Ever heard of phishing? Even if you don’t know the word, I’m sure that you’ve seen it in action. If you’ve ever received a suspicious email asking for your credentials, someone’s been phishing. And just like the kind of fishing that’s a lot of fun on the weekends, these phishing scams dangle a baited hook. The difference is that their target is you.
Although you’ve most likely found them in your email’s inbox, it’s possible to find these tricks being used in instant messaging, chat requests, social media sites, texts, and even phone calls. I’ve been seeing more and more recently, and some are pretty clever. Because you’ll encounter them too, it’s now an essential skill of modern life to spot these hucksters before they have a chance to make their mark.
What’s the bait?
Like all good liars, these scammers know that the closer they hew to the truth, the more believable their story. They may try to disguise themselves as financial documentation: invoices, receipts, payment or shipping information. You can guarantee that they’ll use words like “urgent” and “immediate action required” to further draw you in. Although some more sophisticated scams are aimed at a specific person or group (a CEO, say, or the employees of a certain division), most try to reach as many people as possible. They know that if they ask enough people to respond to their “official CitiBank account update,” they’ll eventually find a CitiBank customer who clicks through without carefully studying the message. Also, if you get an unsolicited email telling you that the IRS/FBI/CIA is looking for you, they’re probably not. Those guys tend to be a little more direct.
Where’s the hook?
Phishing is the latest form of an old con: social engineering. It works by exploiting people’s trust instead of breaking the system’s defenses. In other words, it’s sweet-talking someone into handing over the keys instead of breaking down the door. More elegant for sure, but it leaves just as big a mess.
The two main tricks are fraudulent websites and malicious attachments. In the first scenario, you are sent a link that directs you to a website set up to complete the fraud. This website might be very well designed, with slick graphics and great stock photography of smiling people and happy pets. However, just because it looks legitimate doesn’t mean that it is. The website will prompt you to enter your credentials or sensitive information – perhaps just like you would on your institution’s real site – but it will then capture what you type and pass it on to real people who don’t have your best financial interests at heart. The thing to check is not how the page looks but where it lives: the link text in the email can say anything, so look at the actual address (hover over the link, or read the address bar once the page loads) and make sure the domain is your institution’s own, not a look-alike with the familiar name tacked on the front. A padlock icon only means the connection to that site is encrypted; a scammer can get one for a site they own just as easily as your bank can.
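The link checks described above (and the “double-checking a link only takes a second” advice at the end of this post) can be written down. The following is an added example, not code from the original post: it takes a few constructed (visible text, actual destination) pairs of the kind a phishing email carries, works out the host the browser would really connect to, and lists why each one is suspicious. “example-bank.com” stands in for the institution the email claims to be from; every other host is made up.

```python
"""Inspect the links in a suspicious email.

This is an added example, not code from the original post. Every URL below is
constructed for illustration: 'example-bank.com' stands in for the institution
the email claims to be from, and the other hosts are made up.
"""
from urllib.parse import urlsplit

# Constructed sample links as (visible link text, actual href) pairs.
SAMPLE_LINKS = [
    # 1. text and destination agree, on the institution's own domain
    ("https://www.example-bank.com/login",
     "https://www.example-bank.com/login"),
    # 2. the familiar name is only a prefix; the real domain is account-verify.example
    ("https://www.example-bank.com/login",
     "http://example-bank.com.account-verify.example/login"),
    # 3. 'user@host' trick: the browser connects to 203.0.113.7, not example-bank.com
    ("Update your account",
     "https://example-bank.com@203.0.113.7/update"),
    # 4. look-alike spelling: the digit 1 in place of the letter l
    ("https://www.example-bank.com/",
     "https://www.examp1e-bank.com/"),
]


def real_host(url):
    """The host the browser will actually connect to (lowercased, no user@ or port)."""
    return urlsplit(url).hostname or ""


def registrable_domain(host):
    """Last two labels of the host, e.g. 'www.example-bank.com' -> 'example-bank.com'.

    Assumption: no multi-label public suffixes (like co.uk); IP literals are returned as-is.
    """
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:])


def inspect_link(text, href, trusted_domain):
    """Return a list of reasons the link is suspicious; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    host = real_host(href)
    if "@" in parts.netloc:
        reasons.append("user@ in the URL hides the real host (%s)" % host)
    if parts.scheme.lower() != "https":
        reasons.append("not https (scheme is %r)" % parts.scheme)
    # Only compare hosts when the visible text itself looks like a URL.
    if text.lower().startswith(("http://", "https://")):
        shown = real_host(text)
        if shown != host:
            reasons.append("text shows %s but the link goes to %s" % (shown, host))
    domain = registrable_domain(host)
    if domain != trusted_domain:
        reasons.append("real domain is %s, not %s" % (domain, trusted_domain))
    return reasons


def inspect_all(links=SAMPLE_LINKS, trusted_domain="example-bank.com"):
    """Map each href to its list of reasons."""
    return {href: inspect_link(text, href, trusted_domain) for text, href in links}


if __name__ == "__main__":
    for href, reasons in inspect_all().items():
        print(href)
        for r in reasons:
            print("   -", r)
        if not reasons:
            print("   - looks consistent")
```

The point of `real_host` is that the browser decides where to go from the parsed URL, not from the text you see; anything before an `@`, and any familiar name that is only the left-hand part of a longer host, is decoration. The two-label `registrable_domain` is deliberately simple and would need a public-suffix list to be right for domains like `bank.co.uk`.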
The second scenario involves attachments. The email looks much like the one above, but instead of asking you to click through to a website, it asks you to download, save, or open an innocent-looking attachment. Often the email will explain that this is something important for your records and that it must be opened immediately. The file may look like something as harmless as a PDF, but when you open it you’ll find that it carries malware designed to steal your information or take control of your computer. Two tricks are common here: a file named “invoice.pdf.exe” that your system shows as “invoice.pdf” because it hides known extensions, and a genuine document format (a Word file with macros, for example) that does the damage when you enable what it asks for. Again, this is a cast-the-net-wide technique. Although most people will simply ignore it, there will be a percentage of recipients who are expecting something from, say, FedEx, and don’t question the message before it’s too late.
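The attachment tricks mentioned above can be caught with a look at the file name and the first few bytes of the file, which identify its real type. The following is an added example, not code from the original post: the attachment names and byte strings are constructed for illustration, and the list of dangerous extensions and file signatures is a short illustrative subset, not a complete one.

```python
"""Screen an email attachment by its real file type, not by its name or the email's story.

Added example, not code from the original post. The attachment names and byte
strings below are constructed for illustration; each byte string is just the
leading bytes (the 'magic number') that identify a file type.
"""
import os

# Extensions Windows will run or script when double-clicked (illustrative subset).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta",
    ".js", ".jse", ".vbs", ".wsf", ".ps1", ".jar", ".lnk",
}
# Extensions a scammer borrows to make 'invoice.pdf.exe' look like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Leading bytes -> what the file really is.
MAGIC = [
    (b"%PDF", "pdf"),
    (b"MZ", "windows executable"),
    (b"PK\x03\x04", "zip archive"),           # also the container for docx/xlsx/jar
    (b"\xd0\xcf\x11\xe0", "legacy office"),   # doc/xls; may carry macros
]
# What the extension promises the content should be.
EXPECTED = {
    ".pdf": "pdf", ".exe": "windows executable", ".zip": "zip archive",
    ".docx": "zip archive", ".xlsx": "zip archive", ".jar": "zip archive",
    ".doc": "legacy office", ".xls": "legacy office",
}

# Constructed samples: (attachment name, first bytes of its content).
SAMPLE_ATTACHMENTS = [
    ("receipt.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),          # genuine PDF header
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),          # executable with a borrowed .pdf
    ("shipping_label.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),       # executable renamed to .pdf
    ("tracking_info.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE2 Word document
    ("photo\u202egnp.exe", b"MZ\x90\x00"),                       # renders as 'photoexe.png'
]


def sniff(data):
    """Identify the file type from its first bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(filename, data):
    """Return a list of reasons to distrust the attachment; an empty list means none found."""
    reasons = []
    if "\u202e" in filename:
        # A right-to-left override reverses the display of what follows it,
        # so 'photo\u202egnp.exe' is shown to the user as 'photoexe.png'.
        reasons.append("name contains a right-to-left override character")
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("extension %s is executable" % ext)
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append("double extension: looks like %s but is %s" % (inner_ext, ext))
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        reasons.append("name says %s but the content is %s" % (ext, kind))
    if kind == "legacy office":
        reasons.append("legacy Office format can carry macros; open with macros disabled")
    return reasons


def screen_all(attachments=SAMPLE_ATTACHMENTS):
    """Map each attachment name to its list of reasons."""
    return {name: screen_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(repr(name), "->", reasons or ["nothing found"])
```

A real mail gateway does the same three things at scale (name checks, content sniffing, and policy for formats that can carry active content); the example just makes the logic visible. Note that a clean result here means only that nothing obvious was found, not that the file is safe.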
The next time you find a strange message in your inbox, think before you click. Double-checking a link only takes a second, and verifying a message just takes a phone call – to a number you already have for the company, not the one printed in the message. An infected computer or a hacked account, on the other hand, can cause a month of headaches. Just like the real kind of fishing, removing the hook is the yucky part.