Don’t Be A Phish
The IRS published a bulletin this week warning us all not to fall victim to fake “phishing” emails claiming to be from the IRS and requesting personal information. But, like most announcements of this nature, it didn’t go far enough in explaining how to identify these fake emails. Identity theft, and attempted identity theft via spoofed emails or websites, has become a HUGE problem in today’s increasingly digital society. So, our IT guy volunteered to provide some brief education for you.
Why the heck is it called “phishing”?
Obviously, it’s a play on “fishing”, but why the phunny spelling? The answer actually dates back to the early 70s when the term “phreaking” was coined in reference to “phone freaks”, the tech-savvy adventurers and thieves who were hacking into the phone system. This subculture eventually became “computer hackers”, and when they started attacking email and trying to collect personal info, the term “phishing” was born!
There’s also a really good alternative music band called Phish. This has nothing to do with them!
What are their methods?
Unfortunately, their methods change as quickly as we come up with ways to hinder them. But, if you approach EVERY email in your inbox and every link in an untrusted email or website as a THREAT, you’ll go a long way towards keeping your personal information safe. Rest assured, “the enemy” knows you. More than you might expect. You can get an email that addresses you by name and, at first glance, appears to be from someone you know. Or you can get an email that appears to be from a government agency, financial institution or other business… and they can be very convincing fakes! But, you can still protect yourself by being skeptical and applying a little logic.
How did they get your name and your friend’s name and connect them together? Someone, somewhere was careless and got their computer infected with malware that is either emailing directly from their computer using their contacts, or has sent their contacts list back to the phisher. This doesn’t have to be YOUR mistake! It could be the friend or business that the email appears to be from that got hacked. Or, it could be a mutual acquaintance that has both of your names and email addresses. The point is… it happens. Just because an email is addressed specifically to YOU by name is no indication that it is legitimate.
What if I open a phishing email?
Generally, merely opening and reading an email is harmless. However, formatted emails that include linked ads could include malicious scripts that could infect your computer with malware or a virus. Be sure to protect your computer from this sort of attack with a virus scanner that includes real-time malware/phishing protection and keep it current! With good virus/malware protection in place, the risk of reading an email is extremely low.
But, don’t get carried away! There’s a difference between “reading” and “clicking”. Most of the danger of these phishing emails lies in getting you to believe that they are legitimate emails, and getting you to either reply to the email with sensitive information, or to click a link to a website that will either ask for such information, or again try to install some sort of malware onto your computer. Don’t click ANYTHING that you’re not sure of, and don’t REPLY to anything that you’re not sure of. And, of course, never, EVER open an attached file unless you specifically requested it and you trust the sender.
How can you identify fraudulent email?
There are sneaky ways around some of these, which you can only block by adopting a strict “trust no one” policy. But, most “phishing” email is pretty straightforward and low-tech. Start by looking at the email address. If the email claims to be from your buddy Joe and you know his email address is “firstname.lastname@example.org”… but the email address this email is from is “email@example.com”… you don’t need to look any further, it’s fake!
If you can’t tell by the email address (and we’ll get more into what to look for), look at the links in the email. Don’t CLICK them, just look at them. Be aware that HTML allows us to mask a link with any text of our choosing, so just because it LOOKS like a valid link at a glance doesn’t mean that it is. To see the real link (in most cases), simply hover your mouse pointer over the link and, depending on what you’re reading mail with, the address will appear somewhere (usually either in a status bar at the bottom of the screen, or in a bubble next to your mouse pointer). Learn to do this and get in the habit of doing it. KNOW where that link takes you before you click it.
Fake email addresses and links will quickly identify 95% of all phishing emails that you’ll get. They’re painfully obvious if you just take 10 seconds to look. But, as mentioned in the opening paragraph, even I still haven’t sufficiently told you how to identify a faked email or website address!
How to verify real addresses
The reason this is so rarely explained well is that IT professionals and other web-savvy people know all this stuff. It’s very basic and second nature to us, so we don’t think to explain it any more than you’d think to tell someone to sharpen a pencil before they try to write with it. But, in this age, there are no “qualifications” for getting on the Internet. In fact, everyone is just “expected” to be online… but not everyone has had the benefit of any sort of formal training. And with software being designed to be so easy to use, you don’t really NEED to know much… until you’re trying to verify legitimate addresses to avoid being a phish!
So, let’s examine both website addresses (they are also called URLs or “Uniform Resource Locators”) and email addresses and get familiar with their parts. Both email and website addresses share the same major component, the domain name. We’ll start there.
A domain name in its simplest form is something like “google.com”. It’s an alphanumeric identifier (can’t begin with a number, but can include numbers) followed by a dot and a “top level domain” (TLD) identifier, such as “.com” or “.net”. With a few exceptions (such as “.mil”, “.gov”, and “.edu” and certain country-specific TLDs), anybody can buy any domain name that another entity does not already own. This is one of the simplest ways that a domain can be “spoofed” to the untrained eye. The fake address could be something like “google.co” rather than “google.com”. We don’t see “.co” much in the US, but it’s the TLD assigned to the country of Colombia. Perfectly valid domain name… but if Google were to send legitimate email to a customer in the US, it would come from “google.com”! So, a domain name that has “google” (or whatever you’re dealing with) in it is not enough. You need to look at the TLD and see that it is legitimate.
You also need to understand that in addition to the base “domain name” and the “top level domain”, a domain can have any number of “sub-domains”, the additional identifiers to the left of the domain name. And that’s fine, you could get an email from something like “mail32.google.com” or be sent to “maps.google.com” and that would be legitimate. The main domain is “google.com”, and nobody can fake a subdomain against that. What you need to watch out for are surreptitious subdomains that are NOT related to the correct root domain. If the address was “google.xxx.com”, then it would be a subdomain of “xxx.com”, which is obviously NOT “google.com”. Don’t forget that there is no limit to how many subdomain levels there can be. So, they can get sneaky and give you something like “google.com.stealyoidentity.net”… which would give you “google.com” at a glance, but if you read the whole thing, you see that the root domain is again NOT “google.com”.
Phishers get REALLY sneaky with this sort of thing. They may have a domain name of “paymentprocessing.com” and put “chase” in front of it as a subdomain. The unsuspecting phish might think “chase.paymentprocessing.com” was a legitimate domain for Chase credit card services… but you’re now wise to that, aren’t you? You know that’s not correct, but that something like “paymentprocessing.chase.com” would be.
The remaining parts of a website address or URL are the “protocol”, which is at the very beginning and will normally be “http” (for a standard web page) or “https” (for a secure web page). That is followed by some standard punctuation, a colon and two forward slashes. Between there and the next forward slash (if present) is the domain name (including TLD and subdomains). And after that is a folder path and filename, which you don’t need to concern yourself with (they can be simple and logical… or long and complex, and either can be legitimate).
A couple more things
The “from” address on an email is very easy to spoof. You could do this yourself with Outlook or whatever you’re using to manage your mail. Same with the “reply to” address. You could send an email “from” anyone, “to” anyone, with a “reply to” anyone. But, if you think about what a phishing email is trying to do… they may spoof the from address to make you think they’re someone else, but if they want to receive your reply, they’re going to put THEIR email address in the reply-to field. So, if you have any inclination to reply to an email, CHECK the address that you are replying to using what you learned above and a little common sense. Does this reply-to address make sense? Most businesses that have a website will have email addresses that use the same domain name. Smaller businesses sometimes won’t… but if you’re not sure, call them! Or check their website or their business card. Be sure you’re corresponding with who you think you are.
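Here is the “read the whole thing” rule from the domain discussion above, and the reply-to check from this paragraph, as an added example (my code, not part of the original post). It assumes the post’s rule of thumb that the root domain is the last two labels of the host (name plus TLD); multi-label country suffixes such as “co.uk” would need a public-suffix list, which this simplified checker leaves out. The sample addresses are the post’s own examples plus constructed header values.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Added example, not the post's own code. Rule of thumb from the post: the
# root domain is the last two labels (name + TLD); everything to the left is
# a subdomain that anybody can attach to a domain they own.
# Assumption/caveat: multi-label public suffixes such as "co.uk" are NOT
# handled here; a real checker would consult a public-suffix list.

def host_of(address: str) -> str:
    """Return the lowercased host of a URL, a bare hostname or an email address."""
    address = address.strip()
    if "://" not in address and "@" in address:
        return address.rsplit("@", 1)[1].lower()      # email: part after the '@'
    if "://" not in address:
        address = "http://" + address                 # bare host -> treat as URL
    host = urlsplit(address).hostname                 # drops protocol, path, port
    if not host:
        raise ValueError(f"no host found in {address!r}")
    return host.lower()

def root_domain(address: str) -> str:
    """Name + TLD, i.e. what the post calls the real domain."""
    labels = host_of(address).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"malformed host in {address!r}")
    return ".".join(labels[-2:])

def matches_expected(address: str, expected_root: str) -> bool:
    """True only if the address really belongs to the domain you expect."""
    return root_domain(address) == expected_root.lower()

def reply_to_mismatch(headers: dict) -> bool:
    """True when Reply-To would send your answer to a different root domain than From."""
    sender = parseaddr(headers.get("From", ""))[1]
    reply_to = parseaddr(headers.get("Reply-To", ""))[1] or sender
    return root_domain(sender) != root_domain(reply_to)

if __name__ == "__main__":
    # The post's own look-alike examples, checked against "google.com".
    for addr in ["maps.google.com", "google.co", "google.xxx.com",
                 "http://google.com.stealyoidentity.net/login",
                 "alerts@chase.paymentprocessing.com"]:
        print(f"{addr:45} root={root_domain(addr):22} "
              f"google.com? {matches_expected(addr, 'google.com')}")
    # Constructed header pair: the visible sender is spoofed, the reply goes elsewhere.
    print(reply_to_mismatch({"From": "Joe <firstname.lastname@example.org>",
                             "Reply-To": "email@example.com"}))
```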
Lastly, the best thing you can do is simply NOT click links in emails. Got an email from your Visa card company telling you to click this link to go check something? Don’t trust it. You know what their website address is. Open a browser and TYPE IT IN. That way you know without question (assuming you have good virus and malware protection and your browser hasn’t been hijacked) exactly what website you’re going to and who is on the receiving end of your username, password and other sensitive information.
What if you’ve been “phished”?
If you detected the scam before revealing any personal information, you don’t really need to do anything. Just delete the email and carry on. Resist the urge to reply to it and say nasty things about the sender’s ancestry; all that does is give them confirmation that they at least have a valid email address… which is actually worth money to them. If you really feel the need to take action, and it’s an email spoofed from a friend, you can tell them so that they can scan for problems, and you could broadcast to all of your mutual friends that one of THEM could have a problem. If it’s commercial, find the email address of the fraud department of the business that the email is spoofing and forward it to them so that they can either take action, or at least be aware of what’s going on.
If you’ve managed to fall for a phishing scheme, you need to try to limit your exposure as much as possible. What information did you give them? User name and password for your bank account? Better change that password pronto! And call the bank to let them know that there was a possible breach so that they can flag your account for close scrutiny. Do you use the same password for anything else? (shame on you if you do!) If so, be sure to change those other passwords, too.
If you went beyond that and leaked credit card numbers, you may need to call and have a new card number issued. If you gave away your SSN… you’re just going to have to be on the lookout for fraudulent activity, so check your credit report frequently (you should be checking it annually, anyway).
If all you gave away was contact info, like your address, email address and phone number, that’s not such a big deal; somebody already has that anyway. You’ll probably get a little more junk mail, or spam email, or maybe phone solicitation. You probably won’t notice a difference, since we all get so much of that, anyway.
If this article didn’t sufficiently bore you, you can read:
What the IRS has to say about Suspicious Emails and Identity Theft
The “How Stuff Works” entry on Phishing
FCC’s information about Identity Theft
(BTW, you should not even trust US! Look at each of the links above. Verify them. You should see correct domain names… “irs.gov”, “howstuffworks.com”, “ftc.gov”. You are your own best line of defense! Know what you’re clicking before you click it!)