How to avoid falling for phishing scams

Phishing is a common hacking scam that usually involves spoofing an email or a website of a trusted source such as PayPal, a large bank, your CEO, or even the FBI, CIA, or Department of Homeland Security, to name a few. The goal of phishing is to trick users into sharing confidential or personal information, which can then be used to steal more data or for fraud, such as identity theft.

To be savvy against these tactics, you need security awareness training in your company. For starters, here are phishing red flags to help your employees and users stay safe.

Dire warnings

You receive an email strongly urging you to take action immediately or else something terrible will happen to you, like asset seizure, account lockout, or even arrest. Don’t panic. No matter what the email warns, banks or PayPal don’t resort to sending “doom and gloom” emails. Typically, when a bank spots a suspicious transaction, they decline it and have their fraud prevention team give you a call. PayPal, on the other hand, may freeze the account. In any case, respectable companies will not send these emails. They will inform stakeholders through their accounts or via a telephone call that can be verified.


Banks, PayPal, and the FBI will never send you an attachment to fill out, nor ask for personal details by email. Important documents are usually still sent via snail mail or delivered to your official account. A legitimate email will tell you to read an important message by logging in to your account on the sender’s official website. In that case, don’t click any links in the email; instead, type the official URL into a new tab and log in there.


If an email contains a link, you can check its authenticity by hovering (but not clicking) your mouse cursor over it. A pop-up will appear and reveal where the link goes. Pay attention to the URL revealed. It could be obfuscated by sites like A legitimate business or institution will have no reason to hide a destination URL in this way. Other signs of shady URLs include a string of special characters such as < > # % { } | ^ [ ] and clever variations of a seemingly legitimate URL such as

Spoofed sub-domains

Spoofed sub-domains are often used for scammer-created websites that look exactly like the homepage of a trusted company. The scammers cannot use that company’s URL, so instead they register a domain such as or and then register a sub-domain such as or for their imitation site. Using that site, they trick users into handing over personal information such as login credentials.
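The link checks described in the two sections above (the revealed destination, the special characters, and a trusted name used as a sub-domain of some other domain) can be automated for a security-awareness tool. This is an added example, not code from the original article; the list of trusted domains and the sample URLs are hypothetical, and the registrable-domain helper is a deliberate simplification.

```python
from urllib.parse import urlparse

# Characters the article lists as a sign of a shady URL.
SUSPICIOUS_CHARS = set("<>#%{}|^[]")

# Hypothetical list of domains the user trusts; a real deployment would use the
# organisation's own domains and the services it relies on.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'paypal.com.evil.test' -> 'evil.test'.

    Simplification: production code should use the Public Suffix List so that
    hosts such as 'bank.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_red_flags(url: str, link_text: str = "") -> list:
    """Return the reasons a link looks like phishing (an empty list means none found)."""
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host name in URL"]
    domain = registrable_domain(host)
    # Spoofed sub-domain: a trusted name appears as a label of some other domain,
    # e.g. paypal.com.secure-login.test is NOT paypal.com.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if host != trusted and not host.endswith("." + trusted) and brand in host.split("."):
            flags.append(f"'{trusted}' used as a sub-domain of '{domain}'")
    # Special characters the article warns about.
    found = SUSPICIOUS_CHARS.intersection(url)
    if found:
        flags.append("special characters in URL: " + "".join(sorted(found)))
    # Userinfo trick: in https://paypal.com@evil.test/ the real host is evil.test.
    if parsed.username is not None:
        flags.append(f"'@' in URL; real host is '{host}'")
    # Visible link text names one domain while the link goes to another.
    if link_text:
        shown = urlparse(link_text if "://" in link_text else "http://" + link_text).hostname
        if shown and registrable_domain(shown) != domain:
            flags.append(f"link text says '{shown}' but link goes to '{host}'")
    if parsed.scheme != "https":
        flags.append("not https")
    return flags
```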

The green padlock

Aside from checking a site’s URL, check that the site has a valid security certificate. The quickest way is the green padlock icon beside the URL in your browser’s address bar. It shows that the URL in the address bar matches the URL embedded in the security certificate and that the certificate is authentic. Be suspicious if a site that looks like one you regularly visit prompts you to log in but does not display the green padlock.

Dear sir/madam

Any company that has you in its database, or a bank you have an account with, will not greet you as “Dear Valued Customer”, “Dear Sir or Madam”, or even “Dear Account Holder” in an email. They will address you directly by name.

Bad grammar

If you spot any grammar mistakes and typos, the email most likely didn’t come from the company it claims to be from. Legitimate companies, especially trusted names, hire professional writers and editors to create content with nearly impeccable English.

Email headers

These are records of where an email came from, where it was sent, and which address replies go to. It may be easy to make an email look like it came from a legitimate source, but it is difficult to hide the address it actually came from. Check the header by hovering the mouse cursor over the sender’s name. You can then see whether the email address is legitimate or shady, such as a spoofed sub-domain.
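The same header check, done programmatically and extended to the Reply-To and Return-Path headers that a mail client hides behind the sender’s name. This is an added example, not code from the original article; the brand-to-domain mapping and both sample messages are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a suspicious message: the display name says PayPal, but
# the address, the Reply-To and the Return-Path belong to unrelated domains.
SAMPLE_SUSPICIOUS = """\
Return-Path: <bounce@mail-relay.example>
From: "PayPal Service" <service@paypa1-alerts.test>
Reply-To: <recover@free-mail.example>
To: <you@example.com>
Subject: Your account will be suspended

Log in within 24 hours or your account will be locked.
"""

# Constructed sample of a message whose headers are consistent with each other.
SAMPLE_OK = """\
Return-Path: <bounce@paypal.com>
From: "PayPal" <service@paypal.com>
To: <you@example.com>
Subject: Your monthly statement is ready

Log in to your account to view it.
"""

# Hypothetical mapping of brand names to the domain they really send from.
BRAND_DOMAINS = {"paypal": "paypal.com"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_red_flags(raw: str) -> list:
    """Return the header inconsistencies found in a raw message (empty list = none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []
    # The display name claims a brand, but the address domain is not that brand's.
    for brand, real in BRAND_DOMAINS.items():
        if brand in name.lower() and from_dom != real and not from_dom.endswith("." + real):
            flags.append(f"display name '{name}' but address domain '{from_dom}'")
    # Replies would go to a different domain than the one shown in From.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # The envelope sender (Return-Path) comes from somewhere else as well.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain '{rp_dom}' differs from From domain '{from_dom}'")
    return flags
```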

Virus troubles

No website has the ability to scan your computer for viruses. Pages that claim to do so are most likely the source of a phishing scam or a virus attack themselves. Viruses can do far more than a mere webpage can detect, and checking a computer for infection takes time and resources beyond what a webpage can provide.


A pop-up from the FBI or a similar law enforcement authority warns you of your illegal activity. For starters, the FBI doesn’t use pop-ups to warn, let alone fine, criminals. They may certainly shut down illegal sites, such as those engaged in piracy, but they cannot fine or apprehend people for visiting these sites. The FBI can gather evidence, build a case, and seek a warrant of arrest, but only a judge has the authority to issue a fine or a warrant.

A large number of information security attacks are caused by negligence. Human error has been found to be a persistent cause of the majority of data breaches. Don’t be one of the casualties. Partner with a managed services provider that can help you protect your network and data with security measures that include security awareness training and proactive maintenance and monitoring. Contact Spectrumwise today.

