October is Cyber Security Awareness Month! Week 2
Phishing
by Christina Belfiglio
October 2021
Click here to download and/or print article PDF
Phishing attacks account for more than 80% of reported security incidents. The attacks can come in the form of emails, text messages or chat boxes.
According to Phishing.org, phishing is defined as “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss.”
Phishing can come in many forms and may provide what appears to be a security feature to lure victims into a sense of trust.
Some common features of phishing messages:
- The sender’s email address may be slightly different than a known contact. For example, at first glance you may not notice a difference in the below email addresses. The second address replaces the ‘m’ in company with the letters r and n to make it appear as the letter m.
info@mailer.company.com info@mailer.cornpany.com - Email is addressed to a general audience, for example, “Dear Customer” or “Friend.”
- Poor grammar and/or spelling
- Sense of Urgency
- Links or attachments
Phishing Examples and key indicators
The above example consists of the following phishing email key indicators:
- The sender’s name has no association with the email address. The email address does not list a company name.
- The email has been addressed to “friend” instead of directly to the recipient.
- There is poor grammar throughout the email.
- The email provides a link which does not indicate a company name.
- At no point does the sender indicate the company they are promoting.
In the above example there are several key indicators that this message is a scam. Several are:
- The To email address is not to the actual recipient.
- The From email address is from a gmail account, not a McAfee business account.
- The heading is very general. In a message with such specific account information the email would be addressed to the customer, not “Valued Member.”
- Confusing Message – The email states that the auto renewal “was charged,” is “upcoming,” “will expire today,” and “will be auto renewed.”
- Grammatical Errors – Call and “intimate us,” team will “do the needful to stop”
- Term Discrepancies – It is a 1 year subscription that will renew on 7/30/21 (a day after the email was sent which also causes a sense of urgency) but the last renewal was on 11/18/2018, nearly 3 years ago.
Fraudsters are no longer relying on emails alone for their schemes. Phone calls and text messages are also used to obtain logins, passwords, and other personal information. Typically, the scammer sends a text message to the potential victim asking if they made a specific purchase. If the victim responds, “No,” the scammer calls the victim claiming to be the vendor or financial institution and asks for sensitive information.
How you can protect yourself:
- Install anti-virus software on your computer, phone, and other electronics
- Consider using a password management app. These apps can create strong passwords that are very difficult to guess.
- Never provide personal, account, or financial information over email, phone, or text. If there is an instance where you must provide information, for example, if you question a charge on your account, reach out to the vendor directly.
- Do not click on links in text messages or emails. Go directly to the known website to log in.
What to do if you responded to a phishing message:
- If you think a scammer has your information, like your social security, credit card, or bank account number go to IdentifyTheft.gov. The website provides resources for many scenarios.
- If you clicked on a link or opened an attachment that may be harmful update your computer’s security software, then run a scan.
How to Report Phishing:
- Forward the phishing email to Anti-Phishing Working Group at reportphishing@apwg.org. If you receive a phishing text message, forward it to SPAM (7726).
- Report the phishing attack to the FTC at ReportFraud.ftc.gov.
Sources:
https://www.phishing.org/what-is-phishing
https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
https://www.schwab.com/resource-center/insights/content/beware-next-level-phishing?cmp=em-RBL