By Chris White, Director of Technical Operations, GovDelivery
People in the Midwest love outdoor activities. From hunting season to fishing season to trapping season, there’s always something to do outside. But hackers don’t stick to a calendar. For them, it’s always phishing season.
First, let’s identify what we mean by the phrase phishing and its variations.
- Phishing: Sending email to a group of people that looks like it comes from a legitimate website or organization in hopes that someone will click a link and provide personal information, like an email address and password.
- Spear Phishing: Sending a targeted email to a specific individual that looks like it comes from a legitimate website in hopes that the person will click a link and provide personal information, like a bank account username and password.
- Whaling: The same as Spear Phishing, except that it involves targeting business executives in hopes of a bigger payoff, such as gaining information to access organizational finances.
These aren’t technical attacks, but are known in the industry as social engineering attacks. Instead of trying to hack into your computer to get the information they want, hackers who use social engineering bypass technology controls and instead rely on the weakness of the users to simply provide that information directly. And unlike technical attacks, they’re far more difficult to protect against.
With tax season coming up, one popular form of phishing is to send Internal Revenue Service (IRS) forms to individuals. Attackers craft emails that appear to come from IRS.gov and request unsuspecting victims to fill in attached forms and fax them to a given number. The attack could be targeted (spear phishing) by browsing social media sites like LinkedIn, identifying where you work, and saying something like, “Dear Bob – There is a discrepancy in the amount you entered on line 7 of your 1040A, and what company XYZ reported as your income. In order to avoid any late penalties, please complete the form and fax it to 555-123-4567 by April 1st.” While many people are trained not to click links in suspicious emails; phone calls and faxes are generally not discussed, making this spear phishing attempt more realistic and more likely to succeed.
So how can you protect yourself?
- Keep antivirus up-to-date: This will protect against more than phishing, and is a good first line of defense if the attacker’s goal is to infect your machine with an attachment.
- Always question attachments: Sure, you know not to open a file from a stranger, but you should question it even if the email comes from a trusted source such as a recognizable organization or business. As in the IRS example used above, your best course of action would be to manually visit IRS.gov and to find the form yourself.
- Never click links in emails: If your bank asks you to click a link to change your password, open up your browser and manually type in the URL for your bank and change the password through the site instead of through the link. Better yet, call the number listed on your credit/debit card and ask if the email is legitimate.
- Trust your instincts: If something seems wrong, then it probably is. There’s nothing wrong with picking up the phone and asking if a message is legitimate. Better safe than sorry!
Even tech-savvy, well-informed people can make mistakes and fall for a hoax. If that happens, just remain calm and let people know. If you open a bad attachment, let your IT department know. If you faxed that fake IRS form to the bad guys, inform the IRS as well as your credit card companies. If you clicked the bad link to your bank, change your password by manually visiting your bank’s website and let your bank know immediately.
By remaining vigilant, you’ll reduce the chance of falling prey to a phisher. For more information on how to protect yourself, check out the U.S. Securities and Exchange Commission’s article, “Phishing” Fraud: How to avoid getting fried by phony phisherman.