Would You Click on This?
Phishing is an attempt to trick you, by impersonating someone you trust. The good news is that far fewer phishing emails are being sent and fewer people are being targeted by information thieves. The bad news matters if you are one of the remaining targets: there are more bad guys gunning for you now and fewer places to hide than ever before. Here's what you need to know…
Phishing Gets Rarer But More Dangerous
In 2013, phishing emails as a percentage of total email traffic fell from 1.12 to 0.5 per cent, claims a new report by Websense Security Labs. So only one in every 200 emails you received was an attempt to make you click on a link that would lead to identity theft, or download a disguised malware package. Call that “better” news, perhaps; it still isn’t good.
Researchers were able to find far fewer sites hosting such malware either intentionally or as a result of being infected by hackers. They conclude that many phishers have given up their “sport” as anti-phishing defenses have achieved 99%-plus effectiveness rates in blocking traditional phishing exploits.
But at the same time, researchers reveal that phishers are employing more sophisticated, difficult-to-detect means of disguising their malicious payloads on websites. The Websense report also shows that advancing technology and economy of scale benefit the crooks as well as the rest of us. The cost of criminal cyberdeeds is declining, due to easily scalable cloud services and cheap rented botnets.
One thing is clear: phishing attacks are becoming more targeted, and so most people are less likely to become victims. Rather than becoming a random victim of a phishing email sent to millions of addresses, it is increasingly likely that one will be mindfully selected by a criminal, stalked and monitored online, and then skillfully duped with information collected by surveillance.
The Most Dangerous Subject Lines?
The new generation of phishing email is carefully crafted to look like your bank’s, not that of some other bank at which you know you have no accounts. Its subject line contains the name of your bank, and the salutation bears your name, not “valued customer.” It may even mention the name of an investment that you actually own if you have mentioned that instrument in an online forum, on Facebook or Twitter, or elsewhere. Isn’t that spooky?
Researchers at Websense identified "Dear
Consider what might happen if you click on a bogus link to online banking, your webmail, a LinkedIn invitation or Facebook friend request. You are directed to a rogue site that looks exactly like Chase Bank, Gmail, LinkedIn or Facebook. You enter your username and password. The site may toss out a vague error message, or redirect you to the real site without you ever knowing. But your login credentials have just been stolen.
The thief can now log in to your account, gaining access to your finances, contacts and other personal data. He may even impersonate you or lock you out of the account. And on how many other sites do you use that same username or password? Ooopsie...
Personal wealth is not the only target of phishing attacks, or even the primary one. Business intelligence fetches more on the black market than the net worth of many of the people who carry it around on the storage of laptops, tablets, and smartphones used for both business and personal purposes. Those “personal uses” are another Achilles’ heel that phishers are targeting.
Businesses spend money and effort on securing the channels of communication between themselves. But when employees use Internet-connected devices to interact with non-business sites, their employers’ security can be circumvented. Malware can enter via a fantasy sports league site as well as the site of a trusted business partner, and once ensconced on a device that has access to business intelligence, the malware has free rein to work its data-gathering tasks.
What Is the Solution to Phishing?
In their Phishing Research report (http://community.websense.com/blogs/securitylabs/archive/2013/12/11/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx), the solutions that Websense proposes to these new threats are problematic. “Real-time web analytics and an up-to-date database of known good and malicious websites, including social networking sites…” sounds like a security geek’s dream, and that is exactly what it is: nothing of the kind exists today, and building it is extremely hard. As soon as one rogue website is detected, two more pop up to take its place.
“Point-of-click threat analysis” means machines closely watching and arbitrarily blocking humans’ actions. “Real-time analysis of data transmission” is exactly what the U.S. government is doing, to the consternation of civil liberties fans. But employers can do it without the inconvenience of the First Amendment. And “Immersive End-User Training” is just as horrible-sounding as the last HR-mandated "sensitivity training" indoctrination you endured.
I believe the best defense is awareness, supplemented by technology. If your browser, email client or anti-malware suite includes anti-phishing capability, use it. But understand that these defenses do not give you license to click anything, anywhere. Start by training yourself to focus on these most common phishing attempts:
- When an email directs you to a website that requires your username, password (or any other sensitive information), DON'T CLICK. Use a bookmark or type in the address to be sure you're going to the right place. A legitimate business will never send email asking you to "verify your login credentials."
- If you get a "friend request" from someone you don't know, DON'T CLICK. You don't need that kind of friend, and you can always log in to see if you have any pending requests.
- If a message says your email to so-and-so didn't go through, and offers you a link to find out why, DON'T CLICK. Make sure you really sent such an email. If you did, contact them by other means and verify the address.
- And in general, if an email message urgently directs you to do something, right now, DON'T DO IT! Picking up the phone and calling your bank or your friend will put your mind at ease, and spare you a world of hurt.
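The first rule above (and the rogue-site scenario described earlier) comes down to one habit: look at where a link really goes, not at what it says. The script below is an added example, not code from the original article or from Websense. It pulls every link out of an HTML email body and flags the tells a careful reader would look for: the visible text shows one domain while the href points to another, a trusted brand name appears inside a hostname that is not actually under the brand's domain, the host is a raw IP address, or the URL carries a user:password@ prefix. The email body and the domain names in it are constructed for the example; the `registered_domain` helper is a deliberately naive "last two labels" rule (it does not consult the public suffix list, so it mishandles `co.uk`-style domains) and `TRUSTED_DOMAINS` is a stand-in for your own bookmark list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body, in the style the article describes:
# a personalised salutation, the victim's own bank named, one urgent link.
SAMPLE_EMAIL_HTML = """
<p>Dear John,</p>
<p>Unusual activity was detected on your Chase account. Please
<a href="http://chase.com.secure-login.example/verify">verify your Chase account</a>
within 24 hours to avoid suspension.</p>
<p>Or visit <a href="http://198.51.100.7/login">https://www.chase.com/login</a></p>
<p>Unsubscribe: <a href="https://www.chase.com/email-preferences">manage preferences</a></p>
"""

# Assumption: the domains you would type or bookmark yourself.
TRUSTED_DOMAINS = ["chase.com"]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain: last two labels. Assumption for the example;
    a real check would use the public suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Visible link text that itself looks like a URL or hostname.
_URLISH_TEXT = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def assess_link(href, text, trusted_domains):
    """Return a list of reasons this link is suspicious (empty = nothing seen)."""
    url = urlparse(href)
    host = url.hostname or ""
    reasons = []

    if url.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{url.scheme}'")

    # The text says one place, the href goes somewhere else.
    m = _URLISH_TEXT.match(text)
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"display text says {m.group(1)} but link goes to {host}")

    # A trusted brand used as a subdomain label of an unrelated site,
    # e.g. chase.com.secure-login.example. Label match, not substring,
    # so 'purchase.example' is not a false positive for 'chase'.
    labels = host.lower().split(".")
    for domain in trusted_domains:
        brand = domain.split(".")[0]
        if brand in labels and registered_domain(host) != domain.lower():
            reasons.append(f"'{brand}' appears in hostname but site is not under {domain}")

    if _IPV4.match(host):
        reasons.append("host is a raw IP address")

    if url.username is not None:
        reasons.append("URL contains user@ prefix (hides the real host)")

    return reasons


def scan_email(html, trusted_domains):
    """All links in the body, each with its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text, trusted_domains))
            for href, text in parser.links]


def suspicious_links(html, trusted_domains):
    """Only the links that earned at least one reason."""
    return [(href, reasons) for href, _, reasons in scan_email(html, trusted_domains)
            if reasons]


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(href)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the two bad links are reported and the genuine chase.com preferences link passes. None of these checks is proof of phishing on its own, and a clean result is not proof of safety (a rented domain with no brand name in it passes every test here), which is why the rule in the list still stands: when in doubt, go to the site by bookmark or typed address, never by the link in the message.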
Have you been victimized by a phishing email? Do you think you're immune to such threats? Tell me about it! Post your comment or question below...
This article was posted by Bob Rankin on 16 Dec 2013
Copyright © 2005 - Bob Rankin - All Rights Reserved