Anti-Phishing Tips

Phishing scams are everywhere – in your inbox, your web browser, and even on your smartphone. Here are a few tips we hope will help prevent you from getting hooked.

Recognizing a Phishing Email

First and foremost, it’s important to know how to recognize an email that is actually a phishing scam. After all, as the Canadian Government reported, there are an estimated 156 million phishing emails sent PER DAY. This inevitably results in 80,000 clicks – don’t be one of them.

First, look at the sender's actual address, not just the display name, and make sure the two match.

It may say it's from your bank or another company, but is it really? Legitimate senders such as PayPal or Amazon use addresses on their own domain, like service@paypal.com or store-news@amazon.com. Spoofers often use an address that looks deceptively similar (e.g. info@paypal.uk or amazon-alert@mail.com) but, on closer scrutiny, is not on the company's real domain.

TIP: Make sure your email reader is configured to “show the full header” or hit “reply all,” which will help reveal phony addresses. Here’s how to do it in Outlook via ExtendOffice.com:

[Screenshot: enabling the full message header in Outlook, via ExtendOffice.com]

Next, look at the subject line.

Does it use proper spelling and grammar? Or is it threatening or urgent and written in ALL CAPS? Many phishing scams come from Eastern Europe, Russia, or Brazil, so misspellings are an immediate clue that it's not legit. So is the use of all caps, which rarely happens in a professionally written email from a legitimate source.

Third, look at the contents of the email.

Is it personally addressed to you? Does it contain specific information about your account (e.g., the last 4 digits of the account number)? Again, is it written in proper English?

These are obvious red flags, but clever phishers may still be able to fool you. Many scam emails incorporate real company logos and legitimate-looking links.

For example, put your mouse over this link, but don’t click on it: My Chase Online Account

The URL revealed in the popup is not a link to Chase at all. In this case it simply goes to a warning video from SecurityIQ, but in an actual scam it would take you to a phony website that could cause you harm.

[Screenshot: the real destination URL revealed by hovering over the link. Image source via http://tech.homesokc.com]

TIP: Look for URLs whose domain correctly matches the company (chase.com, amazon.com, etc.) and beware of those with unexpected dashes or numbers in them. eBay has a page that goes into more detail about common spoofing tricks (for example, they explain that http://signin.ebay.com@10.19.32.4/ is not a real eBay address because of the @: a browser treats everything before the @ as a username and actually connects to 10.19.32.4). Another important thing to note is that legitimate links from these types of institutions usually have an "https" URL, which signifies an encrypted connection; keep in mind, though, that https only tells you the connection is encrypted, not that the site behind it is the real one.
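The sender-address and hover checks described above can be automated for triage. The following is an added example, not code from the article or from SecurityIQ; the brand-to-domain allow-list and the sample headers and links are constructed for illustration, and the "registrable domain" helper is a crude two-label approximation rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of the domains each brand really sends from and links
# to; in practice you would maintain this yourself (it is not an official list).
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "ebay": {"ebay.com"},
    "chase": {"chase.com"},
}

def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_check(from_header: str, brand: str) -> list[str]:
    """Reasons the From: address does not belong to the brand the name claims."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip()
    if "@" not in addr:
        return ["no email address found"]
    domain = addr.rsplit("@", 1)[1].lower()
    if registrable_domain(domain) not in BRAND_DOMAINS.get(brand, set()):
        return [f"sender domain {domain!r} is not an official {brand} domain"]
    return []

def link_check(url: str, brand: str) -> list[str]:
    """Reasons a link fails the hover-and-look checks from the article."""
    reasons = []
    p = urlparse(url)
    host = p.hostname or ""
    if p.username is not None:  # text before '@' is userinfo, not the host
        reasons.append(f"'@' trick: browser connects to {host!r}, not {p.username!r}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("host is a bare IP address, not a domain name")
    else:
        dom = registrable_domain(host)
        if dom not in BRAND_DOMAINS.get(brand, set()):
            reasons.append(f"host {host!r} is not an official {brand} domain")
        if re.search(r"[-\d]", dom.split(".")[0]):
            reasons.append("unexpected dash or digit in the domain name")
    if p.scheme != "https":
        reasons.append("not an https link")
    return reasons

if __name__ == "__main__":
    print(sender_check("PayPal <info@paypal.uk>", "paypal"))
    print(link_check("http://signin.ebay.com@10.19.32.4/", "ebay"))
```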

Finally, be suspicious of any and all attachments, especially if it is an .exe file!

While many anti-virus programs will block such files from being downloaded, they are sometimes hidden inside .zip files or other archives. Photos (jpeg, png, gif) are more likely to be safe, as are PDF, Word, or PowerPoint documents, but you still need to be wary: Office documents in particular may contain macros, which can infect computers.

TIP: If you aren’t expecting a file or attachment from someone, don’t open it! If it doesn’t feel right, go with your gut. If it’s from someone you know, follow up with a phone call or communication by a different method.

Now that we’ve given you some general tips, let’s examine a few more sophisticated examples from SecurityIQ’s library of phishing templates, shall we?


Netflix Password Change

[Screenshot: Netflix password change phishing template]

With more than 46 million subscribers in the U.S., Netflix spoof emails are quite common. And while this email passes a couple of the tests outlined above (proper English, professional tone), note that it doesn't address the subscriber by name. If this were an actual email instead of a screenshot, you would also notice that the hyperlinks fail the "hover" test, as they don't go to netflix.com.

Security Update

[Screenshot: security update phishing template]

This is an innocuous-looking email that pretends to be from a corporate IT department asking a user to complete a security update. Again, were this a real email, you would first look at who it is really from (the sender's domain likely isn't your company's), and it would fail both the personalization and the hover test. If you received an email like this, a phone call to IT to confirm would be in order.

Notice to Appear

[Screenshot: notice to appear phishing template]

This is the type of notification nobody likes to receive: a summons to appear in court. But several things should set off alarm bells that it’s not legit. First, the grammar is awkward, particularly for someone who claims to be a lawyer; second, these types of legal documents are usually delivered in person, not via email. Still, it has the recipient’s name and may cause someone who gets it to instinctively panic and click without thinking. (A 2008 phishing attack targeting high-level executives with a phony subpoena similar to this ensnared some 2,000 of its recipients.)

Secure Browsing

Another, more insidious form of phishing can happen inadvertently while surfing the web. Visiting a website that has been compromised can result in malware being downloaded to your computer in the background (sometimes called a "drive-by download").

To protect against these types of intrusions, the latest versions of popular browsers like Chrome, Firefox, and Safari have built-in security techniques such as “sandboxing,” which prevents websites from accessing information on a user’s hard drive. They also compare websites the user is visiting against lists of recently reported malware or phishing sites, which are continually updated every 30 minutes. These security protocols are on by default so, unless they’ve been changed, users are likely protected, at least in theory.

The problem is, according to IBM, the majority of phishing sites do most of their damage within their first hour of operation, possibly before they are even discovered and alerts are sent out. Older browsers and operating systems are particularly vulnerable, especially if they haven't been (or cannot be) updated.

To stay safer, some tech geeks recommend disabling and/or uninstalling Adobe Flash and Java, two programs with vulnerabilities that are popular entry points for malware and phishing. Gizmo’s freeware site has a detailed list of instructions as to how to harden your browser against these kinds of attacks.

At the very least, in order to stay secure, you need to make sure that you have the latest updates of Java and Flash and are running the most modern version of your browser your operating system can handle. All plug-ins and extensions need to be current or removed altogether if they are too old. And don't forget to install the latest system security updates, too!

Next, be careful where you surf. If you think it's only porn websites you should stay away from, think again. According to Cisco's 2015 annual security report, U.S. aviation/travel websites top the list of industries hit by malware, with a risk factor of 5 (meaning you're 5 times as likely to get hit), followed by media websites at 2.8. Other popular places to get hit with malware are torrent and pharmaceutical sites, meaning that if you are trying to do something illegal like download movies or buy cheap Viagra without a prescription, you're likely exposing yourself to trouble.

Speaking of exposing yourself, while pornographic websites are a popular source of malware infection, Symantec noted in 2012 that many phishers have moved on to less secure targets, particularly Christian or religious websites. (Many of the most popular porn sites like PornHub and XHamster say they want your repeat business and claim to vigorously fight against hacks; some say it’s the “fake” porn sites that are the source of most malware.)

Best Secure Browser and Extensions

Generally speaking, when it comes to surfing the web, you have four main choices: Chrome (from Google), Firefox (from Mozilla), Internet Explorer (from Microsoft), and Safari (from Apple). And, generally speaking again, they will all keep you reasonably safe from phishing and malware. Still, many experts feel that when it comes to enhanced security features, Chrome stands apart from the rest.

Chrome updates every 15 days and is based on an open-source platform, so vulnerabilities are often found and patched much more quickly. It also has a default safe browsing mode that gives the user a warning screen before visiting any possibly malicious websites.

[Screenshot: Chrome Safe Browsing warning page. Source: google.com]

Another nifty feature is URL autocorrect, which helps prevent typosquatting, a phishing trick where thieves buy up misspelled URLs. (As we previously discovered in an article on link manipulation, 80% of misspelled URLs send the user to a phishing website.) Chrome also has a sandboxing feature, which prevents malware installation, and lets you disable JavaScript, which can reduce vulnerabilities; you can toggle it back on for specific trusted websites.

Regardless of the platform, to stay as safe as you can, you might want to add some anti-phishing extensions. Some current popular add-ons include Bitdefender, a cross-browser app that includes a link scanner for Facebook and Twitter, and KB SSL for Chrome, which makes sure you are connected to websites via an SSL (secure) connection whenever possible.

The bottom line is: Don’t download any videos or software from any illegal websites and think twice about clicking a banner ad, especially if it seems too good to be true (Free iPad, anyone?). Make sure your Flash and Java are always up to date, and have some kind of virus protection installed on your computer.

To test the vulnerability of your co-workers or employees, we encourage you to sign up with SecurityIQ and create or send phishing emails designed like the ones shown above. Knowledge is power and is the only way to truly keep you safe from hackers, scammers, and thieves.

Be Safe

Stephen Moramarco

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
