Protect Yourself From Cyber Criminals
Viruses, malware, ransomware, and data breaches—in today’s increasingly tech-saturated environment, it’s no longer a question of “if” but “when.” And when it comes to your personal, private, and financial information, you want to do everything you can to stay informed and stay secure.
Cyber Security Basics
Social engineering is the art of manipulating and deceiving a person in order to gain control over his or her computer. It’s important to understand what social engineering tactics hackers use (and more importantly, how to protect yourself against them) because they pose an enormous risk to everyone using the Internet today. So here we’ll focus on online/email tactics, like “phishing” and “spoofing,” because with cyber attacks rising dramatically in society’s increasingly tech-saturated environment, data breaches are no longer a question of “if” but “when.”
What is “phishing”?
Phishing is a common social engineering tactic in which the hacker targets a user and sends him or her a counterfeit email that appears to be coming from a legitimate organization or acquaintance. The email urges the user to take a specific action, such as clicking a link or downloading attachments. Once the user takes this action, the hacker is able to access the machine, seize personal and financial information, and effectively compromise all data within.
What is “spoofing”?
Often going hand-in-hand with phishing, “spoofing” is a common social engineering tactic among hackers in which the hacker manipulates the “sender” or (“from”) email address. Hackers can make the sender’s email address appear as whatever they want. They can spoof your boss’s email address, your mother’s email address, or they create their own appearing to be coming from a company you trust, like “support@yourbank.com” or “ITdept@walmart.com.”
Phishing Scam Example
A classic example of phishing is the tech support scam, and it comes in many varieties and levels of sophistication.
When online services providers detect unusual activity about their users’ accounts, they have adopted the practice, in recent years, of notifying the user to verify that the activity was made by the account holder. Not surprisingly, hackers have used this trend to their advantage–creating nearly identical replicas of these types of emails and sending people dangerous links appearing to be coming from a reputable company the recipient knows and trusts.
The message urges you to perform an action (type your username and password, click a link, etc), alleging that it’s for your own “safety and security.” Many of the emails are designed poorly with bad grammar, etc., but others look legitimate enough for someone to click if they aren’t paying close attention.
Reply-to: amazonupdates@amazon-secure-web.com
Subject: Status alert: your account has been used fraudulently without your permission!
Amazon.com
Account ID: 008541595
We have reason to believe that your account has been used fraudulently without your permission. In addition, any unauthorized activity, such as buying or selling, has been canceled and any associated fees have been credited to your account. Any listings that we removed are included toward the end of this email. We assure you that your financial information is securely stored on a server that cannot be seen by anyone.
To secure your account, you need to update your payment informations and other stored information on your account is correct.
For detailed instructions, please click the link below:
(Click for more information)
This fake Amazon security notice warns potential marks of “unusual log in activity” on their accounts, and prompts them to click an unsafe link. Clicking can download harmful malware / ransomware automatically to your machine and / or grant remote access to the cyber criminal unbeknownst to you.
Phishing Attempt Warning Signs
When it comes to identifying a phishing attempt, there are a few key areas that can implicate a potential threat. Ask yourself these questions when you receive an email that seems out of the ordinary.
Am I expecting an email from this sender?
Or does this correspondence strike me as suspicious, unprompted, and out of the blue?
Does this email sound like the sender?
If the sender is someone you know (i.e., a friend or colleague), does it sound like him/her? Is this how they normally talk/write? Is it riddled with typos? If so, is that typical of the sender?
Is the subject matter characteristic of the sender?
For instance, if the email appears to be coming from your brother and asks you to wire him money but not to call him, is this characteristic of him or does it seem unusual?
Similarly, does the content/subject matter make sense?
For instance, if the email is an order confirmation from “Amazon,” did you order anything from Amazon recently or does this seem wrong or out of place?
Do you normally receive these types of emails from this account?
For instance, this appears to be your bank statement, but it’s going to your work email instead of the personal email listed on your account?
Does the email urge you to take immediate action?
Is the email trying to force you to take a certain action by using terms like “ASAP,” “urgent,” “immediate,” “right now,”? I.e. You “must” change your password “right away.”
When hovering over the links in the email, do they appear to be legitimate?
Place your cursor over one of the links (but DO NOT click it). The URL/website that the link will direct you to will be displayed next to your cursor. Does it match the website it says it will take you to?
How to Handle a Phishing Email
First things first, trust your instincts. If there is any question as to the legitimacy or intent of the email, DO NOT click any of its links, download any attachments, respond to the sender, or in any way interact with it.
Instead, you should:
- Determine its legitimacy. Contact the sender directly via phone call or in person and ask whether they sent the email.
- Then, without clicking its contents, forward the email to your company’s IT department.
- The IT department can then:
- Investigate the matter further
- Help you determine whether or not the message is safe
- Block future messages from the sender
- Warn others within the company, as colleagues may have been targeted as well
- Educate other users on the dangers of phishing and social engineering
- Potentially identify the sender and pursue punitive measures accordingly
Can you spot the red flags?
Now that you know some of the red flags that often indicate the presence of a potential threat, see if you can spot them all in the email below.
From: Amazon ‹amazonorders@amazonpurchase.com›
Reply-to: Amazon ‹amazonorders@amazonpurchase.com›
Subject: Refund Processed for Your Order #110-900-9888-7533015
We have processed your refund of $210.99 for your Order 110-900-9888-7533015 from Smith Supply Inc.
To review your order details and refund status, click here.
You can verify the refund for this order by clicking on the Verify Refund button below:
– Verify Refund-
After verification, the refund should appear on your account within 24 hours if issued to a credit card.
Refunds issued to a bank account typically take 7-10 days to reflect on the account balance.
Thank you for shopping with us.
Getting too much email from Amazon ‹account-updates@amazon-com.com› You can unsubscribe.
Below, we’ve identified a number of key areas that should’ve aroused your suspicion and are often good indicators of a potential threat.
From: Amazon ‹amazonorders@amazonpurchase.com›
Red Flag: Suspicious sender email address
Reply-to: Amazon ‹amazonorders@amazonpurchase.com›
Red Flag: Suspicious reply-to email address
Subject: Refund Processed for Your Order #110-900-9888-7533015
Red Flag: Did you recently order and then return something from Amazon? Or does this strike you as unusual, unprompted, and out of the blue?
Red Flag: Are you expecting an email from this sender?
We have processed your refund of $210.99 for your Order 110-900-9888-7533015 from Smith Supply Inc.
Red Flag: Does this purchase even sound familiar? Consider the price, timing, vendor, etc.
To review your order details and refund status, click here.
Red Flag: Hovering over link reveals suspicious URL.
You can verify the refund for this order by clicking on the Verify Refund button below:
Red Flag: Do you normally have to verify funds with Amazon?
– Verify Refund-
Red Flag: Hovering over link reveals suspicious URL.
After verification, the refund should appear on your acount within 24 hours if issued to a credit card.
Red Flag: Typo
Refunds issued to a bank account typically take 7-10 days to reflect on the account balance.
Thank you for shopping with us.
Getting too much email from Amazon ‹account-updates@amazon-com.com›
Red Flag: Another suspicious email.
You can unsubscribe.
Red Flag: Hovering over link reveals suspicious URL.