Updated: Oct 26, 2021
You’ve just received an unexpected email that requests you to take an immediate action. It seems authentic. The sender is someone you know or is from a known company or organization. The domain name looks right. The body of the email doesn’t contain any of the spelling or grammatical errors that are generally a telltale sign of a scam email. Should you act on the sender’s request?
No, you should not. You can’t be too careful with what is sent to you and what you see online, whether it’s on your desktop computer, laptop, tablet, or phone, whether it’s an email, a social media message, or a text. Anything online can be compromised, manipulated, or forged to make it appear trustworthy.
Phishing—the fraudulent act of communicating with you online to coax you to hand over critical information or to steal your identity, money, or both—is getting more sophisticated by the day. It is becoming increasingly difficult to tell the difference between legitimate online communications and dangerous scams.
It used to be the case that scam emails gave themselves away with poorly constructed graphics, bad grammar, and/or incorrect spelling. No longer. Cyber criminals are getting better at covering their tracks – they even pay native-language hackers to craft phishing emails with perfect spelling, syntax, and grammar, and produce sharp graphics.
So, what is your best line of defense? An old-fashioned phone call. Call the sender directly. Ask them if they sent the email in question. And, don’t use the contact information provided by the email or any website listed in the email. Open a fresh browser page or another browser entirely and search out the company’s contact information for yourself.
Let’s unpack the threat of phishing and steps that you can take to defend against it.
Be Observant: The Devil is in the Details
Getting into the habit of checking over emails can help you flag a potentially dangerous communication. A message that you received out of the blue warrants careful scrutiny. First, check the source of the email. Click on the downward-facing arrow, or “caret,” and look at the sender’s contact details. If you don't see that, look for a way to view the "internet headers" of the email. The header information will show the "Delivered-To", "Received", and other important details about the server-to-server communications during the email’s travel through the internet to your computer. Look at the digital signature information in the header detail. Does the sender’s information match the email name and domain of the person who purportedly sent it? Did the email come through a distribution list, eblast, or enewsletter service? Was the email digitally signed by a server? Does the server domain match the domain of the email address?
(If you don’t know how to do the above, ask me.) Also pay attention to encryption. Was the mail delivered using encryption? If so, what kind of encryption was used? Again, contact me if you’d like to see examples and I’ll be happy to send you screen captures.
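The header questions above can be turned into a repeatable check. The following Python is an added example, not code from this post: it parses the raw headers of a message and reports whether the visible From address lines up with the server-side evidence (the DKIM signing domain, the Return-Path bounce address, the last relay in the Received chain, and the Authentication-Results verdict your provider stamps on delivery). Both messages are constructed for illustration and use reserved example domains; the header names are real, the values are not.

```python
"""Header-alignment check for an unexpected e-mail.

Added example, not code from the original post. Assumptions: you can view the
raw "internet headers" of the message, and your mail provider stamps an
Authentication-Results header on delivery. Both messages below are constructed
for illustration and use reserved example domains.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: the From line claims one organization, while the DKIM signer,
# bounce address and last relay all belong to a different one.
SUSPECT_RAW = b"""\
Delivered-To: alice@example.org
Return-Path: <bounce@cheap-bulk-mailer.example>
Received: from smtp3.cheap-bulk-mailer.example (smtp3.cheap-bulk-mailer.example [192.0.2.10])
    by mx.example.org with ESMTPS; Tue, 26 Oct 2021 09:15:02 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=cheap-bulk-mailer.example;
    spf=pass smtp.mailfrom=cheap-bulk-mailer.example; dmarc=fail header.from=bigbank.example
DKIM-Signature: v=1; a=rsa-sha256; d=cheap-bulk-mailer.example; s=sel1;
    h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "BigBank Support" <support@bigbank.example>
To: alice@example.org
Subject: URGENT: Mailbox Upgrade Required

Your mailbox will be disabled unless you act now.
"""

# Constructed: a message where every server-side detail lines up with the From line.
ALIGNED_RAW = b"""\
Delivered-To: alice@example.org
Return-Path: <bounce@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.20])
    by mx.example.org with ESMTPS; Tue, 26 Oct 2021 10:00:00 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=example.com;
    spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
    h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Bob <bob@example.com>
To: alice@example.org
Subject: Lunch on Thursday?

Same place as last time?
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def org_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (smtp3.a.example -> a.example).
    Simplification: a production check should consult the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_headers(raw: bytes) -> dict:
    """Parse raw headers and report whether the visible sender matches the
    signer, the bounce address and the last relay. Mismatches mean 'verify',
    not 'proven fraud': newsletters and eblast services legitimately relay mail."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(str(msg.get("From", "")))
    return_path = domain_of(str(msg.get("Return-Path", "")))
    signatures = "\n".join(str(h) for h in msg.get_all("DKIM-Signature", []))
    dkim_domains = [d.lower() for d in re.findall(r"\bd=([^;\s]+)", signatures)]
    received = [str(h) for h in msg.get_all("Received", [])]
    last_hop = ""
    if received:  # the topmost Received line is the final hop into your provider
        m = re.match(r"\s*from\s+(\S+)", received[0], re.IGNORECASE)
        last_hop = m.group(1).lower() if m else ""
    auth_hdr = str(msg.get("Authentication-Results", "")).lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth_hdr))

    expected = org_domain(from_domain)
    warnings = []
    if not dkim_domains:
        warnings.append("message carries no DKIM signature")
    elif all(org_domain(d) != expected for d in dkim_domains):
        warnings.append(f"DKIM signer {dkim_domains} does not match From domain {from_domain}")
    if return_path and org_domain(return_path) != expected:
        warnings.append(f"Return-Path domain {return_path} differs from From domain")
    if last_hop and org_domain(last_hop) != expected:
        warnings.append(f"last relay {last_hop} is not a {expected} server")
    if auth.get("dmarc") == "fail":
        warnings.append("receiving server reports DMARC failure for the From domain")
    return {
        "delivered_to": str(msg.get("Delivered-To", "")),
        "from_domain": from_domain,
        "return_path_domain": return_path,
        "dkim_domains": dkim_domains,
        "last_hop": last_hop,
        "auth": auth,
        "warnings": warnings,
        "suspicious": bool(warnings),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("aligned", ALIGNED_RAW)):
        report = analyze_headers(raw)
        print(label, "->", "suspicious" if report["suspicious"] else "aligned")
        for w in report["warnings"]:
            print("   ", w)
```

The last-two-labels shortcut in `org_domain` is the weak point of this check: it treats `mail.example.co.uk` as `co.uk`, so a real deployment should use the Public Suffix List. The verdict is deliberately "suspicious", not "fraud", because a newsletter service sending on behalf of an organization produces the same mismatches; that is exactly when the phone call the post recommends settles the question.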
Be Careful: Don’t Click on Links, Don’t Open Attachments
When you receive an unsolicited email, never click on a link, never open an attachment, never play a video, never click on a picture file. Ever. No exceptions. It’s not worth the risk. Even if the email is from someone you know, an unexpected email from that individual should still raise a red flag. Their account might have been compromised. Don’t become part of their digital crisis. Call them and be sure.
Be Wary: Watch Those Uniform Resource Locators
Any website listed in a suspect email could be a trap. Click on it and a flood of malicious content could be let loose onto your computer and penetrate your network. Malicious website URLs may look identical or very close to that of a legitimate site, but may use a slight spelling variation or a different domain extension to fool the unwary. Determined crooks will spend money to buy domain names in order to trick you! A real-world example is fraudulent use of Microsoft’s name and intellectual property. A cyber attacker will craft an email and paste in graphics scraped off Microsoft’s own website. The email will be sent from a seemingly valid server, with malicious URLs that look like the real thing: microsoftlivesupport [.] com, microsoftsupport [.] cc, or mssuportchat [.] com, with sub-pages that look real. Those URLs are actually malicious: criminals have purchased those domains, and the servers hosting the pages deliver malicious content. (Please do not reassemble those URLs and visit them.)
Be on Guard: Don’t Fall for Emotional Come-Ons
Be very cautious with emails designed to put pressure on you to take an action. A subject line like “URGENT: Mailbox Upgrade Required” is a clear giveaway that the sender is trying to lure you and apply pressure, to get you to click on a link to a web page or open an attachment containing malicious code. The latest con that hackers are using is crafting emails designed to prompt an emotional reaction to a headline about a tragic news event or the latest political news. Don’t be fooled. Delete the message. If you’re curious about the email’s content, open a fresh browser tab/page or another browser entirely and search out the information for yourself.
Be Vigilant: Links to E-Signature or Cloud Storage Sites Could be Dangerous Lures
Messages from someone you may deal with from time to time may contain a link to an e-signature site—e.g. DocuSign—or a cloud storage site—e.g. Dropbox. Such messages warrant extra scrutiny: those links can be weaponized to deliver malicious content to your computer and your network.
Be Alert: Hold on to Your Wallet!
Be extra cautious about “requests” to send or spend money. Gift card scams are a common confidence trick that digital swindlers pull on the unwary. Our partner, the Secure Community Network, has reported that many local governments and faith-based organizations, including Jewish institutions, have received emails from individuals claiming to be members of the recipient’s organization or local community. In all the reported incidents, the email begins with a request for a favor. When recipients have responded, the sender claims to be unavailable and requests that the recipient purchase gift cards of specific dollar amounts for a named retailer. Then, the scammer directs the recipient to send, by email, the number and PIN for the gift cards once they have been purchased.
In each incident, the scam email was sent from a Gmail address created to mimic a legitimate organizational email address. All the reported emails contained signature blocks accurate for the institutions they purported to be coming from.
Don’t think that fraudulent schemes that have compromised other organizations can’t endanger yours. There are news articles online that you can look up. Example: go to Forward.com and look up “Rabbis are latest clergy targeted in email gift card scam” or “’Rabbi’ gift card scam spurred congregants to spend thousands.” Making a verification phone call would have prevented financial losses, as well as damage to reputations and public embarrassment.
Always verify the legitimacy of a transaction that requires transfer of money. Never send any personally identifiable information such as Social Security numbers, personal mailing or email addresses, and/or phone numbers over email.
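The gift card scam described above has a recognizable shape: a display name borrowed from a real staff member, a free-mail address that is not the organization's own, and a "favor" that turns into gift cards and PINs. The following Python is an added example, not code from this post or from the Secure Community Network: it scores an incoming message on exactly those three signals. The organization domain, the staff directory, the free-mail list and both sample messages are constructed for illustration.

```python
"""Display-name impersonation and gift-card lure scoring.

Added example, not code from the original post. Assumptions: the organization
keeps a small directory of real names and their official addresses, and mail
from staff normally comes from ORG_DOMAIN. All values below are constructed.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-congregation.org"  # assumed organizational domain
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Constructed directory: display names a scammer might borrow for a lookalike account.
STAFF_DIRECTORY = {
    "Dana Levin": "dlevin@example-congregation.org",
    "Rabbi Sam Katz": "skatz@example-congregation.org",
}

# Phrases typical of the gift-card confidence trick: the favor, the excuse for
# not talking, the cards themselves, the PINs, and the request for secrecy.
LURE_PATTERNS = [
    r"\bfavou?r\b",
    r"\bgift\s*cards?\b",
    r"\bpins?\b",
    r"\b(?:in a meeting|unavailable|can'?t talk|busy right now)\b",
    r"\b(?:discreet|confidential)\b",
]


def normalize_name(name: str) -> str:
    """Lower-case a display name and drop punctuation so 'Rabbi Sam Katz' and
    'rabbi sam katz.' compare equal."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def assess_message(from_header: str, subject: str, body: str) -> dict:
    """Score one message. A score of 3 or more means: stop and verify by phone."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    findings = []

    impersonated = None
    for real_name, real_addr in STAFF_DIRECTORY.items():
        if normalize_name(real_name) == normalize_name(display) and address.lower() != real_addr:
            impersonated = real_name
            findings.append(f"display name matches staff member {real_name!r} but address is {address}")

    if domain in FREE_MAIL:
        findings.append(f"sender uses a free-mail domain ({domain}) instead of {ORG_DOMAIN}")
    elif domain and domain != ORG_DOMAIN:
        findings.append(f"sender domain {domain} is outside the organization")

    text = f"{subject}\n{body}".lower()
    lure_hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if lure_hits:
        findings.append(f"{len(lure_hits)} gift-card lure phrase(s) present")

    score = (2 if impersonated else 0) + (1 if domain in FREE_MAIL else 0) + len(lure_hits)
    return {
        "impersonated": impersonated,
        "sender_domain": domain,
        "lure_hits": len(lure_hits),
        "score": score,
        "verify_by_phone": score >= 3,
        "findings": findings,
    }


# Constructed sample: the pattern reported in the post.
SCAM_FROM = '"Rabbi Sam Katz" <rabbisamkatz.office@gmail.com>'
SCAM_SUBJECT = "Quick favor"
SCAM_BODY = (
    "Are you available? I need a favor but I'm in a meeting and can't talk. "
    "Could you pick up 5 gift cards of $100 each and email me the numbers and PIN? "
    "Keep this confidential."
)

# Constructed sample: routine mail from the real address.
OK_FROM = '"Dana Levin" <dlevin@example-congregation.org>'
OK_SUBJECT = "Board meeting agenda"
OK_BODY = "Attached is Thursday's agenda for the board meeting. See everyone then."


if __name__ == "__main__":
    for args in ((SCAM_FROM, SCAM_SUBJECT, SCAM_BODY), (OK_FROM, OK_SUBJECT, OK_BODY)):
        report = assess_message(*args)
        print(args[0], "->", "VERIFY BY PHONE" if report["verify_by_phone"] else "no flags")
        for f in report["findings"]:
            print("   ", f)
```

The display-name check is the part that matters most: mail filters that validate the sending domain will happily pass a Gmail message, because the Gmail address is genuine; what is forged is only the human-readable name, and only a directory of who really uses which address can catch that.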
Be on Track: Keep Protective Software Up to Date
Install and maintain anti-virus and anti-malware software, firewalls, and email filters. Take advantage of any anti-phishing features your email client or web browser may offer. When software and firewall updates are available, install them right away.
Caveat: don’t rely on software or electronic defenses alone to protect you. They will filter out some attempts, but not all, and some scam emails will still land in your inbox. Defending against malicious email is an arms race of sorts – criminal hackers are always inventing or finding new vulnerabilities, or ways to exploit software, in order to keep a step ahead of the commonly used protective software defenses.
Be on the Lookout for Cyber Threats in Other Media
As of the publication of this post, the leading form of cyber-attack is the phishing email, but keep in mind that criminals use other attack vectors to try to coax you into clicking on a dangerous link or downloading a malicious attachment. Text messages, social media, messaging apps, website comment sections, and information feeds that anyone on the web can contribute to are other media that hackers use.
Not all criminal hackers try to get to you via messages. A hacker can call you on the phone using Voice over Internet Protocol (VoIP) technology and can make any phone number appear as the number they are calling from. Generally they will choose a phone number with the same area code as yours, to give you the idea that you are receiving a local call. This technique is called “social engineering,” and it requires you to be on guard. A criminal works ahead to find out information about you from your website and your social media profiles, gets hold of your phone number, and calls you. Like a practiced confidence trickster, they will use that information to gain your trust. Then, they will start asking you for information – looking for details about your job, computers, network, and security systems. Be suspicious of unsolicited callers asking about employees or other internal information. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain the person is authorized to have that information. If they claim to be from a legitimate organization, try to verify their identity. Ask for a name, address, and phone number that you can call back. As a double-check, search for their company’s name online, get its main phone number independently, call the reception desk, and check whether that person works for the company.
Also, malicious actors count on humans being human. They know that people by nature are curious, impatient, and want things “now”. They count on it. They will even purchase domains that are similar in spelling to sites you go to on a regular basis, just in case you are in a hurry and make a mistake in typing. Be careful when you type a URL into a browser. http://www.ebay.com is a very commonly accessed site, but if you are typing quickly, you might type www.ebya [.] com instead. That misspelled domain name has been registered, and the site it hosts serves malicious code. Simply landing on that site by accident could install software on your machine. You must pay attention.
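The URL section earlier (brand names with extra words glued on, or with a different domain extension) and the typing-mistake example just above are the same problem from a defender's side: deciding whether a hostname is a known-good domain or a look-alike. The following Python is an added example, not code from this post. It goes a little beyond the post's cases by also normalizing characters that read alike at a glance (rn for m, 0 for o) and by using an edit distance that counts a transposition such as ebya/ebay as a single typo. The watchlist holds the brand domains named in the post; every host it is run against is constructed and uses the reserved .example top-level domain, so nothing here is a live address.

```python
"""Look-alike domain check for hostnames found in a suspect message.

Added example, not code from the original post. The watchlist holds well-known
brand domains the post mentions; a real deployment would hold your own
organization's domains and those of vendors you deal with. All hosts checked
at the bottom are constructed and use the reserved .example TLD.
"""
from urllib.parse import urlsplit

WATCHLIST = ["ebay.com", "microsoft.com", "docusign.com", "dropbox.com"]

# Characters and digraphs that read alike at a glance (heuristic, not exhaustive).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Replace look-alike characters so 'rnicros0ft' compares as 'microsoft'."""
    for lookalike, plain in CONFUSABLE_PAIRS:
        label = label.replace(lookalike, plain)
    return label


def registrable(host: str) -> str:
    """Last two labels of a hostname (www.ebay.com -> ebay.com). Simplification:
    a production check should consult the Public Suffix List for co.uk etc."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insert, delete,
    substitute, or swap two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify_host(host: str) -> dict:
    """Classify a hostname against the watchlist. Verdicts:
    known-good, confusable, wrong-extension, typosquat, brand-embedded, unknown."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in WATCHLIST:
        return {"host": host, "verdict": "known-good", "brand": reg, "detail": "registrable domain is on the watchlist"}
    label = reg.split(".")[0]
    norm = normalize(label)
    for good in WATCHLIST:
        brand = good.split(".")[0]
        dist = dl_distance(norm, brand)
        if dist == 0 and norm != label:
            return {"host": host, "verdict": "confusable", "brand": good, "detail": f"{label!r} reads as {brand!r}"}
        if dist == 0:
            return {"host": host, "verdict": "wrong-extension", "brand": good, "detail": f"brand label with extension {reg.split('.', 1)[1]!r}"}
        if dist == 1:
            return {"host": host, "verdict": "typosquat", "brand": good, "detail": f"one edit away from {brand!r}"}
    for good in WATCHLIST:
        brand = good.split(".")[0]
        if brand in host:
            return {"host": host, "verdict": "brand-embedded", "brand": good, "detail": f"{brand!r} inside an unrelated domain"}
    return {"host": host, "verdict": "unknown", "brand": None, "detail": "no watchlist brand resembles this host"}


def classify_url(url: str) -> dict:
    """Extract the hostname from a full URL and classify it."""
    return classify_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed hosts shaped like the post's examples; none is a real address.
    for sample in ("login.microsoft.com", "https://www.ebya.example/signin", "rnicrosoft.example",
                   "microsoft.example", "microsoftlivesupport.example", "example.org"):
        r = classify_url(sample) if "://" in sample else classify_host(sample)
        print(f"{r['host']:32} {r['verdict']:16} {r['detail']}")
```

The check deliberately asks only "does this resemble a brand I care about?" and leaves "is this host malicious?" to the phone call; an unrelated domain comes back `unknown`, not `safe`. Extending `WATCHLIST` with your own organization's domains turns the same function into a check for the cousin-domain impersonation of your own staff.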
Summing Up
Staying secure from phishing requires constant vigilance. You must acquire the habit of second-guessing anything that lands in your inbox. Watch for red flags, sweat the details, and don’t let complacency creep into management of your life online. The best way to avoid falling victim to an email scam is to use your phone to verify that what you were sent by email, text, or social media message was legitimate.
The strongest firewall you have against online fraud is the one between your ears.
Be the human firewall.
Resources to Learn More
KnowBe4, CyberRiskAware, and Ninjio are examples of companies that provide security awareness training to organizations, their staff, and in some cases their family members.
YouTube also contains many helpful videos that you can watch to learn more about phishing. If you would like links to a few videos, email me and I’ll gladly send them to you.
Be SAFE, and if you have questions, please feel free to ask.
Web links to "Learn More" Articles:
Department of Homeland Security