Can You Smell a Phish?
The latest fad in email scams is spear-phishing: deceptive emails highly targeted and carefully crafted to fool even the best anti-phishing technology. A savvy human being can still spot spear-phish reliably, but it’s getting more difficult as scammers refine their craft. Here is a little test you can take to see if you’re smarter than modern phish...
Can You Identify Phishing Scams?
Websense offers a two-minute challenge called Operation Spear Phish in which you review six real-life emails and decide which are phish and which are not. The test even gives you two clues about each email. The timed aspect of the test precludes “cheating” by consulting others or searching online.
One of the phish is obvious: an email from a stranger in Lithuania requesting your help in moving some money. This is the classic Nigerian 419 spam; few geeks fall for it these days, but occasionally the Internet laughs at a lawyer, banker, or other presumably smart professional who does.
Other phish in the test require a peek at what’s under the surface of an email. Hovering the cursor over a highlighted word that indicates a clickable link will reveal the underlying URL. Clues in a URL can tip you off that something is wrong; for instance, if the URL’s domain is some server in a foreign land but the email is supposedly from a U.S. firm. Some servers are infamous as hosts of scammers; if you know the most popular rogue servers, you can spot them in a hidden URL.
Still other spear phish attempts are just a little bit off in their text. “Dear valued customer” is not how Paypal addresses me; it uses my registered first and last names to assure me that an email is really from Paypal. It's also common to find awkward English phrasing, poor grammar and spelling mistakes in phishing emails.
Getting To Know You
Spear phishing is so called because it is highly targeted, often going after a specific individual rather than a broadly defined group or random population. A scammer may know that you, John Doe, bought a plane ticket to Canberra, Australia, on the 19th of last month. Such details tend to lull readers into believing, “Yeah, no scammer could know that, it must be legit.” But they do know.
How? Probably because you told them and everyone else on Facebook, Twitter, or some other social media site. “I just bought a ticket to Canberra, Woo-Hoo!” Don’t do that; you never know who may be reading. If you get a social media "friendship" request from someone you've never heard of, be on guard. You even have to look carefully at the link before you click.
If you must share your personal business, share it only with real-world friends you can trust. Learn how privacy settings of your social media sites work and adjust them to keep strangers from reading what strangers should not know. Remember that social media sites make more money the more data their users share, so the default privacy settings may not be designed to prevent spear phishing.
Hello, Your Name Is...
Another source of information for spear phishers is the massive data breaches that are happening all too often lately. The recent breaches of security at Target Corp, Neiman Marcus and other retailers affected tens of millions of people, and revealed not just debit and credit card data, as first reported. The hackers also obtained names, mailing addresses, phone numbers and email addresses for many of those customers affected.
So you can imagine how easy it would be for a scammer to craft an email that was addressed to you by name, mentioned some of these personal details, and asked you to click to verify the activity on your credit card. Here's an example:
Internet Explorer, Firefox, and Google Chrome browsers will warn you if the website you're trying to visit is suspected of phishing or known to harbor malware. Your anti-virus software may catch the attack if you do end up on a rogue site. But there's no guarantee that the lists of malicious sites will be 100% up to date, nor can you rely on your anti-virus to catch every variant of newly appearing malware.
To protect yourself against spear phishing, you must pay closer attention to every email even if it's apparently from a trusted source, or a company you regularly deal with. If the email makes an unusual request, such as "verifying" login credentials, it may well be a phish. And remember, the presence of personally identifying details in the email is no guarantee that it is legitimate.
Most browsers and email clients will display the URL of a link if you hover your mouse over it. Look for misspelled URLs that won't take you where they suggest they will. For example, faecbook.com is an entirely different domain from facebook.com. Even better, use a bookmark to reach the site in question, or key in the web address by hand.
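The two checks described above (does the link text match where the link really goes, and is the real domain a near-miss of a site you actually use) can be automated over an email's HTML. This is an added example, not code from the article or from Websense; the trusted-domain list, the sample email and the two-label domain extraction are constructed assumptions.

```python
"""Flag links in an HTML email whose visible text and real target disagree,
or whose domain is a lookalike (typo/transposition) of a trusted domain."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the sites this reader actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "facebook.com"}

# Constructed sample email: one transposed domain, one text/target mismatch, one legitimate link.
SAMPLE_EMAIL = """<p>Dear valued customer,</p>
<p>Please <a href="http://faecbook.com/verify">log in to Facebook</a> to confirm.</p>
<p>Or visit <a href="http://secure-login.example.net/pp">www.paypal.com/account</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>"""

def registered_domain(host):
    """Crude registered domain: last two labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent letters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i-1] != b[j-1]
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + cost)
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)  # "faec" vs "face"
    return d[len(a)][len(b)]

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the email."""
    def __init__(self):
        super().__init__(); self.links = []; self._href = None; self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""; self._text = []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip())); self._href = None

def check_links(html):
    """Return (href, reason) for each link that deserves a second look before clicking."""
    p = _LinkCollector(); p.feed(html); findings = []
    for href, text in p.links:
        dom = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"\b([\w-]+(?:\.[\w-]+)+)\b", text)  # does the text itself name a domain?
        if shown and registered_domain(shown.group(1)) != dom:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {dom}")); continue
        for trusted in sorted(TRUSTED_DOMAINS):
            if dom != trusted and edit_distance(dom, trusted) <= 2:
                findings.append((href, f"{dom} looks like {trusted}"))
    return findings
```

Running `check_links(SAMPLE_EMAIL)` flags the faecbook.com link and the PayPal-labelled link that really goes to example.net, and passes the genuine www.paypal.com link.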
Have you or anyone you know been victimized by spear phishing? Post your comment or question below...
This article was posted by Bob Rankin on 30 Jan 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Can You Smell a Phish? (Posted: 30 Jan 2014)