Phishing - don't get hooked!

The idea of the con man is not a new one. Since antiquity, con men have exploited others by masquerading as someone else for personal gain. In Greek legend (told in Homer's Odyssey and retold in Virgil's Aeneid), the ten-year stalemate of the Trojan War ended when the Trojans were fooled into bringing a small group of Greeks inside their own walls, hidden in the Trojan Horse, which led to the destruction of Troy. Where ten years of bitter war failed, a simple con succeeded in one night.

The same concept holds true in today's digital age. Today's con men convince their victims to give up sensitive information such as passwords, bank account numbers, credit card numbers and Social Security numbers, or to open malicious programs that infect their computers. All of this is done simply by asking, through a social engineering technique known as phishing.

Phishing is a scam, most often delivered by email, in which the bad guys attempt to steal sensitive information by disguising themselves as a legitimate source such as your bank, your Internet service provider, or an online service you use (Dropbox, Facebook, etc.). They then convince you either to hand over sensitive information directly, or to visit a website that steals your credentials or infects your computer.

What to look out for

Knowledge is power! If you learn to spot a phishing email when it arrives, you will be less likely to fall for its convincing message. Here are a few tell-tale signs of a phishing scam. Consider the example below and its highlighted aspects:

[Image: example phishing email, with the aspects discussed below highlighted]

Generic greeting

Most run-of-the-mill phishing scams will not address the victim by name (although some do; more on this later), because the same message is being sent to millions of people in the hope that a few fall for it. A legitimate email from your financial institution should address you by name. The reverse does not hold, though: a greeting with your name is no guarantee of legitimacy, since names and email addresses leak in data breaches all the time.

Instill Fear

A common feature of phishing emails is a threat: the account will be shut down (or some other punishment will follow) unless the victim responds immediately. The aim is to scare victims into acting before they think.

Link to fake page

Notice the "click here" link in the email above. Clicking it takes the victim to a page built to look like Wells Fargo's website, but it is not. Fearing that their bank account will be shut down, the victim clicks the link and "verifies" their banking credentials to prevent it. The bad guys now have that person's banking credentials and can access the account (most likely to drain it).

Another note on links: even a link that looks legitimate can be fake. Look at the example below:

[Image: email link whose visible text reads https://woodgrovebank.com but whose real destination, shown on hover, is elsewhere]

The link appears to go to https://woodgrovebank.com. However, if you hover over it without clicking, your mail client or browser shows that the real destination is somewhere else entirely. Creating such a link is trivial: the text a link displays and the address it actually opens are two separate things. For example, this link ---> http://www.google.com looks as if it should go to Google, but it actually takes you to Facebook (the trick only works where the link is clickable, as on the original web page). In the same way, convincing-looking web links in an email can easily be made to lead to a scam website instead. Two caveats: on a phone or tablet there is no hover, so press and hold the link to see its real address before deciding whether to open it; and read that real address carefully, because scammers register look-alike names that begin with the real bank's name (something like woodgrovebank.com.account-verify.example) so that a quick glance passes.
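The two checks described above (does the text you see match where the link really goes, and is the destination under the domain the email claims to be from) can be automated. The script below is an added example written for this article, not code from the original page. It parses the `<a>` tags in an HTML email body with Python's standard library and reports each link that fails either check. The sample email, the claimed domain woodgrovebank.com, the `.example` hostnames and the 203.0.113.45 address are all constructed for the demonstration.

```python
"""Flag links in an HTML email whose visible text disagrees with their real
destination, or whose destination is outside the sender's claimed domain.
Added example for this article; the sample email below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, or None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL; bare text like 'bank.com' gets a scheme so it parses."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def under_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it, so that
    'bank.com.evil.example' does NOT count as bank.com."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def check_links(html, claimed_domain):
    """Return (visible text, href, reason) for every link that either shows one
    host while pointing at another, or points outside claimed_domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real_host = host_of(href)
        # Only text that itself looks like a URL or domain can "show" a host.
        shown_host = host_of(text) if "." in text and " " not in text else ""
        if shown_host and shown_host != real_host:
            findings.append((text, href,
                             "text shows %s but link goes to %s" % (shown_host, real_host)))
        elif not under_domain(real_host, claimed_domain):
            findings.append((text, href,
                             "destination %s is not under %s" % (real_host, claimed_domain)))
    return findings


# Constructed sample: an email claiming to come from woodgrovebank.com.
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<a href="http://203.0.113.45/wf/login">click here</a> to verify.
<a href="http://woodgrovebank.com.account-verify.example/login">https://woodgrovebank.com</a>
<a href="https://www.facebook.com/">http://www.google.com</a>
<a href="https://www.woodgrovebank.com/help">Help center</a>
"""

if __name__ == "__main__":
    for text, href, why in check_links(SAMPLE_EMAIL, "woodgrovebank.com"):
        print("SUSPICIOUS: %r -> %s (%s)" % (text, href, why))
```

Run against the sample, the first three links are reported (an IP address in place of the bank, a look-alike hostname that merely begins with the bank's name, and the google-to-facebook trick from the text) while the genuine www.woodgrovebank.com help link passes. The `under_domain` check uses `endswith("." + domain)` rather than a substring test precisely so that a hostname that starts with the bank's name but ends in someone else's domain is not mistaken for the bank.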

Broken English

Many phishing campaigns are run from outside the country they target, by people who do not speak the victims' language natively. Many (though not all) phishing emails therefore contain obvious grammar or spelling mistakes. See the example below.

[Image 3.png: phishing email containing obvious grammar and spelling mistakes]

Convincing images from well known sites

A phishing email posing as a well-known company will often use the same graphics as that company's real website, giving the fake email a further appearance of legitimacy. Look at the example below. The email appears to be from Bank of America because of the graphics used, even though it is not from them. Logos and images prove nothing: they can be copied from the real site in seconds.

[Image 4.png: phishing email using Bank of America graphics]

What to do if you suspect an email is a phishing attempt

First, what not to do. If you suspect an email is a phishing attempt, do not click any links inside it.

Do not reply to the email, and above all do not send any sensitive information by email (the classic Nigerian prince scam is a good example of why).

Do not open or download any attachments. They may carry a virus or other malware.

If an email looks like it comes from an institution you use, go to that organization's website directly (type the address yourself or use a bookmark) to log in to your account, NOT via any link in the email. If you suspect a genuine account issue, contact the organization's support through the channels listed on its website. Scammers want you to click the links in their emails so that they can take you to fake sites.

What if I fell for it?

If you suspect that you may have fallen for a phishing email, the next few moments are critical:

  • If you were tricked into entering the login information for an online account, change that password immediately, and if the service offers it, sign out of all other active sessions.

  • Also immediately, change the password on any other online account that used the same password; scammers try stolen credentials against other popular sites.

  • If you think a work account may be compromised, alert your IT security representative so they can be on the lookout for unauthorized access to your account.

  • Run a virus scan on your PC in case malicious software was installed when you clicked the link or opened an attachment.

Scammers will be trying to access your account as soon as you give out credentials, so you have a very small window to change the password and prevent unauthorized access.

The above tips will help protect you from the generic run-of-the-mill phishing scheme. But what about ones that are targeted just at you, and much more convincing? We'll cover that in a future article. Stay tuned.