In these times of pandemic, many good people (like essential workers, first responders, and doers of random acts of kindness and charity) continue to help others. Unfortunately, there are those that continue to prey upon others by casting snares to compromise confidential and sensitive information like social security numbers, credit card numbers, and passwords.
This is generally known as “phishing” and the ordinary citizen would be surprised at the sophistication of these attacks, the simplicity of these attacks, and the effectiveness of attacks on personal data (and $aving$).
Phishing is decades old and, as technology advances, phishing attacks grow exponentially due to the increased accessibility to people and businesses. This article briefly addresses some of the more common phishing attacks and countermeasures.
The Primordial Sea
The early days of phishing featured scams where subjects were approached via email by purportedly jailed African princes looking to reward others for helping “royalty” free their vast fortunes. It took a while for the most greedy prey to realize that they were being scammed. Although similarly themed scams still abound, these days phishing attacks can be much more sophisticated in their approach, look, and feel.
Phisherman’s Tools of the Trade
Yes, the phisherman’s bait box includes worms like malware, link manipulation, “spearphishing” , “spoofed” emails, and “vishing” and other sophisticated techniques designed to ensnare your private and confidential information. I could author a separate article for each and every one of the numerous traps that can be laid for the unsuspecting person or business. However, this article will serve only as a brief and general description of more prevalent phishing hooks/bait and some common sense wake-up calls and protections to combat the unwanted trawler.
Common attacks include emails that can contain malware and other nasty “launchables”. Attacks can allow the cybercriminal to track your keystrokes, gain access to your data, and authorize your device to run other functions and programs. The criminal casters can “spoof” legitimate vendors. Did you get an email about tracking a surprise FedEx delivery, resetting a password, an “automatic response” from a vendor/email you did not contact, a failed log-in attempt, confirming a purchase, or renewing your virus protection software? BE CAREFUL! Also, some phishing emails can blindly extort you by notifying you that your private information or photos have been accessed, and then demand a ransom. For businesses, hackers gain access to key information systems via compromised passwords or other weak IT security protocols, and then cripple the business by shutting down information technology systems until a ransom is paid. Similar to the old “send me money to help free my fortune” scams, beware general inquiries to your business “info@” email address. Venture capitalists with millions to invest in your business don’t send general solicitations to “contact us” email boxes. Although credit card companies and financial institutions greatly enhanced their fraud prevention programs, these programs result in email traffic confirming purchases which means you must increase your diligence to sort out the bona fide notifications. Set your credit card and banking notifications to low dollar amounts. Typically, your compromised data will be tested with a small purchase before the “Pretty Woman” shopping spree begins.
We all get unsolicited phone calls at home or on our cell phones. These calls range from the completely bogus phish to the legitimate business call. Even the calls that are arguably legitimate typically try to sell you on a product or service that you don’t desire (or need) … not to mention automated Chinese language calls (which are typically an attempt to threaten Chinese foreign nationals with deportation unless they pay a fee by phone). The Internal Revenue Service or a criminal/enforcement division of a government agency rarely (if ever) calls first.
So, what’s a phisherman desired catch? Tasty hooked information includes: access to laptops and personal computers, passwords, Social Security numbers, access to bank accounts and credit card numbers, and the equity in your home (with your Social Security number, phisherman can remotely apply for a home equity loan on your house). Many times, the phisherman sells your information on the dark web. That’s how they make their money. The buyer of that info, in turn, makes new credit cards and then sells those cards to the shoppers. For an entertaining factual accounting of this kind of cybercrime, read Kingpin which chronicles the exploits of a computer hacker who stole access to nearly two million credit card accounts.
So, what are some very basic protections that we “phish“ can use to avoid the hook? Here’s a brief list of some anti-phishing tactics:
* Never provide your Social Security number or any private or confidential information if you have any doubts.
* Regularly change your passwords. Make your passwords somewhat complex by using numbers and symbols and a mix of both upper case letters and lower case letters. Never use the same password for different vendors, websites or financial institutions (otherwise one password breach will ripple through your pond of privacy and financial protection). Use a secure password keeper on your cell phone to track and keep all your relatively complex passwords. Try to have a backup for that password keeper just in case your phone fails. Don’t let anyone know what your passwords are or where you keep your passwords. All this is worth the risk of the outrage of your teenage children when they can’t instantaneously access Netflix.
* Don’t click on suspicious email embedded links. This is not Storage Wars and the link won’t likely bring you to a storage locker full of goodies.
* Don’t store credit card numbers on websites. Otherwise, you are trusting that vendor’s security protocols.
