How to NOT Get Caught Up in a Phishing Attack and Scam
If you have kept up with the news whatsoever you probably heard about the spear-phishing attack that struck the Federal Government's Oak Ridge National Laboratory in Tennessee. Phishing is the act of sending out spam emails and hoping that one person clicks a link in that email that will take the user to a malicious website. Once on that website the users computer is then downloaded with malicious code that generally replicates itself and sends itself out to everyone in your email contacts. The more serious ones like the one at Oak Ridge will actually attack a whole network. Once inside the network, the infection can spread sensitive data to anyone, anywhere.
Spear-phishing is a targeted phishing attack. These are usually conducted against government entities or banking institutions. The attack on Oak Ridge was one of these spear-phishing attacks. No one knows where it came from but they do know how it got there. Someone clicked on a malicious website. Actually 57 clicked on it, out of the 530 people that received the email. Out of those 53, two machines got infected.
What can you do to prevent phishing attacks and scams? Knowledge is the best policy and here is some knowledge.
These scams find ways to get you to a page that looks like the login to a financial institution or other site where knowing your credentials can benefit them in some way. Many times the "hook" comes in the form of an e-mail that appears to be from a trusted source. Also in the e-mail is a call to click a link to go to a site that is made to look like the one you know.
Another common phishing scheme, especially on social networks, is to take advantage of messaging systems built into the products. The messages may even come from trusted friends, who have themselves fallen pray to the scam.
Once you are on the phishing site, if you type your login information, it will be sent to the bad guys, even though it looks just like a site you trust.
Your bank just sent you an e-mail. You open it up and the bank claims to have found an error in your favor. "Click here" to claim the money which is rightfully yours! The old saying still has resonance in this connected age. If it sounds too good to be true, it probably is.
Your friend may be touting a get-rich-quick scheme. Even if this friend usually shares completely reliable information, be wary. Your friend may have fallen victim to a scam himself. If you have his phone number, pick up the phone and get to the bottom of it. He may appreciate you alerting him to the scam.
Since we've all become fairly resistant to this "too good" scam, many phishers use the opposite approach. If it sounds too bad to be true, such as an unexpected large payment from your account being processed by your bank, watch out. The scammers are preying on your desire to fix the problem immediately.
The same goes for unexpected payments or charges with online wallet services like Paypal. When it comes to your money, especially, you can't be too skeptical. Read on for other ways to identify whether there's a scammer on the other end of that login form.
This may get a little techy, but it's something any internet user should learn. The URL (Uniform Resource Locator), which is the web page's full address, is a telling hint toward whether you're being scammed.
Your location bar is usually up at the top of the window you use for web browsing. The text inside starts with http:// or https://. The part that comes immediately after that is the host name, like /wired.com/. Sometimes, instead it has extra words up front, like /howto.wired.com/. That's called a sub-domain.
Whoever owns the main .com (or .net, .org, etc.) can make as many sub-domains as they want. Scammers use a simple trick to include your bank's name in front of their own web site name.
Let's say your bank's website is yourbank.com. A scammer might use yourbank.securebank.com, which looks pretty good. But remember, your bank can own anything ending in .yourbank.com. But whoever owns securebank.com (the scammer in this case) can put anything in front of securebank.com, including the name of your bank.
Using the URL to identify the scam means you have to understand the difference between securebank.yourbank.com and yourbank.securebank.com. If they look the same to you, know that makes you extra vulnerable. Just when you thought it couldn't get worse: often the scammers get really devious and use yourbank.com.securebank.com. The URL begins with your bank's complete web site name, but it's still a scam!
Some browsers identify the main part of the host name by bolding it in the location bar. That can make it easier to figure out whether or not you're looking at the real site. Even with the visual aid, it's still all too easy to misread the text in the location bar.
At this point, you have an inkling you're being phished, yet you also want to know if there really is a deposit waiting for your account. If it sounds too good to be true, and you aren't able to decipher whether it's the real URL, it's time to go straight to the source.
You need to visit your bank, or whichever site this is, directly. Don't click links in e-mails or messages, but preferably type the address of the site you usually use into the location bar. Alternatively, you can search for the name of the bank and click the search result.
Once you are on the site itself, log in there. Doing this will ensure that you are really on the correct website and not sending your credentials to a third party. When you have logged in, look to verify the information you were told in the potential phishing scam. For example, if your bank e-mailed you about a bounced check, wouldn't there be some sign of that on the site itself, too?
If you still aren't sure, you can go old school: Pick up the phone. If the site is a financial institution, there's got to be a way to call them. Remember to get the number from the real site, not from the site you visit by clicking a link.
Following this and other tips in this article should keep you safe from phishing scams. Healthy skepticism and a little technical know-how go a long way to keeping your personal data secure.