Last month we talked about some ways that you can help mitigate the likelihood of getting a virus, downloading malware or falling prey to a phishing attempt. This month we will touch on a few ways you can protect yourself from a phishing attempt.
For a bit of background on “phishing,” see Wikipedia.
“Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”
E-mail and Phishing
E-mail is the main attack route for a phishing attempt, the goal of which is to steal your personal information. To help recognize a phishing attempt use these five guidelines.
- A non-specific or generic greeting.Internet criminals don’t normally setup mailing lists with users names autoloaded in, so their email messages usually start with:
- Dear Customer
- Dear Account Holder
- Dear PayPal user
- Fake links. A link in an email can be made to say anything in the text. Place the mouse cursor over the link and Outlook will display the actual link destination. In my example I made a link that displays as the Home Depot website but in reality is a link to the SHSU Homepage.
- Links to Non-secure login pages. All legitimate login pages will exist on a secure website. To see if the site you are on is secure look at the beginning of the address. Secure sites begin with “HTTPS:” not just “HTTP:”. The S at the end denotes that site as secure. If you are unsure about a page that claims to be secure you can click on the name of the company to the left of the URL address and see who has verified the website. For example SHSU’s SamWeb is located at HTTPS://SAMWEB.SHSU.EDU and we have been verified by GlobalSign as a secure site.
- Asking for personal information. The entire point of the phishing attempt is get you to give up your personal information (Social Security Number, Credit Card Number, Bank Account, Residential Address, etc.) so that they can either steal your identity or sell your contact information to companies around the world. Every company that you do business with probably already has all of the information that they need from you. If you think it might be a legitimate request for information then look up that company’s contact information online (not from the e-mail they sent you) and call them to confirm.
- Immediate Needs and Deadlines. Criminals don’t want to wait around for you to send them your vital information so they will put emergency notices and deadlines into their phishing attempts. They will frequently say that an account is going to expire within a few days if you don’t respond or that a service will be terminated and you will have to pay exorbinant reconnect fees. Don’t be fooled by this, take the time you need to verify that this is a real request before you give out any information, and whatever info you do give, do it over the phone and not via e-mail.