Phishing (pronounced “fishing”) is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by impersonating a trustworthy entity in a digital communication. Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site. (Wikipedia)
COMMON PHISHING TACTICS
Phishing is by far the most common form of cyber-crime reported to the FBI’s Internet Crime Complaint Center (IC3). Common phishing tactics include:
- Messages warning of an impending deactivation or closure of an account, with a link to a website to ‘verify’ your account – which actually steals your credentials. Sometimes they make the scary claim that your account was compromised and you must prove your identity.
- An offer of a job to the recipient. Usually this is an unsolicited job that offers unrealistically high pay, with no interview or only a few perfunctory questions by email. Eventually, the criminal will ask for personal information “for payroll purposes” which is actually used for identity theft. Another common tactic is to ask the new ‘employee’ to purchase some goods – sometimes a list of ‘supplies’ needed for the job, sometimes gift cards – with a promise of reimbursement.
- Urgent messages claiming to be from an executive or other important person asking for a time-sensitive favor, which often involves buying gift cards and replying with the gift card numbers or photos of the cards.
- Messages claiming to be from a store or common service (such as Netflix) pretending that payment was denied for a recent purchase and directing you to a (fake) website to have you re-enter your credit card information.
- A forged message from a bank alerting you to an account update you need to perform, or to a suspected fraudulent transaction, telling you to log in immediately to resolve it.
- Messages claiming to be from the IRS, the FBI, or other government agencies. Sometimes they get your hopes up and pretend that you have a big tax refund waiting, and sometimes they accuse you of committing some crime or threaten you with penalties.
PROTECTIVE MEASURES - DON'T GET HOOKED
Learn to recognize phishing messages; they often…
- Attempt to build credibility by spoofing a real company or university. Often, the messages are laughably bad, but many are incredibly believable facsimiles of real messages. The most dangerous are personalized specifically for you, referred to as spear phishing, using knowledge about you or your work.
- Create a false urgency requiring a quick response – such as warning that your account will be closed
- Insist on a call to action – urge you to click a link or reply with information
- Do not address you by name or include other information specific only to you
Use common sense when giving out personal information
- Be suspicious by default
- Check the email for fake web links or fake web addresses
- Never give out account or personal information by email
- Remember, GRC will never ask you for your password. Only enter your password into official GRC login pages.
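The recognition cues above (spoofed sender, false urgency, a call to action, no personal greeting) and the advice to check the email for fake web links can be turned into a simple, automatable triage check. The script below is an added example written for this page, not code from GRC or any vendor; it extracts every link from an HTML email body, flags links whose visible text shows a different site than the one the link actually goes to, flags lookalike hosts that mention the institution's name but are not under its domain, and looks for urgency, call-to-action and generic-greeting cues. The domain `grc.example` and both sample emails are constructed placeholders; the "last two labels" rule for the registrable domain is a simplification (a real implementation would use a public-suffix list).

```python
"""Heuristic phishing-indicator checker (added example, not GRC's own code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's real domain; placeholder value for this example.
TRUSTED_DOMAINS = {"grc.example"}

URGENCY_PHRASES = ("account will be closed", "verify your account",
                   "within 24 hours", "immediately", "suspended", "act now")
CALL_TO_ACTION = re.compile(r"\b(click here|reply with|confirm your)\b")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder",
                     "valued customer")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, tolerating bare hosts such as 'library.grc.example/hours'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Crude 'last two labels' approximation (assumption: no public-suffix list)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def link_findings(links):
    findings = []
    for href, text in links:
        href_host = host_of(href)
        if not href_host:
            continue
        # Visible text looks like a web address but the link goes elsewhere.
        if re.search(r"\b[\w-]+\.[a-z]{2,}\b", text, re.I):
            text_host = host_of(text)
            if text_host and registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(f"link text shows {text_host} but goes to {href_host}")
        # Internationalized (punycode) host names are a common lookalike trick.
        if "xn--" in href_host:
            findings.append(f"internationalized (punycode) host: {href_host}")
        # Host mentions the institution's name but is not under its real domain.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in href_host and registrable_domain(href_host) != trusted:
                findings.append(f"lookalike host mentions '{brand}' but is {registrable_domain(href_host)}")
    return findings


def analyze(subject, html_body):
    """Return a list of human-readable indicators; an empty list means nothing flagged."""
    parser = LinkExtractor()
    parser.feed(html_body)
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    combined = subject.lower() + " " + text
    findings = link_findings(parser.links)
    findings += [f"urgency cue: '{p}'" for p in URGENCY_PHRASES if p in combined]
    if CALL_TO_ACTION.search(combined):
        findings.append("call to action (click/reply/confirm)")
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of your name")
    return findings


# Constructed sample messages for demonstration (not real emails).
PHISH_SUBJECT = "Action required: your account will be closed"
PHISH_BODY = """<p>Dear Customer,</p>
<p>We detected unusual activity. You must verify your account within 24 hours
or it will be suspended.</p>
<p>Click here: <a href="http://grc-account-verify.example.net/login">https://my.grc.example/login</a></p>"""

LEGIT_SUBJECT = "Library hours for spring quarter"
LEGIT_BODY = """<p>Hi Jordan,</p>
<p>The updated hours are posted at <a href="https://library.grc.example/hours">library.grc.example/hours</a>.</p>"""

if __name__ == "__main__":
    for label, subj, body in (("phish", PHISH_SUBJECT, PHISH_BODY),
                              ("legit", LEGIT_SUBJECT, LEGIT_BODY)):
        print(label, analyze(subj, body))
```

Run it and the constructed phish yields a mismatched-link finding, a lookalike-host finding, several urgency cues, a call to action and a generic greeting, while the constructed legitimate message yields nothing. Heuristics like these are a triage aid for a helpdesk or mail filter, not a verdict: a well-crafted spear phish can avoid every cue, which is why the advice on this page to verify through a separate, known-good channel still applies.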
Verify the information reported in the e-mail
- If in doubt, call customer support or, in the case of GRC email, call the GRC student or employee IT helpdesk to validate the message
- If the message claims to be from someone at GRC, look the sender up in the GRC Directory and call them using the number listed, or send a separate message to their official GRC email address asking them to confirm that they had contacted you.
ANATOMY OF A PHISH - "PHISH GUTS!"
Annotated example images (not reproduced in this text): Spear Phishing Example 1, Spear Phishing Example 2, Lottery Scam Example, Nigerian Scam Example.
CAN YOU SPOT PHISHING?
Take this phishing quiz from Google, which presents realistic phishing messages alongside authentic ones and asks you to tell them apart. It also points out the clues that help you identify fraudulent messages.