Authorship Credit: Dave Taylor, Director, Information Technology, Baker & Hostetler LLP
We are seeing a dramatic increase in spam and email phishing schemes once again. These schemes have become very sophisticated in their ability to mimic the multitude of legitimate online transactions that occur every day. Please consider the following when reading and reacting to emails.
1. The bad guys love playing off of our emotions, so they use all manner of tricks to “inspire” a reaction (a mouse click) from us. You have likely seen at least one of the following recently:
- A purchase confirmation for something you didn’t buy. PayPal and eBay top the list for spoofs lately.
- A password reset or other account activity that you didn’t actually do. American Express, Verizon, and Apple iTunes/App Store are the names most often spoofed.
- A LinkedIn request from someone you don’t know.
- An enticing “offer” that seems to be based on something about you, or that is actually legitimate or important to you – like a subscription offer for some compelling professional content. The tempting thought is: “This must be real, because this offer is only coming to me because it relates to my profession…”
- A text message or IM that has a web link in it, usually congratulating you on winning $100 or something better!
2. Please keep the following in mind:
- If your name or email address is not in the To: field of an email, it’s a fake.
- If there are other names in the To: or Cc: field of the email, it is a fake. No company is going to send you private account info, receipts, or password reset requests AND send them to anyone else at the same time.
- No company or web site is going to send you an unsolicited password reset request via email.
- LinkedIn is being used more and more for phishing AND social engineering attempts. Even if the LinkedIn request actually takes you to LinkedIn, do not automatically accept invitations or connect with anyone you don’t know, even if they appear to be connected with others you may know. Hackers and cyber criminals are using every means available to them to build a facade of credibility.
- BlackBerry, iPhone, and iPad are not immune to malware and phishing attacks. In fact, because these devices are MOBILE, the bad guys are expecting that your guard is down when working from them. Many attacks are now designed to exploit vulnerabilities specific to mobile devices.
- Text messaging is now being used to launch phishing and malware attacks almost as frequently as email. And many of the mobile platforms are just now patching vulnerabilities that can be used to steal your personal information.
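The To:/Cc: rules above can be checked mechanically. The following is an added example, not part of the original memo: it parses a raw message with Python’s standard email library and reports which of the two recipient rules it fails. The three sample messages and the reader’s address “me@example.com” are constructed for illustration.

```python
"""Apply the memo's To:/Cc: rules to a raw email message.

Added example, not part of the original memo. The messages below are
constructed samples; the reader's address "me@example.com" is an
assumption used for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a receipt addressed only to the reader (passes).
LEGIT_MSG = """\
From: receipts@paypal.example
To: Pat Reader <me@example.com>
Subject: Your receipt

Thanks for your purchase.
"""

# Constructed sample: a "password reset" sent to several people at once.
BULK_MSG = """\
From: security@amex.example
To: a@example.com, me@example.com
Cc: b@example.com
Subject: Password reset required

Click here to reset.
"""

# Constructed sample: the reader is not in To: at all (a list address is).
NOT_TO_ME_MSG = """\
From: alerts@verizon.example
To: Valued Customer <customers@example.com>
Subject: Account activity

Unusual activity detected.
"""


def recipient_check(raw_message, my_address):
    """Return a list of reasons the message fails the memo's recipient rules.

    Rule 1: my address must appear in the To: field.
    Rule 2: no other address may appear in To: or Cc:.
    An empty list means the headers pass both rules.
    """
    msg = message_from_string(raw_message)
    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", [])) if addr}
    cc_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("Cc", [])) if addr}
    me = my_address.lower()

    reasons = []
    if me not in to_addrs:
        reasons.append("your address is not in the To: field")
    others = (to_addrs | cc_addrs) - {me}
    if others:
        reasons.append("other recipients present: " + ", ".join(sorted(others)))
    return reasons


if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MSG), ("bulk", BULK_MSG), ("not-to-me", NOT_TO_ME_MSG)]:
        print(name, recipient_check(raw, "me@example.com") or ["passes"])
```

A message that passes both rules is not proven genuine; the check only flags the cases the memo calls out as certain fakes, so it belongs alongside the other habits in section 3 rather than in place of them.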
3. What can I do to protect myself and the firm from hackers and phishers?
- Pay close attention to any and every email you read. Train yourself to question the legitimacy of any email that “feels” wrong.
- Remind yourself to delay reacting to such emails, especially from your mobile devices.
- Look for your name, and JUST your name, in the header of the email.
- Update your mobile device software frequently.
- Do not click on links in emails, especially from a mobile device; but if you must, at least …
- Practice the “hover”: by hovering your mouse cursor over a link, you will see the actual web address that you will be connected to. If it appears to be completely unrelated to the content of the email, i.e. it does not include even the web site or business name, then it’s a fake. DO NOT CLICK on any such link.
- Read web links carefully. You must scroll to the end of the link to see where it’s actually taking you; don’t be fooled by the first part of the web link. For example, this link is actually not related to American Express in any way: americanexpress.com.1243abc.badguy.com. The domain in this case is badguy.com. They are not going to be as obvious as I am! And from your mobile device, you might not even be able to scroll to the end. What if you only saw the beginning of that link, “americanexpress” or “americanexpress.com”, and the rest was not visible because of the window size? It would look completely legitimate to you. And guess what, the bad guys know this and hope that you don’t!!!
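The “read to the end of the link” rule can be put into code. The following is an added example, not part of the original memo: it takes the memo’s own link, americanexpress.com.1243abc.badguy.com, plus a few constructed variants, and pulls out the domain the link really points to. The set of brand domains is an assumption for illustration, and the two-label rule for the registered domain is a deliberate simplification (suffixes such as .co.uk would need a public-suffix list).

```python
"""Find the domain a link really points to, as the memo describes.

Added example, not part of the original memo. The link values are the
memo's own example plus constructed variants; the list of brand domains
is an assumption used for illustration.
"""
from urllib.parse import urlsplit

# Brands whose real domains we expect to see (assumption, for illustration).
EXPECTED_DOMAINS = {"americanexpress.com", "paypal.com", "ebay.com"}


def host_of(link):
    """Return the lower-cased host part of a link.

    Links pasted into email text often lack a scheme; add one so that
    urlsplit treats the leading text as the host rather than a path.
    """
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower().rstrip(".")


def registered_domain(link):
    """Return the last two labels of the host, e.g. 'badguy.com'.

    This is the part the memo tells you to scroll to: everything before
    it is a subdomain the link's owner can set to anything they like.
    Simplification: two labels only, no public-suffix handling.
    """
    labels = host_of(link).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def judge_link(link, claimed_brand_domain):
    """'ok' if the link's real domain is the brand it claims to be, else 'fake'."""
    return "ok" if registered_domain(link) == claimed_brand_domain else "fake"


def mimicked_brand(link):
    """Return the brand domain a host imitates in its leading labels while
    really belonging to someone else, or None if no such trick is present.
    This is the "americanexpress.com.<...>.badguy.com" pattern from the memo.
    """
    host = host_of(link)
    actual = registered_domain(link)
    for brand in EXPECTED_DOMAINS:
        if brand in host and actual != brand:
            return brand
    return None


if __name__ == "__main__":
    # The memo's example plus constructed variants.
    for link in [
        "americanexpress.com.1243abc.badguy.com",
        "https://www.americanexpress.com/account",
        "http://badguy.com/americanexpress.com/login",
    ]:
        print(link, "->", registered_domain(link), "mimics:", mimicked_brand(link))
```

The hover address from the email client is the value to feed in; what the email displays as link text is irrelevant, which is exactly why the memo says to hover rather than read.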