“Phishing” is tricking users, usually by email, into providing personal data for malicious or fraudulent use. These attacks require little effort and have a high rate of return. The attacks themselves are focused on convincing a recipient to click on a link or attachment, or to send a password. Phishing emails frequently use subjects and content based on current events and other areas of business interest, to increase the likelihood of enticing a user to act. “Spear-phishing” and “whaling” are phishing attempts that have been especially crafted to target a more specific group of individuals (whaling targets executives and other high-value individuals). Even if the email looks legitimate, beware! Attackers go to great lengths to trick you. They may be after your personal information, or they may install software on your computer without your knowledge that records every keystroke, including your usernames, passwords, and bank account numbers.
A Few Tips
The reason phishing and spear-phishing are so effective is that they target an individual directly. You are the last line of defense and practicing awareness is part of everyone's job. A few general tips to get staff started:
- Never provide passwords. Be wary of any request for this information as most legitimate providers of IT related services do not need to know passwords to provide assistance.
- If you are not a customer of the company that appears to have sent you an email, ignore it.
- Even if you are a customer, never respond directly to an email request from a company for personal or financial information.
- Never go to a web site from a link in an email. Type the address yourself or use a bookmark you saved earlier.
- If an apparently legitimate web site that you have visited before prompts you for a password, enter an incorrect one first. A crude fake will accept anything you type. This check is not reliable on its own, because a phishing site that relays what you type to the real site will reject the wrong password just as the real one would, so always confirm the address in the browser's address bar as well.
- Only open email attachments if you're expecting them and know what they contain.
- If someone contacts you and says you've been a victim of fraud, verify the person's identity before you provide any personal information.
- Learn to look at the links. Phishers include links in their emails to lure you to fake sites that look like the real ones. If you know how URLs are constructed, you will be able to tell where a link is really sending you.
To find out where a link is really taking you, hover over it with your mouse pointer. If the URL that is displayed:
- Is only an IP address.
- Does not match the URL that is shown in the email content.
- Is long and confusing but includes a familiar name (a brand or company) somewhere other than the actual domain, for example in a subdomain, the path, or the query string.
then it could mean that this is a phishing email.
The following are examples of link text that may hide a different destination; the real destination is only visible when you hover over the link in your mail client.
- http://safe_and_friendly_company.com
- http://safe_and_friendly_company.com/login/
- http://www.google.com
Knowing how to see where a link is going to take you can help you identify phishing emails before you fall victim.
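The hover checks above (bare IP address, visible text that does not match the real destination, a familiar name buried in an unrelated URL) can be automated over the HTML of a suspicious message. The script below is an added example written for this page, not code from the original page or its authors. It extracts each anchor from a constructed sample email, compares the visible text with the real `href`, and reports which of the three warning signs apply. It goes slightly beyond the page's wording: the "familiar term" check fires whenever a known brand name appears anywhere in the URL except its actual registered domain, regardless of length. `FAMILIAR_TERMS`, the sample email, the IP address `198.51.100.23`, and the host `safe-and-friendly.example` are assumptions made for the example, and `registrable_domain` uses a naive last-two-labels approximation rather than the Public Suffix List.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brand names an attacker is likely to borrow (assumption).
FAMILIAR_TERMS = ("google", "paypal", "microsoft", "safe_and_friendly_company")


def registrable_domain(host):
    """Approximate the registered domain as the last two labels.
    A production tool should use the Public Suffix List instead (e.g. co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_ip(host):
    """True if the destination host is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def text_host(text):
    """If the visible link text itself looks like a URL or domain, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    if "://" not in t:
        t = "http://" + t
    return urlparse(t).hostname


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Apply the three hover heuristics; return a list of human-readable reasons."""
    reasons = []
    host = urlparse(href).hostname or ""
    real = registrable_domain(host)

    # 1. Destination is only an IP address.
    if host_is_ip(host):
        reasons.append("destination is a bare IP address")

    # 2. Visible text shows one site, href goes to another.
    shown = text_host(text)
    if shown and registrable_domain(shown) != real:
        reasons.append("visible text %s does not match destination %s" % (shown, host))

    # 3. A familiar brand name appears in the URL but not in its real domain.
    for term in FAMILIAR_TERMS:
        if term in href.lower() and term not in real:
            reasons.append("familiar term %r appears outside the real domain %s" % (term, real))
    return reasons


def scan_email_html(html):
    """Return [(href, visible_text, reasons), ...] for every link in the message."""
    parser = AnchorExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message (not a real phishing email).
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://198.51.100.23/login">http://safe_and_friendly_company.com/login/</a>
<a href="http://safe-and-friendly.example/secure/www.google.com/verify?id=abc123">http://www.google.com</a>
<a href="https://www.google.com">Google</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print("%-10s %s -> %s" % (verdict, text, href))
        for r in reasons:
            print("           - " + r)
```

Running the script flags the first two links (IP destination plus text/destination mismatch; mismatch plus a brand name hidden in the path) and leaves the plain Google link alone. The heuristics are deliberately simple and will produce false positives on legitimate redirect or tracking links, so treat a hit as a reason to look closer, not as proof of phishing.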