Yes, I intentionally misspelled the word “fishy”, but for a reason!
Today’s topic: Phishing scams, and how you can avoid falling victim.
What is “phishing”? Phishing is an attempt to trick you into handing over very sensitive information, one way or another. It is a crude form of social engineering. In most cases, you’ll receive some form of communication, be it email, text message, phone call or even chat/instant message, claiming one of the following:
- Something is wrong with your account and it needs to be “verified”
- Your account has been locked and/or disabled, and you need to “log in” to restore it (!)
- Your bank account needs to be confirmed (!!)
- A document that requires a login to view (NOTE: Not all of these are fake! If you know the contact that sent the document, call them and ask, don’t reply to the email! I’ll explain why in a moment.)
- Your account was used to make a fraudulent purchase (!!!!)
- An attachment that you were not expecting.
Friends, these messages are purely fake. Their purpose is to trick you into giving up sensitive information, usually in the form of access to sensitive accounts (bank, email, etc.). With updated security measures, such as 2-Factor Authentication, phishing attacks have also gotten more sophisticated. Some scammers will try to take over your accounts through recovery methods, such as sending you a code. If they DO send you a code, DO NOT GIVE IT TO THEM! Once you give them this code, they’re in, and you’re out of luck.
DID YOU KNOW: Phishing is the number one cause of data breaches on the internet today!
Know the warning signs: Know what to look for if you suspect you may be getting phished, and how to thwart the attempt:
- An email that you recognize the source of, but is marked as SPAM, UNSAFE or DANGEROUS: This is the most common sign. This happens when the email comes in using, say, a colleague’s email address, but it originated from an email server outside of the email domain. (It is common for scammers to take advantage of exploited or misconfigured email servers.) If in doubt, CALL the colleague and ask them if they sent it; do NOT respond to the email, as it is possible that the colleague’s email account has been compromised.
- Phone calls from what appears to be your carrier, service provider or other company you work with, but the person on the other end is requesting access to your account: This is one of the cheapest scams, and if you fall for it, at best they just take over that service account. At worst, they’ll use this as a gateway to take over more sensitive accounts. These people use VoIP services that allow them to spoof (fake) the phone number they’re calling from. Oftentimes, they will use the main number for the service. If in doubt, just hang up and call the REAL number. If you got far enough that they are in your service account, you can call the provider and they can help you kick them out.
- Emails with attachments that you’re not expecting: Did “Jan” over in accounting just send you the monthly budget report? You download the attached Excel spreadsheet, and open it. It wants to run Macros, so you let it. OOPS! You just got nailed with ransomware! You now realize that it wasn’t Jan that sent you that attachment, but a hacker pretending to be Jan. If your company email system is set up right, it should be able to catch these and either mark them as external, block access to, or remove the dirty attachment. When in doubt, call the sender and ask if they sent you a file. If they did NOT send anything, delete the email.
- Texts with random 2FA codes or other account recovery methods: This is someone trying to get into your account, and is usually paired with a phone call from a scammer. Unless you are requesting a login code for one of your accounts, just delete the message. If it comes up in one of your apps, and you did NOT initiate the request, reject it. Allowing it will grant access to whoever is trying to get in. If you DO get this sort of request, assume your password has been compromised (think of 2FA as the second line of defense). Go ahead and change your password ASAP.
- Emails/texts/DMs asking you to “confirm” your account: Another weak attempt at accessing your accounts. The only course of action here is to simply delete the message. Many times these will contain a clickable/tappable link that will take you to what LOOKS like a service’s proper login page; however, when you put your username and password in here... it’s not getting sent to the service, but rather to a storage server controlled by the attacker. If you have 2FA set up, you shouldn’t have to worry here, but definitely change your password should you get tricked into this.
- Emails/Texts containing password reset requests: An even weaker method of gaining access. Unless YOU requested the reset, just delete and ignore these messages! If you acknowledge them, you’re basically letting an outside attacker into your account. This is like letting someone into your house, only for them to kick you out and change the locks. Once they get in, they will change your password, recovery information AND log out ALL open sessions. Kiss THAT account goodbye!
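To show what is behind the “recognized sender, but marked UNSAFE” sign above, here is an added example (not from the original post) of roughly the check a receiving mail server performs: it compares the From: domain with the envelope sender and reads the server’s own SPF/DKIM/DMARC verdicts. The two messages and their Authentication-Results values are constructed for illustration.

```python
# Added example: flag a message whose visible From: address looks like a
# colleague's but which was handed in by a server outside that domain, or
# which failed the receiving server's SPF/DKIM/DMARC checks.
# All headers below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
import re

def domain_of(address: str) -> str:
    """Return the lowercase domain part of an address, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_verdicts(results_header: str) -> dict:
    """Pull method=result pairs (spf=pass, dkim=fail, ...) out of an
    Authentication-Results header written by the receiving server."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results_header or "", re.I)
    return {method.lower(): result.lower() for method, result in pairs}

def check_headers(raw_message: str) -> list:
    """Return a list of warnings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    warnings = []
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    if envelope_domain and envelope_domain != from_domain:
        warnings.append(f"From: domain {from_domain!r} does not match envelope sender {envelope_domain!r}")
    verdicts = auth_verdicts(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method, "none") != "pass":
            warnings.append(f"{method} did not pass ({verdicts.get(method, 'missing')})")
    return warnings

# Constructed sample: display name and From: look like a colleague, but the
# message came through a relay outside the company's domain and failed checks.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jan in Accounting" <jan@example.com>
To: you@example.com
Subject: Monthly budget report

Please open the attached spreadsheet and enable editing.
"""

# Constructed sample: same sender, but sent through the company's own server.
LEGIT = """\
Return-Path: <jan@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jan in Accounting" <jan@example.com>
To: you@example.com
Subject: Monthly budget report

Report attached as discussed on the call.
"""
```

Running `check_headers(SPOOFED)` yields four warnings (domain mismatch plus three failed verdicts), while `check_headers(LEGIT)` yields none; a real gateway turns those warnings into the SPAM/UNSAFE banner the post describes.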
NOTE: No service provider, carrier or other company is EVER going to ask you for your login information or to “confirm” your account. They can usually access your account from their internal systems. Bear in mind though, they MAY ask you for a code to confirm you’re the account holder (if you have that security layer set up), which, in this case, is fine to give, but be sure you have called the company’s actual customer service number yourself!
Okay, now that you know some of the basics of phishing, and how to avoid getting hooked, let’s test out that newfound knowledge, shall we?