1 What is phishing?
Now that anti-virus and other security packages are so good, the bad guys have had to find another way to get into your computer. They do this by social engineering, just like in the ‘Hustle’ programs on the TV.
Whilst many people say that Macs and Linux machines can’t get viruses, they are just as susceptible to phishing as anyone else, so read on…
2 The phishing attack
This is largely via an email inviting you to click a link or open an attachment. This action either:
● dumps a load of nasty stuff onto your computer and probably sends it on to others;
● gets you to type your security information into a web site.
But how do I spot one?
3 Typical ‘phishing’ emails
These claim to be from banks, Government, supermarkets, parcel companies and individuals – but it can be anyone.
4 Check the sender
First sense check is ‘do I know this person/organisation?’
If you don’t bank with Barclays, it is unlikely to really be them sending you an email.
Also, a sender shown by just a first name is quite a giveaway. A tip for you: make sure your own displayed name isn’t just ‘John’ or whatever, so your emails don’t fall foul of this.
But even if you know the sender, it may be someone impersonating them – it’s quite easy to do.
5 Check the topic
Many people fall for the ‘someone has sent you an e-card’ message. But isn’t it likely that the sender would be named?
Does the topic seem like the sort of thing that this person would send you? Does it ‘feel’ like them in style, etc?
Also common is offering a discount card for a supermarket.
Remember the ‘too good to be true’ test!
6 Check the message
This sounds obvious, but if the message is ungrammatical or misspelt it probably isn’t from HMRC!
Here’s one apparently from Barclays:
Due to concerns, for the safety and integrity of your online account we have issued this warning message.
It has come to our attention that your account details need to be updated due to inactive members, frauds and spoof reports.
Please download the document attached to this email and fill carefully.
Do not ignore this message is for your security.
Barclays Bank PLC.
That doesn’t sound like a bank to me, and why don’t they use my name?
7 Check the links
There may be a request to click a link. Here’s one from ‘Apple’, but really email@example.com:
Your Apple ID was used to sign in to iCloud on an iPhone 4.
Time: February 12, 2014 Operating System: iOS;6.0.1
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have accessed your account, please click here to confirm your details and change your password.
The test is to ‘hover’ over the link and somewhere on your screen you will see where the link will really send you. In this case it goes to:
Hmmm. That’s not what we thought, is it?
And shortened links are equally dangerous: where is http://dld.bz/ZmxJ going to take you?
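The sender check (section 4) and the ‘hover over the link’ test (section 7) can be automated on a raw email. The script below is an added example and is not part of this guide; the email it inspects is constructed for the example (example.com/.net/.org and 198.51.100.7 are reserved documentation addresses), and the shortener list is a small illustrative set, not a complete one.

```python
# Added example: automates two of this guide's checks, 'Check the sender' (section 4)
# and 'Check the links' (section 7), on a raw email. Not part of the original guide.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email for this example (not a real message).
# example.com/.net/.org and 198.51.100.7 are reserved documentation addresses.
SAMPLE_EML = """\
From: Apple Support <email@example.com>
Reply-To: verify@example.net
To: john@example.org
Subject: Your Apple ID was used to sign in to iCloud
Content-Type: text/html; charset="utf-8"

<html><body>
<p>If you did not sign in, please
<a href="http://appleid.verify.example.net/login">click here</a>
to confirm your details at
<a href="http://198.51.100.7/apple">https://appleid.apple.com</a>.</p>
<p>Or use this short link: <a href="http://dld.bz/ZmxJ">http://dld.bz/ZmxJ</a></p>
</body></html>
"""

# Small illustrative list of link shorteners; real blocklists are far longer.
SHORTENERS = {"bit.ly", "dld.bz", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Link text that tells you nothing about where the link goes.
GENERIC_TEXT = {"click here", "here", "login", "log in", "confirm", "verify"}


def _registrable(host):
    """Crude 'organisation' part of a host name: its last two labels.
    Good enough for this example; a real tool would use the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> tag in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the visible text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_sender(msg):
    """Section 4: does the displayed name match the address it really came from?"""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = name.split()[0].lower() if name else ""
    if brand and from_domain and brand not in from_domain:
        findings.append(f"display name '{name}' but address domain is '{from_domain}'")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"replies go to '{reply}', not to the From domain")
    return findings


def check_links(html):
    """Section 7: the 'hover over the link' test, applied to every link in the body."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        reasons = []
        if shown and _registrable(shown) != _registrable(host):
            reasons.append(f"text shows {shown} but the link goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("destination is a bare IP address, not a company name")
        if _registrable(host) in SHORTENERS:
            reasons.append("shortened link hides the real destination")
        if not shown and text.lower() in GENERIC_TEXT:
            reasons.append(f"generic '{text}' text hides the destination {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


def triage(raw_email):
    """Run both checks on a raw RFC 822 message and return the findings."""
    msg = message_from_string(raw_email)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, errors="replace")
    return {"sender": check_sender(msg), "links": check_links(body)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_EML).items():
        print(section.upper())
        for item in items:
            print(" -", item)
```

On the constructed message this reports two sender problems (the ‘Apple’ display name does not match the sending domain, and replies go somewhere else again) and three suspect links: a generic ‘click here’, a link whose text shows one site but goes to a bare IP address, and a shortened link whose destination cannot be seen at all.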
8 Still unsure?
8.1 Go direct to the website
If you still think it might be genuine, then go direct to the company website by typing the address you normally use into a browser yourself and logging in.
8.2 Ring them up
I’ve done this and asked people I know if they actually sent the email.
You can do the same to businesses if you want, but see the advice on ‘Phones’ below.
9 Don’t enter data
That’s what they want. Never, ever, ever enter your user names, passwords, PIN etc. A genuine email from the real people should never ask you for this: if they do, then move company!
10 Stay away from attachments
Here’s an email from ‘HMRC’:
Annual Tax Review: Friday The 7th, Feb. 2014.
We are sending you this email because of your tax calculation.
Tax year ending 2012/2013 indicates you pay more tax than you should.
You are entitled to receive a tax refund.
Note: Download the form attached to this letter to complete your tax refund.
HM REVENUE AND CUSTOMS.
This is a great example of a phishing email. The feel is completely wrong, there is no personalisation and they want me to open an attachment. Well, my antivirus deleted the attachment saying that it was a virus but I wouldn’t have clicked on it anyway.
11 Never unsubscribe
This also applies to spam. Emails are sent out to random addresses. Unsubscribing tells them your address is genuine, so you get loads more.
12 Other channels
12.1 Twitter
There is a whole industry trying to break into Twitter accounts. Typically someone you know apparently sends you a tweet along the lines of ‘I saw this about you’. You click on the link and whammo, you are compromised.
12.2 QR codes
These are little squares that you see on adverts or packages, like this:
You take a photo of them on a smartphone and they take you to a web site, download an app, whatever. Usually it’s fine but be careful of clicking them on a cheap leaflet, poster etc. as you don’t know where you’ll end up. Even IT security experts get suckered this way!
12.3 Phones
Yes, our old friend is used this way. You get rung up on your landline about a ‘problem’ and asked to verify your details. Now, you say you won’t give out your security data because you don’t know who they are (they have just rung up!). So you call the bank or whatever.
The clever bit is that they don’t put the phone down and it is the calling phone that ends the call. So you dial the number of the bank or whatever, the person at the other end takes you through the security questions and you feel happy. But you are still talking to the person who rang you up in the first place as that call is still live!
So when you do call back, check for a dialling tone before you dial.
Now you have the information that you need to prevent being attacked.
This is one in a series of guides from the flying doctor to help you keep your computer safe.