Phishing e-mails are not merely annoyances like spam; they are real threats to your privacy and online security! Of the myriad ways criminals try to steal online identities, phishing is by far the most common.
What is a Phishing Attack?
A phishing attack is a method used by criminal hackers to dupe their victims into giving up their credentials or other information in order to gain unauthorized access to their account(s) and take over their identity and/or finances. Most phishing attacks begin with a user receiving an unsolicited e-mail that appears to come from their company's IT department or help desk, a shipping courier, a government agency, a bank or some other financial institution, or any high-profile company with which one might do business. These e-mails are known as phishing e-mails. Phishing attacks, however, can also begin with an unsolicited phone call, text message, fax or even a flyer.
Some phishing e-mails are designed to trick you into clicking on a link which leads to your computer getting infected with malware - malware designed to watch your keystrokes and grab passwords, or to install "back doors" which hackers then use to take control of your computer. They then use your computer to hack into systems and servers on your network and beyond. This is important to remember, as even just clicking a link within a phishing e-mail can have bad consequences.
Example 1: The "IT Help Desk Account E-mail"
In this example, we see the classic e-mail that looks like it comes from a help desk asking for your username and password in order to ensure your account is not turned off. This is quite common. Often, the subject line is something akin to, "Warning! E-mail Quota Limit" or something similar. The e-mails often threaten, "permanent deletion," or "infection!!!"
It is important to remember that most legitimate organizations do not e-mail you asking you to click a link and enter your username and password in order to keep your e-mail flowing. While some organizations do practice this type of contact with their end users, they go to great lengths to use proper English and a consistent template. Either way, always, always be wary of links embedded in an e-mail, especially when the e-mail is unsolicited. As you see in the e-mail below, you can tell it is a phishing attempt by hovering your mouse over the "CLICK HERE" link. Notice (in the bottom image) how the link goes to some place other than colgate.edu?
Try it. Hover your mouse (don't click) over this link, http://www.yourbank.com. Notice what it says in the bottom-left of your browser? Creating links in an e-mail like this is trivial to the common criminal hacker.
Example 2: "The Shipping Fraud E-mail"
In this example, notice the e-mail looks like it came from usps.com. The body of the message even looks like an e-mail you might get concerning a legitimate shipping transaction!
Once again, if you were to hover over the links in the actual e-mail, you'd notice that what the link says and where it points are not the same place!
How to Spot a Phishing E-mail
We've seen above that one of the ways you can spot a phishing e-mail is to hover over the link (don't click) and see if the actual link matches the text displayed in the body of the e-mail. Here are more things to look for when determining if the e-mail you received is legitimate:
- Did the e-mail come to you unsolicited?
- Is the sender a stranger to you?
- Is the sender's e-mail address domain different from the company's web site?
- Is the link in the e-mail different from the organization it claims to be?
- Does the e-mail claim to be from a help desk and talk about account "quotas"?
- Does the e-mail claim to be from a help desk and talk about infections?
- Does the e-mail claim to be from a law enforcement agency?
- Is the e-mail from an online shopping site you never use or haven't used lately?
- Does the "To:" field in the e-mail list hundreds of names and e-mail addresses?
- Does the e-mail sound threatening in any way, especially legally or financially?
- Does the sender of the e-mail use poor grammar?
- Does the link go to (example) "colgate.WEBS.COM"? (not COLGATE.EDU)
- Does the link say, "c0lgate.com" instead of colgate.edu?
- Is the e-mail from an individual's e-mail address instead of an official account?
- Is it tax season?
- Is it a holiday season?
- Has there been a major tragedy in the news lately?
- Did you receive the e-mail early in the morning or late at night (after hours)?
If you can answer yes to any one (or more) of these questions, the e-mail may be a phishing attempt. Phishers like to use "scare" tactics as well as humanitarian needs to dupe their victims into clicking their links and providing their information. They often try hard to make the e-mail look legit and avoid sending their e-mails during normal business hours.
How Can I Protect Myself?
Protecting oneself from a phishing attack is not complicated; however, as phishing e-mails become more sophisticated, the potential to become a victim grows. Here are some tips to avoid becoming a victim, steps you can take that would minimize the damage if you do, and steps you should take if you do fall victim to a phishing scam.
How to Avoid it...
There are many ways to avoid becoming a victim of phishing and to prevent its propagation.
- Be skeptical and vigilant. Ask yourself the questions listed above when reading your e-mails.
- Turn on spam filtering. While this won't catch all phishing e-mails, it will catch some.
- Never click the links in any unknown, unsolicited e-mail, ever.
- Install and use antivirus software on your computer that scans incoming e-mails.
- Always keep your computer, its browsers, plug-ins and antivirus up-to-date.
- Report incidents to ITS and/or the real institution portrayed in the e-mail.
- Send phishing e-mails to your Spam folder by following these instructions.
How to Minimize it...
There are many things you can do to minimize the impact of a phishing scam should you become a victim.
- Don't use your business e-mail for personal use.
- Never send passwords, credit card, bank account, or social security numbers in an e-mail, ever.
- Change your passwords often and never use the same password on different accounts.
- Purge your inbox on occasion.
- Don't use e-mail for sensitive conversations.
- Report incidents immediately.
How to Recover from it...
Even if you just clicked the link and didn't give out your credentials, you should do the following. The link may have installed malware that collects your information as you type.
- Report the incident to ITS immediately.
- Report the incident to the real institution ASAP.
- Run a virus scan on your computer (yes, even on a Mac).
- On a clean computer, change your password(s) on all your accounts.
- If your bank account may be compromised, enroll in a credit monitoring service.
- Watch for suspicious activity in all your online accounts.
What Does a Real Colgate "ITS Alert" E-mail Look Like?
Our ITS department will send you actual alerts from time-to-time. These alerts follow a specific pattern, come from designated senders and accounts, and never threaten to shut off your account or send you to sites which ask you to "verify" your account credentials. Our e-mails will always come from one of the following three accounts: ITSAlerts@colgate.edu
Example of an Authentic ITS Alert E-mail
Why is Phishing So Dangerous (and Effective)?
Phishing attacks are designed to take advantage of their victims through manipulation - often through fear. The e-mails are made to look legitimate to make you trust the information. The subject is meant to make you feel uncomfortable (financially or otherwise). These e-mails often provide their reader a way to "correct" the situation.
For example, in the first example above, the e-mail looks like it comes from a legitimate source (trust). It then says your account has been infected and may be shut off (discomfort / fear). Finally, it gives you a way to correct the situation by providing a link (power). To boot, this e-mail provokes the victim to act quickly by displaying an arbitrary time limit (48 hours) in which to react before losing all their information.
Phishing attacks are dangerous because of the data a hacker gets access to through a compromised account. Once a criminal gets access to their victim’s e-mail account, they have access to everything the victim uses their e-mail account for - for example, communications with their bank(s), travel agents, co-workers, family & friends, and other online services. In other words, if the e-mail account you use to verify your identity when you forget your Facebook or bank password is compromised through a phishing attack, the criminal can now reset your Facebook and bank passwords too!
Many of us take the proper precautions and do not mix our business e-mail accounts with personal matters such as in the example above. Many of us do not have sensitive information stored in our e-mail or in online documents. This is, however, still a treasure trove for the criminal hacker. Imagine, if you will, that your e-mail account is used on a regular basis to send mass e-mails to a large part or all of the Colgate community. Every user on campus or in your department may instinctively trust your e-mails and take the actions asked of them in those e-mails. Thus, a hacker may hijack your e-mail account and use it to propagate another phishing attack - and keep doing so until they gather as many passwords and as much inside information as they can get their hands on. Additionally, while you alone may not have all of what a hacker is looking for, you may have (in your e-mail account) some of what they need to put the pieces together. For instance, perhaps you OK wire transfers or were part of a hiring search committee in the past.
Lastly, some phishing attacks are made to propagate malware and viruses. Sometimes merely clicking the link in a phishing e-mail can install a virus or “backdoor” into your computer which hackers can then use to take control of your computer without your knowledge - using it to steal passwords as you type or to launch cyber-attacks against other systems and servers.
How Does Phishing Work?
Phishing works by exploiting your trust that an urgent communication has come from a legitimate source. It then points its victim to a web site or Google Form that also looks legitimate. Often, the messages refer to password/e-mail account resets, shipping notices, tax refunds or payroll changes - anything which would spark your "urgent" curiosity!
A criminal creates a phishing e-mail by one of several methods. Two common methods are open mail relays on the Internet, or malware designed to launch e-mails from infected machines. Either way, the end result is an e-mail whose "FROM" line looks as though it came from a real e-mail address in a real organization or perhaps even a friend. Often this is done not only to trick the reader but spam filters as well!
The body of the e-mail message is also made to look like a legitimate e-mail from the purported source. Take, for example, the phishing e-mail in the second example above. Notice how the message looks like it came from the US Postal Service. At first glance, one would think this e-mail is completely legitimate - it looks exactly like the real thing!
The links in the e-mail, however, are where the poison is. Notice the links say they point to www.usps.com/clicknship? In reality, they don't point the user there. These links actually send the user to a page that installs malware on their machine, or to a web server hosting a copy of the real website. Often the fake websites are hosted on free web hosting services or on other hacked servers and machines. This, together with the use of open mail relays and hacked machines to send the e-mails, makes tracking down these criminals extremely difficult, if not impossible.
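As an added example (not code from the original page or from Colgate ITS), here is a small Python checker that applies the checklist questions above and the link-hover test from the examples to a raw e-mail: it compares the sender's domain with the organization's, the visible link text with the real href, and flags links that land off-domain or on a lookalike such as colgate.webs.com or c0lgate.com. The sample message is constructed, and the trusted domain colgate.edu is assumed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real e-mail) using the page's lookalike domains.
SAMPLE = """\
From: IT Help Desk <helpdesk@c0lgate.com>
Subject: Warning! E-mail Quota Limit
Content-Type: text/html

<a href="http://colgate.webs.com/verify">CLICK HERE</a> within 48 hours or use
<a href="http://c0lgate.com/login">http://www.colgate.edu/login</a>
"""

class _Links(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self._href is not None: self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href)); self._href = None

def registered_domain(host):
    """Last two labels: www.colgate.edu -> colgate.edu, colgate.webs.com -> webs.com."""
    return ".".join(host.lower().split(".")[-2:])

def looks_alike(domain, trusted):
    """Digit-for-letter swaps in the left label, e.g. c0lgate vs colgate."""
    left, real = domain.split(".")[0], trusted.split(".")[0]
    return left != real and left.translate(str.maketrans("0135", "oles")) == real

def phishing_indicators(raw, trusted="colgate.edu"):
    """Checklist hits: sender domain, link text vs. href, off-domain or lookalike links."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, sender = [], msg["from"].addresses[0].domain
    if registered_domain(sender) != trusted: findings.append(f"sender domain {sender} is not {trusted}")
    parser = _Links(); parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for text, href in parser.links:
        host, shown = urlparse(href).hostname or "", urlparse(text).hostname or ""
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append(f"link text says {text} but goes to {host}")
        if registered_domain(host) != trusted:
            findings.append(("lookalike" if looks_alike(registered_domain(host), trusted) else "off-domain") + f" link to {host}")
    return findings
```

Running `phishing_indicators(SAMPLE)` on the constructed message reports the forged sender, the link whose text and destination differ, and both the subdomain trick and the digit-substitution lookalike.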
Where Can I Learn More?
The following links are good resources for learning more about phishing:
- Google
- SC Magazine
- PayPal
- US-CERT
- Wikipedia