Phishing: “Trust Me…”

October is recognized as Cyber Security Awareness Month, so what better way to start a weekly Tech Tuesday piece than with a relevant topic that we can all benefit from?

No, this is not an article about the finer points of fly reels and tackle to bring along to catch sea bass. Phishing is a term used to describe a type of typically email-borne attack that affects hundreds of millions of people each year. Here’s the description Wikipedia gives for phishing:

“Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.”

Allow me to translate that to English. Phishing is when someone tries to obtain personal information from you by posing as a legitimate source. Phishing can take place over any electronic medium, but email is primarily where the bulk of phishing attacks originate. So, how can you identify a phishing email? Most phishing emails have a few things in common:

Lack of Personal Info

Most phishing emails are written to be widely applicable, so they will almost never include any personal information like names, addresses, phone numbers, salutations or greetings, etc. Here’s an example of what I mean:

    “Hello sir or madam,

    Your password has expired. Please click here to change it.

    Thank you,
    Customer Support.”

Notice how that message has zero personal information? The sender and recipient could be anyone, and it would still be appropriate.

They Need You to Act

Phishing emails need you to perform some action in order for them to work. This could be any of the following:

  • Going to a webpage
  • Responding with personal information
  • Downloading a file
  • Sending money

This is the whole point of phishing: The email is the bait, and they want you to bite. Once you provide that information, you’re on the hook.

The Source Does Not Matter!

This is one of the hardest things to come to terms with. Just because an email looks like it is from a particular sender does not mean it came from them. The “From” address in an email can be forged by an attacker who knows what they are doing.

A Sense of Urgency or Danger

For most scams to work, they need a way to coerce people into not thinking about a situation rationally. This is done with very high stakes or consequences, or by imposing a sense of urgency. Take the short email we looked at above, but let’s modify it a bit to highlight exactly what I mean:

    “Hello sir or madam,

    Due to a recent security breach, your password may have been stolen. This could lead to identity theft, credit card fraud or your personal information being available to cyber criminals. We strongly urge you for your own safety to click here to change your password.

    Thank you,
    Customer Support.”

The above has it all! A time limit, impending consequences if you don’t comply with their request, and an appeal to one of the most basic human emotions: fear. The intention of phishing emails like this is to get you to panic and buy into the scam BEFORE you have a chance to rationally evaluate the situation.

It’s a dangerous world out there!

Yes, it is. However, with the right tools and knowledge, you can protect yourself, and you don’t even need a tinfoil hat to do it. Here are some best practices to follow if you suspect an email is a phishing email:

1. Don’t panic! If Douglas Adams taught us anything, it’s that whales can’t fly, and not to panic. If it is a phishing email, they want you to panic and act quickly rather than logically.

2. Check the links. If the email wants you to open an attachment or respond to the email with some information, proceed to step 3. Most phishing emails will want you to click a link. Using JAWS makes this a bit tricky, but here’s how:

  • Locate the link, and use your applications key to open the right-click menu. If you don’t use JAWS, you can just right-click as normal.
  • Use your arrow keys to move down to an option that is something similar to “Copy link location.” Other possibilities are “Copy URL,” or simply “Copy link.” This option varies based on what program you are using to read the email. This copies the web page you will be taken to should you open the link.
  • Open a text document and paste in the link. Check if the link is actually taking you to where it says it is. If the email is from PayPal, and the link goes to a website you have never heard of, it’s a big red flag it could be a phishing email.

3. Contact the sender. Avoid using the contact information provided in the email. If the email is from Amazon, go find the Amazon customer service number on their website, and speak with someone about the email you have received.
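The link check from step 2, automated as an added Python example (this is not code from the original article): it parses a constructed sample message, compares each link’s real destination with the sender’s domain and with the URL the link text displays, and reports the same red flags the steps above ask you to look for. The sample message and the `registrable` helper are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real mail): From claims PayPal, but both links go elsewhere.
RAW_EMAIL = """\
From: "Customer Support" <support@paypal.com>
Content-Type: text/html; charset="utf-8"

<p>Hello sir or madam,</p>
<p>Your password has expired. Please <a href="http://paypal-login.example.net/reset">click here</a> to change it.</p>
<p>Or use <a href="https://paypal.com.example.org/account">https://www.paypal.com/account</a>.</p>
"""

class LinkCollector(HTMLParser):
    # Records (href, visible link text): the href is what "Copy link location" reveals.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Rough "last two labels" domain; fine for this demo, not for suffixes like .co.uk.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def suspicious_links(raw):
    """Return (href, reason) for every link that does not go where the mail claims."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = registrable(msg["From"].addresses[0].domain)
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != sender:
            findings.append((href, f"points to {host}, not the sender's domain {sender}"))
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable(shown) != registrable(host):
            findings.append((href, f"displayed as {shown} but really goes to {host}"))
    return findings
```

Calling `suspicious_links(RAW_EMAIL)` flags both links: neither goes to paypal.com, and the second one displays a PayPal address while pointing at a different host.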

The above is but a primer on the topic of phishing. The best defense against phishing emails, in the end, is critical thinking. Nothing sent via email is going to demand immediate attention: that’s what phone calls are for. And yes, phishing can take place over the phone, too. If ever you still have doubts about an email, err on the side of caution. For further reading...


Brian Upshaw is the IT Systems Administrator and Desktop Support Technician instructor for World Services for the Blind. Having been visually impaired his whole life, he fell in love with technology when he was 11 after accidentally breaking—and then fixing—his grandparents' computer. Before graduating high school, he had learned five programming languages, led two development teams and even helped jumpstart a friend’s web hosting company. Outside of work, he enjoys video games, music, philosophy, street magic and playing with his guide dog, Morgan.