What is Phishing and how can you protect yourself from it?

Late one Vegas summer evening, I got a phone call from my bank asking if I had left the country in the last few days. I said no and asked why they were calling. They said they had seen a few attempted purchases from different locations in the US and out of the country in the last hour. The bank did not ask me for any details but instead provided me with details, such as where I spent money, when I spent money, and how much. They then asked if I had tried to spend $400 at a Walmart in Alabama; as I was in Vegas, I said no. They then asked if I had tried to spend the same amount somewhere in Germany. Again, I said no. They promptly canceled my debit card and stated they would be sending me a new one within the next few days. That’s when I found out that my information had been phished from my child, who was trying to purchase something online and thought it was a legitimate website, but neglected to tell me what he had done. That was my first encounter with a phishing scam.


What is Phishing?

Phishing is the fraudulent practice of sending emails (or other messages) that claim to be from a reputable company in order to steal personal information such as, but not limited to, passwords, credit card numbers, or login credentials. The thieves then either use your information to steal from you or sell it to other thieves. Typically, the phishers send out an email stating that there has been a security breach and that the victim needs to click the link in the email to change their password. Once the victim clicks the link, it takes them to a website that closely resembles the real one. When the victim enters their current credentials, the fake website logs that information, and any “changes” the victim made never actually took effect. The crook then logs into the actual website and changes the password to something the victim won’t be able to guess. Now the victim is locked out of their account. The crook may decide to place a “ransom” on the account (the victim must pay a certain amount for the crook to unlock the account and give it back), or the thieves simply take all the money out of the account. (2)


How can you protect yourself?

There are several ways to protect yourself from a phishing scam: verify with the actual company, verify that the proper URL is being used, and make sure the spam filter in your email is turned on. The spam filter isn’t always 100% accurate, and it can also misfile a legitimate email into the spam folder. It is also good practice to change your passwords every so often.

You should always be on the lookout for any form of phishing, as email is not the only way thieves try to steal your information. As technology grows, so do the ways such scams are carried out. If you get an unsolicited text on your phone, don’t click the link.

Never do anything sensitive online, such as banking, wire transfers, or company communications, while on a public Wi-Fi network, as some thieves set up rogue hotspots with software that can see what you are doing online.

Have good antivirus protection on your computer. This can prevent a virus from infecting your computer if you accidentally open an attachment. Always be mindful of what you are doing and where you are going online as well. Always double-check the URL you are typing, because even one small typo could take you to an unsafe website.

Although it may be easier to remember one password than a number of them, especially if you have multiple accounts with multiple types of businesses, never use the same or a similar password for different accounts. Use a combination of letters, numbers, and special characters (if they are allowed). Make the password at least 8-16 characters in length.


“The length and duration of the pandemic has allowed hackers an extended opportunity to hone and craft their domains. The language used in these malicious domain names is highly reflective of current trends, and key events like travel bans introduced globally have a direct impact on how hackers create resources to trick people.”(4)
-Nick Emanuel, senior director of product at Webroot

How to spot a phishing scam

Let’s say you received an email from a “company” you deal with, in this instance AT&T. Your spam folder didn’t catch it, so you assume it could be legitimate. The first thing you should always do when you receive an email is look at who sent it. As you can see in the above image, the “From” field has a legitimate-sounding name, but the actual email address looks like gibberish and not official. The next thing to do is look at the spelling and grammar of the content. If there are quite a few spelling errors or grammatical mistakes, delete the email right away. Another thing to look at is what the email is asking for. If an email from a supposedly reputable business asks you to sign in with a password or to verify a password, delete it immediately. No legitimate company will ask you for this information; it already has it and won’t need to ask. If there are attachments in the email, DO NOT OPEN THEM!!! They can launch a ransomware attack or a virus on your computer. If there is a link, DO NOT CLICK IT!!! Instead, hover your mouse over the link to see where it really goes. Secure websites with a valid Secure Sockets Layer (SSL) certificate begin with “https”. If the link does not go to an “https” address, delete the email. One more thing you can do, if you receive an email from, say, your bank, is to go to that bank’s website in a different browser or on a different device. Usually, the company will send you a notification through its own site (internal communication) if something needs to be changed or updated. If you are still unsure, call the company and ask whether the email is legitimate or whether you need to make changes to your account. Regardless of what you do, it is always best to log in to the genuine site and change your password.
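As an added example (not code from the original post), the following Python script applies the checks described above to a constructed sample message: it ignores the display name and looks at the real sender domain, checks whether the message asks about a password, and compares each link's visible text with its actual destination and scheme. The sample addresses and the set of known domains (`{"att.com"}`) are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not from the original post): legit-sounding display name over an
# unrelated address, a request to verify a password, and link text hiding a non-https target.
RAW_EMAIL = """\
From: "AT&T Billing" <x9k2l@mail-attt-billing.example>
To: customer@example.org
Subject: Urgent: verify your password
Content-Type: text/html

<p>Click <a href="http://att-verify.example/login">https://www.att.com/login</a>
to verify your password.</p>
"""

# Enough for the flat sample above; a real mail scanner would use an HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S)

def trusted(host, known):
    """True if host is one of the known domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in known)

def phishing_flags(raw, known_domains):
    """Apply the checks from the text to a raw message; return the red flags found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # 1. Who really sent it? Ignore the display name; look at the address domain.
    _, addr = parseaddr(str(msg["From"]))
    if not trusted(addr.rpartition("@")[2].lower(), known_domains):
        flags.append(f"sender {addr} is not from a known domain")
    # 2. What does it ask for? A real company does not ask you to verify a password.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    if "password" in (str(msg["Subject"]) + html).lower():
        flags.append("message asks about a password")
    # 3. "Hover over the link": compare the visible text with the real destination.
    for href, shown in ANCHOR.findall(html):
        target = urlparse(href)
        if target.scheme != "https":
            flags.append(f"link {href} is not https")
        if not trusted(target.hostname or "", known_domains):
            flags.append(f"link {href} points away from the known domain")
        shown_host = urlparse(shown.strip()).hostname
        if shown_host and shown_host != target.hostname:
            flags.append(f"link text shows {shown_host} but goes to {target.hostname}")
    return flags
```

Calling `phishing_flags(RAW_EMAIL, {"att.com"})` reports five red flags for the sample; a genuine billing notice from `att.com` with an https link to `www.att.com` produces none.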


The Microsoft-themed phishing attack uncovered in March 2021 targeted senior-level employees; the “attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data.” (3)
-ThreatLabZ, the Zscaler threat research team


How can you tell if a website is secure?

Besides the “https” in the website URL, you can look for the lock icon in the address bar. This shows you visually that the connection is secure. Keep in mind that the lock only means the connection to the site is encrypted; a phishing site can also obtain a valid certificate, so still check that the domain name in the address bar is the one you expect.

Another way to ensure safe browsing is to set the safety level in your browser or search engine settings to a protective level. This will warn you if you are about to visit a suspicious website.


What can you do if you are compromised?

The main thing to do if you ever feel you may have been compromised is, first and foremost, stay calm. Secondly, contact the business and inform them that your information may have been stolen. Have them put a fraud alert on your account, cancel any credit/debit cards, and have your bank reissue you new ones. If it is a service such as Netflix, change your password, and when it asks whether to log out of all devices, click yes. This forces any device that shared that username and password to re-enter the new password. Set up two-factor authentication (2FA); this means you must enter a code that is texted or emailed to you before you can continue onto the website. If you ever get a text or email asking you for this code, delete it or report it; you are the only one who should ever need that code.


Conclusion

While researching, I’ve learned that despite all my vigilance, I am still vulnerable in a few areas, such as some of my passwords being the same (which I promptly changed, of course). So, no matter how careful we are, there are always those “cracks” that thieves will attempt to use to gain access to your information.

Of all the ways someone can get scammed, phishing can easily be avoided as long as you stay vigilant. Never give out your information without verification, and always ensure that the individuals you are communicating with are legitimate. Remember, banks and other companies will NEVER ask you for your information or to verify anything regarding your passwords or account information. Two-factor authentication can be your best friend; it helps prevent others from accessing your account. Don’t use the same password for multiple accounts: if a thief can figure out one, they will attempt to log in to your other accounts with the same credentials.

If an email looks too good to be true, it usually is. If you have a bad feeling about an email, trust your gut. If you receive an email from someone claiming to be a company you deal with, but it contains multiple spelling or grammatical mistakes, chances are it is not from that company. If the link they are asking you to use is not protected with a lock icon or “https”, it is usually a fake link. NEVER EVER open an attachment from an email you were not expecting or whose sender you do not know.

Be cyber savvy and avoid phishing. (1)


References

(1) Phishing.org: https://www.phishing.org/what-is-phishing

(2) soscanhelp.com: https://www.soscanhelp.com/blog/top-phishing-scams-of-2021

(3) zscaler.com: https://www.zscaler.com/blogs/security-research/microsoft-themed-phishing-attack-targets-executives-using-fake-google

(4) infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/cyber-criminals-travel-covid-launch/