* If you think there is a remote chance that the request for information is for a legitimate reason, don’t reply to an email, don’t click on any embedded link, and (in the case of a phone call) hang up the phone first. Then, find out the legitimate contact information of the subject vendor, confirm that contact information, and then call them directly (or visit their website via your own direct search).
* In the case of apparent spoofed emails, run your cursor over the sender’s email address. If the email shows to be a gmail account or a strange looking email address with lots of numbers and/or a suffix not related to the vendor, delete the email. In fact, it’s probably good practice to permanently delete anything you suspect as being fraudulent. If you feel like a credit card alert could be legit, where possible, download the financing institution’s bona fide app to your phone and monitor your purchases via secure application.
* On your cell phone, each time you get one of these unsolicited phishing calls, block the number. For me, this reduced the number of anonymous Chinese calls and requests to extend car warranties by over half. You can block numbers both on your cell phone and, if your home phone number is supported by VOIP, you can also block numbers via your service provider’s website (I know that Optimum allows you to do this). Using the national Do Not Call Registry is a good idea (www.donotcall.gov).
* Add a credit monitoring app to your phone. Credit Karma is pretty good. If your information has already been compromised (for example if a large financial institution’s database was breached and your Social Security number is out there), upgrade to a monthly subscription service that’s more aggressive in its monitoring. In addition, by contacting any of the four major credit agencies (EquiFax, TransUnion, Innovis and Experian), you can put a personal “credit freeze” in place. With a credit freeze in place at any one of the major agencies (the agencies share freezes with each other), no third-party can pull credit on you without having the freeze lifted which can only be done by your action. The https://www.OptOutPrescreen.com service protects from unauthorized credit checks. Thus, you won’t get a surprise home equity loan on your house or a Best Buy credit card in your name for the purchase of an entirely new suite of kitchen appliances shipped elsewhere. Yes, it adds an extra level of diligence when you want to use new credit financing for your own situation (for example, a new car lease), but the protection is sound. By the way, as a general rule, you are not responsible for fraudulent credit card purchases.
* Ignore general solicitations for investment in your business through people you don’t know. Share information only after vetting a third party, then seek out an attorney to draw an appropriate confidentiality agreement for your business which includes a no-solicit provision. If a legitimate someone is truly interested in investing in your business, they will find you through more direct business introductions.
* Yes, we all want to increase our social networking profile. BUT, accepting a new friend or a new LinkedIn contact may come at a cost. Take the time to figure out truly whether you know this person or whether networking with them will be beneficial (after briefly vetting the background through publicly available tools).
* Don’t engage anonymous extortionists or blackmailers (unless they separately convince you that they do truly have the goods on you and, in which event, consider hiring a private detective, lawyer and reaching out to the police).
* I know this next one’s going to be a downer… BUT … resist the temptation of pranking back the anonymous caller or emailer. As much fun as it could be to spend a half hour on the phone messing with a telemarketer or replying to unsolicited email with a “Get lost!” (or less nice words), why make yourself a target for a sophisticated hacker type?
* For businesses, train your employees and make them savvy about the items we discussed. They too should not click on any potential spoofing emails on business devices. Teach them to report any potential incursions to your IT department. Discourage (or prohibit) Internet browsing from company devices. Make sure that employees regularly change passwords. Challenge your employees to safely store passwords (rather than on Post-its attached to computer monitors).
* Yes, all of our time is precious, but putting two factor authorization on websites and applications is great protection.
* SHRED, SHRED, and SHRED some more. While reviewing your (snail) mail, sort it. When done, SHRED all mail that contains personal information. Credit card company flyers enticing you to apply for a new card typically no longer allow third parties to use that flyer/application to open credit in your name….but…SHRED THEM ANYWAY. Using https://www.OptOutPrescreen.com can also reduce your junk mail.
* There are websites (like www.scambusters.org) that can help you debunk myths and check for phishes and scams. If you are presented with an email or phone call that’s suspicious, take the time and describe the suspicious request and add the word “scam“ or “phish“ to a Google search. You can also Google the sender’s email or phone number (again, with the word “scam”).
* Listen to your “Little Voice”. One of my favorite TV shows in the 80s was Magnum, P.I. Solving mysteries, Thomas Magnum always listened to his “little voice”… which was his intuition barking at him. If somethings seems suspicious or too good to be true, listen to your intuition and back it up with logical analysis.
*DON’T PANIC. “Little Voice” or no “Little Voice”, slow down and think clearly.
Those are just some basic tactics that you can take to stay off the hook and protect your privacy and wallet. Remember, as we get smarter, phishermen get more creative. Stay vigilant!
For more information, please contact Robert Londin.