Happy New Year to everyone! Here’s to a year that (eventually) brings us some semblance of normalcy after these crazy past two years! I like to think of myself as a “pragmatic optimist”, and I do indeed expect things will get better this year. (But honestly, how could they not?) Still, not only is the COVID virus still at play – to put it lightly – but so too are those other kinds of viruses we all worry about. In fact, just today I read about a nasty Omicron-themed phishing attack that is already running rampant this year. Hackers are still hacking, and keeping ourselves safe from computer viruses can’t happen without vigilance on everyone’s part. With that in mind, I put together a sort of “phishing awareness refresher” post today. Be sure to pass this along to anyone you know who may not be as cybersecurity savvy as you.
Signs you are being “phished”
Phishing messages tend to have one or more of the following characteristics:
Emotional ploys: Hackers play to your emotions. They use curiosity, fear, or the desire to help someone to get you to click a link or hand over confidential information.
A sense of urgency: The more you rush to act, the more likely you are to ignore telltale signs of a scam.
Spelling and grammar: Your bank isn’t likely to misspell words in an official notice to you. Hackers, on the other hand… (The reverse doesn’t hold, though: a polished, error-free message can still be a scam.)
Suspicious links: Never click on links or download attachments in messages from people you don’t recognize, or whose identity you question. Even when you do recognize the sender, hover over a link before clicking it: the visible text can say one thing while the link actually goes somewhere else, and a familiar name is no guarantee if that person’s account has been taken over.
Requests for confidential information: Never provide sensitive personal information in response to an email. A bank or legitimate retailer or service would never ask you for that type of information in an email.
Spoofed websites: Only provide confidential information on a website if you’re 100% confident that you are on a legitimate site. (In other words, it is best to go directly to a website by typing in the URL yourself or using a bookmark you saved earlier, not by clicking on a link in an email.) An aside: Caller ID phone numbers are also easy to spoof these days.
Unusual sender address: Check the actual email address (as opposed to just the alias, or name you initially see) in the “from” line of the email. Do this by hovering your cursor over it. Look for a legitimate domain name (e.g., “@bankofamerica.com”). If it doesn’t match up with who it is supposed to be coming from, it’s most likely a phishing message. And be sure to look very closely; hackers have gotten good at establishing phony versions of legitimate domain names by using subtle typos. (For example, the letter “l” might be switched to the number “1”, or the letter “O” to the number “0”, or the real name is tucked in front of a different domain, as in “bankofamerica.com.example.net”.) One caveat: a correct-looking address is not proof on its own. The “from” line itself can be forged outright, so treat it as one warning sign among several rather than a guarantee.
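The two checks just described (does the link really go where its text claims, and does the sender’s domain really belong to the organization it imitates) can be automated as simple heuristics. The following is an added example written for this post, not code from the original article or from any mail client; the allowlist in TRUSTED_DOMAINS and the sample message are made up for illustration. It folds lookalike characters (digits standing in for letters, a few Cyrillic letters that render identically to Latin ones) back to what a reader sees, flags domains that are a typo away from a trusted one or that bury a trusted brand name inside an unrelated domain, and compares each link’s visible text with its real destination.

```python
"""Heuristics for the "suspicious links" and "unusual sender address" signs above.
Added example, not code from the original post; the allowlist and message are made up."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bankofamerica.com", "example-retailer.com"}  # hypothetical allowlist

# Lookalike characters mapped back to the Latin letter they imitate:
# digits, plus a few Cyrillic letters that render identically to Latin ones.
_HOMOGLYPHS = {"0": "o", "1": "l", "|": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
_TABLE = {ord(k): v for k, v in _HOMOGLYPHS.items()}
_ANCHOR = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
_TAG = re.compile(r"<[^>]+>")
_HOSTLIKE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def normalize_domain(domain: str) -> str:
    """Fold a host name into the form a reader *sees*, for lookalike comparison."""
    try:  # internationalised names arrive as punycode (xn--...): show the glyphs
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII, or not valid punycode: compare as given
    folded = unicodedata.normalize("NFKC", domain).strip().rstrip(".").lower()
    return folded.translate(_TABLE).replace("rn", "m").replace("vv", "w")

def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 1 or 2 means 'one typo away'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' (the real domain or a subdomain of it), 'lookalike', or 'unknown'."""
    host = domain.strip().rstrip(".").lower()
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    folded = normalize_domain(host)
    for t in trusted:
        # homoglyph swaps, typos, dropped letters: short edit distance after folding
        if _edit_distance(folded, normalize_domain(t)) <= 2:
            return "lookalike"
        # brand name used where it does not belong: bankofamerica.com.evil.net,
        # secure-bankofamerica.net ... (the genuine site already matched above)
        if t.split(".")[0] in folded:
            return "lookalike"
    return "unknown"

def check_message(raw: str) -> dict:
    """Inspect the From: display name and address, and every HTML link, in a raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(sender_domain) if sender_domain else "missing"
    report = {
        "sender_domain": sender_domain, "sender": verdict,
        # the alias shows a trusted brand but the real address is not that brand
        "name_impersonation": verdict != "trusted" and any(
            t.split(".")[0] in name.lower().replace(" ", "") for t in TRUSTED_DOMAINS),
        "links": []}
    html = ""
    for part in msg.walk():  # single-part and multipart bodies alike
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for href, inner in _ANCHOR.findall(html):
        target = (urlparse(href).hostname or "").lower()
        shown = _HOSTLIKE.search(_TAG.sub("", inner))  # does the visible text name a site?
        shown_host = shown.group(1).lower() if shown else ""
        report["links"].append({
            "href_host": target,
            "verdict": classify_domain(target) if target else "none",
            # link text claims one site while the href really goes to another
            "text_mismatch": bool(shown_host)
            and shown_host.removeprefix("www.") != target.removeprefix("www."),
        })
    return report

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Bank of America Alerts" <alerts@bank0famerica.com>
To: you@example.com
Subject: Urgent: unusual sign-in detected
Content-Type: text/html; charset=utf-8

<p>Your account will be locked in 24 hours unless you verify it now.</p>
<a href="https://bankofamerica.com.login-verify.net/secure">https://www.bankofamerica.com/login</a>
<a href="https://www.bankofamerica.com/security">Security Center</a>
"""
```

Running check_message(SAMPLE) reports the sender domain “bank0famerica.com” as a lookalike (the zero folds to an “o”), notes that the display name borrows a trusted brand, and flags the first link both as a lookalike domain and as a text/destination mismatch, while the second link checks out. These are heuristics, not proof: a message can pass every check here and still be a phish, and the “from” address itself can be forged, so the verdicts belong alongside the other warning signs rather than in place of them.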
Phishing by mobile phone
I wrote a post in late 2020 specifically about phishing via mobile phones (known as “smishing” for SMS/text-based attempts, and “vishing” for attempts made by voice, whether a live call or a voicemail). There are two main reasons to bring awareness to mobile phishing: First, people are on their cell phones now more than ever, for both remote work and to stay in touch with friends and family. Second, people can be more easily manipulated over mobile phones. Here’s why:
- Distractions. When we’re on our phones – working or otherwise – not only are we surrounded by outside diversions, but we may also have multiple apps open at the same time. It’s not hard to lose focus, making it easier for those signs of phishing to slip past us.
- Small screen size. This makes it harder to see the headers of emails, where a spoofed address might be detected. It’s also more difficult to view multiple pages without toggling back and forth or hitting links. This creates a greater chance of accidentally clicking on something malicious.
- Reaction-based interface. Mobile graphical user interfaces foster action – accept, reply, send, like, etc. – and are designed to make it easier for users to respond quickly to a request. However, that expediency can lead to a costly mistake if warning signs are missed.
Because of these vulnerabilities inherent to smartphone communication, people need to be extra vigilant when checking and responding to texts, emails, and voicemails on their mobile devices.
What to do with suspicious messages
So you suspect you’ve received a message or text from a hacker or scam artist. Now what? If it’s the subject line that’s making you suspicious, simply do not open it and delete it right away. If, however, it’s the content of the message that’s making you wary, do not click on anything inside the message. Do not reply to the sender or forward the message to anyone. Simply deleting the message is the easiest and safest step. However, you may want to check with your IT department for guidance on what to do beyond just deleting it. Some organizations have procedures for flagging or reporting suspicious messages, and a reported message lets them warn everyone else who received the same one.
What to do if you have been successfully phished
First, know that it has happened to even the most cyber-savvy of us! There is no reason to be embarrassed; some of the bad guys have gotten so darn good at what they do. So, if you think you have been successfully phished on your work computer or through your work email, report the incident to your IT department immediately. Not only your private information but that of your organization is in peril, and the sooner they know, the less damage the attacker can do with it. Among other things, they will want to change out all compromised passwords right away. They will likely need to inspect your computer for signs of malware. If the incident happened through your private computer, mobile or email, take the obvious immediate actions: Change all relevant passwords (ideally from a device you have no reason to suspect, and everywhere you reused the same password), turn on two-factor authentication where it is offered, and contact all accounts that may be impacted. If you know that your social security number or financial information was compromised, follow up in the weeks to come with the credit agencies; placing a fraud alert or a credit freeze makes it harder for anyone to open new accounts in your name.