In security, it is often said that the biggest point of failure is usually the user. No matter how secure your system is, if people are not aware of basic rules, your IT systems are at risk. One of the most common types of attacks people should know about is phishing.
WHAT IS PHISHING?
Phishing is a fraudulent practice that consists of sending emails that appear to come from a reputable company in order to extract confidential information from individuals. The goal of phishing is usually to obtain passwords and credit card numbers.
HOW TO DETECT PHISHING?
THE MOST BASIC RULE
If there is only one rule you should remember, it’s this one: if you’re not sure the email is from a legitimate source, do not open it.
The same goes for attachments. Only open them if you are sure they are safe. What looks like an invoice from a supplier may actually be malware that will infect your computer and, potentially, your network.
Most companies will never ask you for confidential information via email. So, if you receive a message asking for your password, there’s a good chance it’s fraudulent.
If you want to stay safe, never put confidential information in emails.
SENDER AND RECIPIENT
If you doubt the legitimacy of a message, check the sender and recipient fields.
- Sender: Make sure the name of the company and service it originates from is spelled correctly. Also check that the email address (both the displayed text and the underlying address) is what it is supposed to be.
- Recipient: Always check that the email is addressed to you, with your name and email address spelled correctly. And, even if it is addressed to you, double-check that it is the email address you actually use for that particular service.
THE EMAIL CONTENT
Spammers and scammers often operate from non-English speaking countries. Consequently, many phishing emails are easy to spot due to poor spelling and grammar. This should always be a major warning sign.
If everything still seems fine, it’s time to check the accuracy of the message.
How do they greet you? Do they use your real name, or do they go with a generic “dear user”? The latter should make you suspicious.
If you’re asked to click on a link, make sure the text of the link is consistent with its target.
You’ve clicked the link already? Before going any further and entering any login details or credit card information, check the URL to see if it really is the website you think it is. You can also try to navigate around the website: most scammers copy only the one page they need for their fake site.
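The sender, recipient, greeting and link checks described above can be automated for a saved message. The script below is an added example for this article, not code from the original author: it parses a constructed sample email (not a real phishing message) with Python’s standard library and reports each check that fails. The expected recipient address and the company’s trusted domain are assumptions you would replace with your own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email): the display name says "bank" but the
# address is on an unrelated domain, the recipient and greeting are generic,
# and the link text shows one host while the href points somewhere else.
SAMPLE_EML = """\
From: "Example Bank Support" <support@mail-example-bank-login.net>
To: Dear Customer <customer@example.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>Please confirm your password at
<a href="http://login.example-bank.net.evil.example/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Assumptions for the example: the address you actually use for this service
# and the domain the real company sends from.
EXPECTED_TO = "me@example.com"
TRUSTED_DOMAINS = {"example-bank.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(user|customer|client|member|valued)", re.I)


class BodyParser(HTMLParser):
    """Collect the visible text and every (href, link text) pair of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts, self.links = [], []
        self._href, self._link_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating link text such as 'www.example.com/login'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Last two labels of a host (no public-suffix list; enough for the demo)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def body_of(msg):
    """Return (decoded body, content type) of the first text part of the message."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace"), part.get_content_type()
    return "", "text/plain"


def check_message(raw_eml, expected_to=EXPECTED_TO, trusted=TRUSTED_DOMAINS):
    """Run the sender, recipient, greeting and link checks; return a list of findings."""
    msg = message_from_string(raw_eml)
    findings = []
    # Sender: the address behind the display name is what matters, not the name.
    _, from_addr = parseaddr(msg.get("From", ""))
    if registered_domain(from_addr.rsplit("@", 1)[-1].lower()) not in trusted:
        findings.append(f"sender: {from_addr!r} is not on a known domain for this company")
    # Recipient: is it addressed to the address you actually use for this service?
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != expected_to.lower():
        findings.append(f"recipient: addressed to {to_addr!r}, not {expected_to!r}")
    body, ctype = body_of(msg)
    text, links = body, []
    if ctype == "text/html":
        parser = BodyParser()
        parser.feed(body)
        text, links = "".join(parser.text_parts), parser.links
    # Greeting: a sender that really knows you tends to use your name.
    if GENERIC_GREETING.search(text):
        findings.append("greeting: generic salutation instead of your name")
    # Links: text that looks like a URL must point at the same host as the href,
    # and the real target must belong to the company.
    for href, link_text in links:
        if re.match(r"(https?://|www\.)", link_text, re.I) and host_of(link_text) != host_of(href):
            findings.append(f"link: text shows {host_of(link_text)!r} but target is {host_of(href)!r}")
        if registered_domain(host_of(href)) not in trusted:
            findings.append(f"link: target domain {registered_domain(host_of(href))!r} is not trusted")
    return findings


if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE_EML)))
```

Run as a script it prints five findings for the sample: an untrusted sender domain, a recipient that is not your address, a generic greeting, a link whose text and target hosts differ, and a link target outside the company’s domain. The domain comparison is deliberately crude (last two labels); a production filter would use a public-suffix list and a proper allow-list of sending domains.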
If you follow all the above advice, you should be fairly safe from email phishing, but you should still be mindful of phone impersonation. Scammers do not rely solely on email to get personal information.
Most of us have received phone calls from our bank asking for personal details to verify our identity before proceeding with the call. Such details usually include full name, date of birth and address. Think carefully before giving away that information. Are you sure the call is from your bank? When possible, check the caller ID, and refuse to answer these questions if the caller is not properly identified. This simple habit could protect you from impersonation attempts.
We should all be aware that people and companies are not always who they say they are. Without descending into complete paranoia, taking 2 minutes to check these small details could save you from many threats. As always, it is better to be safe than sorry.