You Need an Attack Plan Against Phishing and Spoofing. Here’s Your 5-Step M.O.

Spam has come a long way from Nigerian princes offering you a percentage of the millions in cash they need help moving to a U.S. bank account. It’s evolved into phishing, which fools you into revealing confidential information such as usernames and passwords; and spoofing, counterfeit emails sent with the intent of tricking you into taking reckless actions, usually downloading malware. Both have become sophisticated, subversive and very, very dangerous.

How bad is it? From January 1 to January 28 of 2019, Online Trading Academy’s security software and firewalls blocked 122,383 spam emails from reaching our employees, many of them phishing and spoofing attempts. That’s more than 4,500 per day!

Both phishing and spoofing try to manipulate you into divulging information or allowing access to your computer. They often use what is called social engineering: psychological manipulation that tricks you into opening an email and giving away information or making a security mistake. They do this by scanning the web for readily available pertinent information. It could be a press release about executive moves in a company, a roster of employees—anything freely available online that they can use to produce a counterfeit email or message. Their goal is to get you to lower your defenses and open the email by including something you know to be true or are expecting (“An Important Message From Our New Company President!”).

Here are 5 steps you can take right now to help size up and assess the legitimacy of an email. You should apply them to every single email you receive, whether it arrives in a work or a personal account.

1. Never Trust a Display Name

Scammers can use anything for a display name: your bank, a company you’ve done business with, a trusted brand or even someone you know. It looks legitimate because it’s usually the only piece of information your inbox displays. Carefully check the domain name of the email; it may vary by just a single character from the legitimate server. Give every header a double take.

2. Don’t Click a Link or an Attachment Unless You Know Exactly What Will Happen

A link can look recognizable and appear safe, but the hyperlink behind it could take you anywhere. Hover your mouse over the link and scrutinize the address. Make sure it lines up with a legitimate site. If you have any doubt at all, do a Google search and use your browser to get to the site.

3. Don’t Submit Personal Credentials Through an Email Link

Avoid transferring any sensitive information through an email. A bank, financial institution, credit card company or any legitimate company you do business with will never ask for your username, password or account number via email.

4. Check for Spelling, Grammar, and Anything That Looks or Feels “Off”

Thankfully, phishers and spoofers are notoriously bad spellers and sloppy with English. Any email you receive from a legitimate company has been proofread many times and by many eyes. Be on the alert if an email or subject line uses urgent or aggressive language such as “Your Account Has Been Suspended” or “Change Your Password Immediately.” Scrutinize the credentials in the email. And double-check that header: your bank is not going to send you an important email addressed to “Valued Customer.” Extortion-type emails are a newer and darker turn in the phishing wars. They may flaunt some information of yours taken from a data breach, like an old password, and claim they have accessed your computer and have evidence of suspect activities. Don’t fall for it.

5. Open Every Email in Think Mode

I don’t like being actively suspicious about every email I receive, but I am, and unfortunately, in this day and age, you have to be. I can defuse some quickly; if I’ve just had a conversation with somebody and I’m expecting a response, I know it’s pretty safe. You should only open an email if you’re expecting it, and even then, don’t trust it quite yet. Make sure there are no red flags and that it passes all your tests. And whatever you do, don’t click on any attachment until after you have read the email and verified that it’s safe.
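As an added example (not code from the original post or from Online Trading Academy), here are the checks from steps 1 and 2 done mechanically in Python: compare the brand a display name claims with the real sending domain, flag a sending domain that is one character off a trusted one, and flag a link whose visible text names a different host than its href. The trusted-domain list and the sample From header and HTML body are constructed for the demo.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of domains you actually deal with (assumption, not from the post).
TRUSTED_DOMAINS = ("examplebank.com", "tradingacademy.com")
LOOKS_LIKE_HOST = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance: catches a domain that is one character off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Step 1: the display name is free text; only the address domain counts."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower() and domain != trusted:
            flags.append(f"display name claims {brand!r} but address domain is {domain!r}")
        if domain != trusted and edit_distance(domain, trusted) == 1:
            flags.append(f"domain {domain!r} is one character off from {trusted!r}")
    return flags

def check_links(html_body):
    """Step 2: flag links whose visible text names one host but whose href goes elsewhere."""
    flags = []
    for href, text in ANCHOR.findall(html_body):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inline tags inside the anchor
        if not LOOKS_LIKE_HOST.fullmatch(text):
            continue  # plain words like "click here" make no host claim to compare
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual.lower():
            flags.append(f"link text shows {shown!r} but it points to {actual!r}")
    return flags
```

Run `check_sender` on the From header and `check_links` on the HTML body of a suspicious message; an empty list means neither check fired, not that the email is safe.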

Google has a very cool (and tricky) personalized online quiz to help you learn to tell when you’re being phished (go ahead and hover over the link, it’s safe!). Try it. As much as I like to think I know all the techniques spammers use, even I got one of the quiz examples wrong. Spoofing and phishing attacks are a cat-and-mouse game, and at Online Trading Academy we are continually updating our software and defenses to stay ahead of it.