offer is to never open a document unless you are confident it is legitimate, e.g. you are expecting an invoice because you bought something from the company. Even then, it is prudent to look for anything suspicious in the content–don’t ignore tips 1-3 just because you are expecting something. Always be aware and pay attention.
Links are a little trickier, as they usually come in the form of a button or are embedded in a phrase. Hackers do this because the destination link won’t match the context of the email, which would be another dead giveaway of a scam. Malicious links often point to websites that use key phrases such as “billing” or “membership” surrounded by a series of random numbers and letters.
If the malicious link is hidden, how can you know? It’s actually pretty easy. On a computer you can hover your mouse over the button and the full link will show up in a small bar at the bottom of the browser. On a mobile device, hold your finger on the link and you will get a popup with the full link in it. To avoid getting hooked, train yourself to always check the links before opening them.
- The Message contains a Sense of Urgency—hackers don’t want you to think about the email, because the longer you think about it the more likely you are to realize it’s a scam, so they manufacture importance. They use threats, short reward periods, and risks of missed opportunities to get you to act now! Don’t.
Hackers know that most of us are procrastinators and that the more time we have to think about things, the more likely it is that we will pick up on something from tips 1-4 above. For that reason, they prey upon our fear of missing out or of acting before it’s too late. These are especially effective in workplace scams, as the hackers know that most people will drop everything else when the boss has an important request. The more urgent the email appears, the more caution should be exercised in responding. Of all the tools that hackers use, none is quite as effective as a manufactured sense of urgency, because it puts the focus on the call to action and off the clues.
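To make the five checks concrete, here is an added example in Python that is not part of the original article and not any product’s code. It applies the same heuristics a careful reader uses by eye (real address versus display name, look-alike domains such as Neftlix and paypa1, link text that disagrees with the href, key phrases followed by random tokens, and urgency wording) to a constructed sample message. The trusted-domain list, the homoglyph table, the urgency phrases, the 0.85 similarity threshold, and both sample emails are illustrative assumptions.

```python
"""Phishing triage heuristics for the five checks above.

Added example, not from the original article. The trusted-domain list,
homoglyph table, urgency phrases, threshold and sample messages are all
constructed for illustration.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: brands the reader holds accounts with (the article's own examples).
TRUSTED_DOMAINS = {"amazon.com", "netflix.com", "paypal.com", "apple.com"}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Character pairs that look alike on screen; "rn" for "m" is the article's example.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]
URGENCY_PHRASES = ["act now", "within 24 hours", "immediately", "will be suspended", "final notice"]
# A key phrase such as "billing" followed later by a 12+ character random token.
RANDOM_TOKEN_PATH = re.compile(r"(billing|membership|login|verify)[^\s]*?[=/][A-Za-z0-9]{12,}", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def base_domain(host):
    """Keep only the registrable part: www.netflix.com -> netflix.com."""
    return ".".join(host.lower().split(".")[-2:])


def normalize(domain):
    """Undo common look-alike substitutions before comparing."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def lookalike(host):
    """Return the trusted domain this host imitates, or None if it is trusted or unrelated."""
    domain = base_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        # Exact after de-homoglyphing (paypa1 -> paypal) or a one-letter slip (anazon, appel).
        if norm == trusted or SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


def brand_mentioned(text):
    """Which trusted brand, if any, does this display name or link text invoke?"""
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in text.lower():
            return trusted
    return None


def check_sender(from_header):
    """Tips 1 and 2: the real address versus the display name and known brands."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    claimed = brand_mentioned(name)
    if claimed and domain in PUBLIC_MAIL_DOMAINS:
        findings.append(f"display name invokes {claimed} but address is public webmail {domain}")
    target = lookalike(domain)
    if target:
        findings.append(f"sender domain {domain} looks like {target}")
    return findings


def check_links(html):
    """Tip 4: the visible link text must agree with where the href really goes."""
    findings = []
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text)
        claimed = brand_mentioned(visible)
        if claimed and base_domain(host) != claimed:
            findings.append(f"link text mentions {claimed} but points to {host}")
        target = lookalike(host)
        if target:
            findings.append(f"link host {host} looks like {target}")
        if RANDOM_TOKEN_PATH.search(href):
            findings.append(f"link path mixes a key phrase with a random token: {href}")
    return findings


def check_urgency(text):
    """Tip 5: manufactured urgency is a reason to slow down, not speed up."""
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    return [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in plain]


def triage(from_header, body_html):
    """Run every check; an empty list means none of the heuristics fired."""
    return check_sender(from_header) + check_links(body_html) + check_urgency(body_html)


# Constructed sample messages (not real mail).
PHISH_FROM = '"Netflix Billing" <support@neftlix.com>'
PHISH_BODY = ('<p>Your payment failed. Your account will be suspended within 24 hours.</p>'
              '<a href="http://paypa1.com/billing/verify?id=Aq9ZkLm3Pq7Rt2Wx">Update on Netflix</a>')
LEGIT_FROM = '"Netflix" <info@netflix.com>'
LEGIT_BODY = '<p>Here is what is new this month.</p><a href="https://www.netflix.com/browse">Browse</a>'

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, triage(hdr, body) or ["no findings"])
```

Run as a script, the constructed phishing sample produces six findings (look-alike sender, link text pointing at the wrong host, a second look-alike host, a random-token path, and two urgency phrases) while the legitimate sample produces none. A heuristic like this only flags; it does not decide. Legitimate organizations send from subdomains and third-party mailers, so the allow-list and the similarity threshold need tuning for the senders you actually deal with, and the article’s advice to verify through another channel still applies to anything that is flagged.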
With every success and failure, hackers are learning. Phishing attacks are getting more advanced. They’re using better lures. Don’t end up dangling on the hook. Pay attention. Outsmart the hackers and just keep swimming.