After hearing about the many Amazon scam attempts over the holiday season, and with tax season (and the inevitable wave of IRS impersonators that accompanies it) rapidly approaching, we feel it is a prime time to review the risk of phishing attempts and how to easily detect and avoid them.
What is phishing?
Phishing is a malicious attempt to extract personal information (name, passwords, account numbers, social security numbers, etc.) from you in which the scammer attempts to masquerade as a well-known or trusted business or organization. Phishing attempts can come in many forms. The most common variation is e-mail, but phone calls and text messages can often be used as initial contact and probe attempts. Scammers will often go to great lengths to make their phishing attempts seem as legitimate as possible, but with a bit of scrutiny, we are able to detect these fraudulent communications for what they are.
5 Tips to identify and avoid phishing attempts:
1. Remember that most of the organizations you deal with already know who you are. The IRS, for example, is never going to call you and ask you to verify your social security number, and your bank is never going to drop you a text asking to verify your credit card numbers. Any electronic communication asking for personal identification information should be viewed with suspicion.
2. Always check who sent the email. Scammers will often use spoofed or fake email addresses that are very similar to what the company they are impersonating uses. Be sure to examine the “From” address field in the email you receive to see who is sending the communication. A message from wellsfargo.com is likely legitimate, while an email from wellsfrago.com will often read the same to our eye but is not associated with the financial institution in any way.
3. Never click links found within a suspicious email. Links contained within phishing emails will often take you to spoofed or redirected sites that appear legitimate, but are designed to steal your information. Manually type the URL for the site you may need to visit into your web browser, or search for it via a search engine if you feel the need to investigate.
4. Verify web site security. When filling out forms online, be sure to verify that the web site you are using is secure. In the URL bar, the address should start with HTTPS:// and there should be a lock icon present to verify the security of the web page. The validity of the lock icon can be inspected via a double click, which will display the security certificate information for the web site. Even if you are on a trusted company's web site, do not submit any personal information via an unsecure connection or web page.
5. When in doubt, call. If there is ever any doubt or suspicion concerning the validity of an email, call, or text received from a company, call and ask about it. The company in question will be able to easily confirm or deny the validity of the communication.
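The sender check from tip 2 can also be automated. The following is an added example, not part of the original article: it flags a From address whose domain is a near miss of a trusted one (such as wellsfrago.com) or whose display name uses a brand the domain does not belong to. The allow-list, the function names and the sample headers are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed allow-list (assumption): brand name -> its real sending domain.
TRUSTED = {"wells fargo": "wellsfargo.com", "apple": "apple.com", "irs": "irs.gov"}

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]

def check_sender(from_header, max_distance=1):
    """Return (verdict, detail) for one From header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("invalid", "no address found")
    for real in TRUSTED.values():
        if domain == real or domain.endswith("." + real):
            return ("trusted", real)
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(domain.split(".")[-2:])
    for real in TRUSTED.values():
        if osa_distance(base, real) <= max_distance:
            return ("lookalike", real)
    # Brand in the display name, but the mail comes from somewhere else.
    for brand, real in TRUSTED.items():
        if re.search(rf"\b{re.escape(brand)}\b", display.lower()):
            return ("display-name mismatch", real)
    return ("unknown", domain)

# Constructed From header values, not taken from real mail.
SAMPLES = ["Wells Fargo <alerts@wellsfrago.com>", "Apple <email@example.com>",
           "Wells Fargo <alerts@notify.wellsfargo.com>"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_sender(s))
```

Raising `max_distance` catches cruder misspellings but produces more false matches against short domains such as irs.gov.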
Example phishing attempt:
In addition to the tips listed above, we have included an example of a recently received phishing email to further illustrate how “official” they can seem, while also highlighting some easy tells as to the phony nature of the communication.
From: Apple [mailto:email@example.com] (Note: Original email address does not belong to Apple)
Sent: Monday, December 05, 2016 2:51 PM
Subject: Your Apple ID has been suspended [#719938]

Dear Customer, (Note: Generic salutation)

We recently failed to validate your payment information, therefore we need to ask you to complete a short verification process in order to verify your account.

Click here to validate your account information (Note: Hover to preview links before clicking on them, link leads to a non-Apple website)

Failure to complete our validation process could have an impact on your Apple ID status.

We take every step needed to automatically verify our users, unfortunately in this case we were unable to validate your details. The process will only take a couple of minutes and will allow us to maintain our high standards of securing your account.

Wondering why you got this email?

This email was sent automatically during routine checks. We are not completely satisfied with your account information and require you to update your account to continue using our services uninterrupted.

For more information, see our FAQ (http://www.apple.com/uk/support/appleid/). (Note: Link back to legitimate Apple site adds validity to email)
By Brandon Kaylor
Desktop Support Technician
Central Texas Technology Solutions