Phishing attempts, two words I hear far too often. I used to think it was truly amazing that people fell for these silly things. After reading more about them, and hearing of some of the clever ones, I thought this was a topic worth visiting because, like everything in this world, phishing attempts are improving.
I used to believe that phishing attempts were limited to fake emails, bogus websites, and things that were easy to spot. If I received an email claiming to be from the Bank of America, a bank I don’t use, that read something like “enter your account information here, our databases were lost in a flood”, then my next steps would be something like the following:
- First and foremost I’d probably roll my eyes
- Then I would wonder what fool could possibly think that would work
- Maybe throw in a chuckle or two
- And finally continue my day with no damage done and a slightly increased trash folder
But alas these were the phishing attempts of old. Now they’re clever, and after reading a few examples of some of the more clever ones I’m a little concerned. I’ll give you an example so we can all worry together. Let’s say you’ve come across an old snow blower, a situation I’ve found myself in recently, that doesn’t run. I like to think I know a few things about motors and I love a nice challenge, so I think to myself, “I’ll find the manual and fix it up myself”. So I do what anyone would and I go to the company website to search for the manual. Unfortunately they don’t have it, as this snow blower predates the dinosaurs themselves. Logic dictates that I now go onto Google, search for the manual, download the PDF from a third party website and continue on my way.
This is where some of the clever phishing attempts hide. PDFs are just documents; they couldn’t possibly do anything bad, right? Well ladies and gentlemen, it seems they can, in two different ways. A real PDF can carry scripts and deliberately malformed objects that exploit bugs in the reader that opens it. And the file called manual.pdf may not be a PDF at all but an executable with a misleading name; Windows hides known file extensions by default, so manual.pdf.exe shows up in your downloads folder as plain manual.pdf. Either way, opening it can hand control of your machine to someone else. It’s possible that it could wipe your hard drive, gather up email contacts, credit card numbers, files, bank account passwords, internet histories, etc. and send them to someone hiding in a dark corner half way across the world. All I wanted was to fix up a motorized relic, but now I need to change all my passwords and bury my head in the sand. Thankfully that won’t be necessary since the PDF file was just the manual posted by some kind and gentle human being who shared my passion for small engines.
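As an added example (this is not code from the original post), here is a small Python check that looks at what a downloaded file actually is rather than what its name says: the first bytes of the file, the real extension hiding behind a double extension like manual.pdf.exe, and, for a genuine PDF, whether it contains the dictionary names that make a PDF do something when opened rather than just display pages. The sample files are constructed inline, and the lists of run-on-double-click extensions and of risky PDF names are assumptions for the demo; the name search is a naive substring match that a hostile file can evade with escapes such as /J#61vaScript.

```python
import os
import re

# Added example, not code from the original post. Sample files below are
# constructed inline; no real download is involved.

PDF_MAGIC = b"%PDF-"   # every PDF starts with this
EXE_MAGIC = b"MZ"      # every Windows executable starts with this

# Extensions Windows will run rather than open in a viewer (assumed list).
RUN_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".msi", ".jar"}

# PDF names that make a document act when opened (assumed list, the same idea
# as the pdfid tool). Naive: a hostile file can spell these with escapes.
ACTIVE_PDF_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
                   b"/AA", b"/EmbeddedFile")


def active_keys(data):
    """Names from ACTIVE_PDF_KEYS that appear in the raw bytes as whole names."""
    found = []
    for key in ACTIVE_PDF_KEYS:
        # The name must end where the key ends: /AA must not match /AAPL.
        if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", data):
            found.append(key.decode())
    return found


def inspect_download(filename, data):
    """Classify a downloaded file by content first and by name second.

    Returns (verdict, reason); verdicts are executable, mismatch,
    active-pdf, pdf or unknown.
    """
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(EXE_MAGIC):
        return ("executable", "starts with MZ: a Windows executable, whatever the name says")
    if ext in RUN_EXTENSIONS:
        # manual.pdf.exe: Windows hides the last extension by default, but it
        # is the one that decides what happens on double-click.
        return ("executable", f"extension {ext} is run, not opened in a viewer")
    if not data.startswith(PDF_MAGIC):
        if ext == ".pdf":
            return ("mismatch", "named .pdf but does not start with %PDF-")
        return ("unknown", "no recognised file header")
    keys = active_keys(data)
    if keys:
        return ("active-pdf", "real PDF, but it carries " + ", ".join(keys))
    return ("pdf", "real PDF with no active content names")


# Constructed samples: a harmless manual, a renamed executable, two double
# extensions, a PDF that runs JavaScript on open, and a text file named .pdf.
SAMPLES = {
    "manual.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n",
    "manual (1).pdf": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "manual.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "manual.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');\n",
    "manual_v2.pdf": (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                      b"2 0 obj\n<< /S /JavaScript /JS (app.alert('hi')) >>\nendobj\n%%EOF\n"),
    "manual.txt.pdf": b"Here is a manual, but it is not a PDF\n",
}


def report(samples=SAMPLES):
    """Run inspect_download over every sample; returns {name: verdict}."""
    verdicts = {}
    for name, data in samples.items():
        verdict, reason = inspect_download(name, data)
        verdicts[name] = verdict
        print(f"{name:16} -> {verdict:11} ({reason})")
    return verdicts


if __name__ == "__main__":
    report()
```

The order of the checks is the point: content is examined before the name, so a renamed executable is caught even when the name is innocent, and a double extension is caught even when the content is something Windows would happily hand to a script host.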
Now before you get out your tinfoil hats (which actually amplify radio waves going through your skull, fun fact) there are a few rules I have for you to keep you safe from these phishing attacks.
- Apply common sense – In all the research I did on the topic not a single website explicitly stated this, but they all meant it. If something seems suspicious to you, it probably is. Don’t click on anything, don’t give away any personal information to anyone, don’t download anything and please, please, PLEASE don’t give away financial information.
- Don’t give away financial information – Oh wow, will you look at that, wasn’t that a convenient intro. Seriously though, I don’t think this can be said enough. If you’re not logging onto online banking or shopping through a reputable online shop, don’t enter your financial information. And if you’re not sure, refer to rule number 1: apply common sense regularly.
- Check bank details regularly – Okay, no one’s perfect, or maybe the phishing attempt was unbelievably well done and you had absolutely no idea you walked into it. Or you forgot the first two rules. Whatever the case, you need to catch this if it happens, and checking your bank details and statements is the best way to do it. If something seems wrong, like your VISA bill is 500 dollars too much, it probably is. Apply rule 1 and save yourself some pain. With those three out of the way let’s dive into some more technology-based rules.
- Update and be careful with technology – The remaining rules are the technical ones. I placed them in order of most to least important. Different sources will place different importance on some factors if they are, for example, trying to sell you Anti-Virus software.
- Do not click on hyperlinks in e-mails – Only bad things can happen really, especially if it’s from an unknown source. The text of a link and the place it actually goes are two different things, so if you must follow one, hover over it first to see the real address, and for anything involving your bank type the address in yourself or use a bookmark you made earlier. Apply rule 1 generously here.
- Verify https (SSL/TLS) – Whenever you’re entering credit card or bank info the address bar at the top should start with “https://”, not “http://”, and there should be a lock icon beside the address (older browsers put it in the bottom right hand corner of the window). Clicking the lock shows the website’s certificate, including which domain it was issued to. Always click the lock. One caveat: the lock only means your connection to whatever site is in the address bar is encrypted. A phishing site can have a perfectly valid certificate for its own lookalike name, so read the domain in the address bar as well and make sure it really is the bank’s, not something like bankofamerica.com.example.net.
- Enable your firewall – Decently self-explanatory but it needs to be said.
- Take advantage of anti-spam software – If you don’t receive the phishing emails, then how would you fall into their grasp?
- MBSA (Microsoft Baseline Security Analyzer) – Checks that all your patches are up to date, which helps protect against exploits in Outlook, your PDF reader and so on. Microsoft has since retired MBSA; leaving Windows Update switched on, and doing the same for your other software, does the job now.
- Lastly update your anti-virus – Anti-virus can help, and you may as well keep yours up to date. If you apply the first rule when internet browsing, then you shouldn’t have many problems that this can solve. Symantec has come out and said that AV is dead, and while I disagree it is no longer enough to just have anti-virus. Honestly products like BrowseControl are likely better since they can prevent you or your employees from going to dangerous sites in the first place.
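The two rules about e-mail links and https, as an added example in Python that is not part of the original post: it pulls every link out of a constructed phishing message and reports what a careful reader would check by hovering over the link before clicking it: a visible address that differs from the real destination, plain http, a username-before-@ trick, a raw IP address, and a host that merely contains a bank’s name. The trusted-site list and the sample message are assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not code from the original post. The message below is
# constructed for the demo; the trusted-site list is an assumption.

# Sites the recipient really uses. A host that merely contains one of these
# names (bankofamerica.com.verify.example) is treated as a lookalike.
TRUSTED_HOSTS = ("bankofamerica.com", "paypal.com")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Host named by a URL or by bare text such as 'bankofamerica.com/login'."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def same_site(a, b):
    """True when one host is the other or a subdomain of it (www.x.com vs x.com)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def belongs_to(host, trusted):
    """True when host is the trusted domain itself or lives underneath it."""
    return host == trusted or host.endswith("." + trusted)


def check_link(href, text):
    """Reasons a link deserves suspicion; an empty list means nothing was found."""
    problems = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        problems.append(f"not https ({parts.scheme or 'no scheme'})")
    if parts.username is not None:
        # https://paypal.com@198.51.100.7/ goes to 198.51.100.7; the part
        # before the @ is a username the browser simply ignores.
        problems.append("user-info before @ hides the real host")
    if host and host.replace(".", "").isdigit():
        problems.append("raw IP address instead of a company name")

    # Visible text that looks like an address but leads somewhere else.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and host and not same_site(shown, host):
            problems.append(f"text shows {shown} but link goes to {host}")

    # Brand name inside the host without the host belonging to the brand.
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        if brand in host and not belongs_to(host, trusted):
            problems.append(f"lookalike: {host} is not {trusted}")
    return problems


def check_email(html):
    """Every link in the message, each with its list of problems."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


# Constructed phishing message: two bad links and one genuine one.
SAMPLE_EMAIL = """<p>Our databases were lost in a flood. Please re-enter your details at
<a href="http://bankofamerica.com.account-verify.example/login">https://www.bankofamerica.com/</a>
or <a href="https://paypal.com@198.51.100.7/">https://paypal.com/</a>.
Your statement is available as usual at
<a href="https://www.bankofamerica.com/statements">bankofamerica.com</a>.</p>"""


if __name__ == "__main__":
    for href, text, problems in check_email(SAMPLE_EMAIL):
        print(("SUSPICIOUS" if problems else "ok        "), repr(text), "->", href)
        for problem in problems:
            print("            -", problem)
```

Note that the second link is flagged even though it starts with https://: the connection would be encrypted, but to 198.51.100.7, not to PayPal. That is exactly why the lock icon on its own is not enough and the domain in the address bar has to be read too.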
All in all phishing attempts are usually pretty easy to spot but in the past few years they’ve certainly been getting more complex and devious. Falling into phishing attempts can be very easy, and sometimes almost unavoidable. However if you follow those rules you should be able to avoid most if not all phishing attempts.
Lastly, I will answer the question all of you must have been wondering this whole time. Yes, I did get the snow blower running beautifully, and yes it was given a sweet paint job.
By: Michael Kachaniwsky