Gone Phishing: The Catch of the Day is YOU!

There are a lot of bad people out there who want to steal your information and your money. I’ve already written multiple articles on why it’s important to have strong passwords. Cracking passwords is pretty mild compared to some of the more insidious ways hackers have of compromising your computer and accounts.

For example, they can control your computer’s camera and secretly watch you while you work.

They can install keylogger software that records every keystroke you make on your keyboard…meaning

they can steal all your passwords as you type them.

They can even get into your hard drive and see/take any files you have.

The good news is that they need to install software on your computer for these things to work. The bad (and really scary) news is that they typically get you to install it for them. Yes. You do it to yourself.

How? You fall for phishing scams, that’s how.

WHAT IS PHISHING?

Phishing is just what it sounds like. Hackers bait a hook and throw it into the great lake that is the Internet, hoping to catch something. But instead of a juicy nightcrawler, they use a juicy email for bait. And instead of catching fish…they’re catching YOU.

The people who do this use a lot of different tactics, but the overall concept is the same: The person who does this (let’s use the term “Evildoer”)…the Evildoer sends you an email with a link. Sometimes there’s a little text involved, but there’s always a link. You click the link and a malicious web site opens in your browser, only you don’t know it’s malicious. And as you’re looking at whatever is there, some malware (i.e., software designed for doing evil things) downloads to your computer and starts doing its evil work.

So let’s recap: They send out the bait, you bite and click the link, and your computer becomes infested with malware.

I know, you’re thinking, “but I never click on anything from someone I don’t know.” And the hackers know this, so they use lots of different tactics to overcome that hurdle. Tactics like these:

• They pretend that you won money. I’m sure you’ve figured out some of these. How many emails from Nigerian princes have you gotten lately? Yeah, I’ve gotten a bunch too. They also use lotteries and inheritances to lure people in. You believe you won something, you click the link, and they gotcha.
• The messages say something like, “this is the cutest thing EVER” or “You’ll never believe this” or “this is hilarious” or “check out this kitten/baby/puppy/girl in bikini” or…well, you get the idea. They make you think that you’re really going to enjoy whatever is on the other side of that link. You click it…and they gotcha.
• The emails say you received some sort of message from someone you know. Electronic greeting card is the most common, but you’ll also see emails that say you have a Skype or WhatsApp message or voice mail. You click the link because you don’t want to miss anything, and they gotcha.
• They look up your email in Facebook, Twitter, or LinkedIn, find out who your friends are, and they use those friends’ names in their emails. In other words, they make it look like the email is coming from someone you know to trick you into clicking it. You think, “Oh, Gertrude always sends the funniest stuff,” you click it, and they gotcha.
• They send out emails to scare you into clicking. I continually get emails that look like their coming from banks that say, “Your account has been suspended. Click here for more information.” They know people are paranoid about having their bank accounts hacked, so they pretend to be a bank reporting fraud. Another one I’ve been getting lately is eviction notices. They prey on your fear, you click the link, and they gotcha.

There are lots of other ways they try to entice you into clicking. You even have to be careful about emails that actually do come from friends and family. If a hacker cracks the email password, they can hijack the account and send bad links to everyone in that person’s address book. A tell-tale sign of this is getting an email with a link but no other message. People generally would at least address you (“Hey Ken, check this out” or something).

I should mention, though, that it’s not uncommon for people you do know to pass along the links. Take, for instance, Heinrich. He’s not too swift. He gets a message saying, “This cat is the cutest thing ever.” He loves cats, so he clicks the link. While the malware is downloading to his computer, he’s fully entertained by this cute cat video. He thinks, “Boy, would everyone I know just love that.” So he forwards the email to everyone he knows. Most of his acquaintances trust him, so they click the link. And while everyone is enjoying their cat video, they’re all getting infected.

SO, WHAT CAN YOU DO?

When it comes to phishing, you need to be vigilant. Some Evildoers are better than others. Some emails are obvious scams, but others are pretty convincing. Here are some measures you can take to minimize the possibility of handing over the keys to the kingdom:

1. Don’t trust links in emails. Unless I can tell that the person sending it is the person who actually did send it and that the site is reputable, I don’t click anything. Even if my mom sends me a link to something “cute” or “funny,” I generally don’t click it. And attached files are even worse. I refuse to open PowerPoint files that people send me by email. It might be a heartwarming tribute to our military…but it might also be infecting my computer.
2. Always look at the “From” email address associated with the email. It might have the name of your best friend, but the email address listed might be Evildoer@malware.kom. Names are super easy to spoof. If you recognize the name, but not the email address, delete the email at once.
3. Banks, credit cards, and other financial institutions will NEVER send you email about a problem. They will call you. Or send you actual mail. Maybe even knock on your door. If you ever get an email that looks like it’s from your bank or credit card warning you of a problem with your account, DO NOT click any links in it. Call the bank and ask them if there is a problem. Chances are that the email was a fake.
4. Use an anti-virus/anti-malware application on your computer and keep it up to date. And you don’t have to pay for these things, either. If you use Windows, you can use the free Security Essentials application from Microsoft. It’s excellent. For Mac, you can use something like Sophos or ClamXav. Both are free. I use Sophos, and it’s warned me a few times about bad links in emails.
5. Use a good web-based email account like Gmail, Yahoo, or Outlook. They have terrific spam filters and malware checkers that will filter out or flag most suspicious emails. Many of these will get the axe before you ever see them.

UPDATE

Within a few hours of writing this article, I received a few phishing emails. I figured I’d post one here so you can see some of the tell-tale signs that let me know it’s a scam.

1. Strange Email: If Global Who’s Who is a “premiere networking organization for distinguished professionals,” then why is it coming from a domain that sounds like a sales organization? Incidentally, I got another email with the exact same text, except the email domain had the word surveillance in it. This is a major red flag, and an instant indication that it’s a scam.
2. Nonstandard Characters: If you look throughout the email, the lowercase letters b, h, and i are from a different character set (the lowercase w is also a little wonky, I think). I recognize the b as part of the Russian Cyrillic alphabet. Not sure what the others are. If this was a legitimate email, it wouldn’t have random foreign characters.
3. Overly General Terms: Oh, they want me to represent my “professional community,” but they don’t list what that community is. If I was getting a real honor like this, they’d probably know what my professional community is. Especially considering the “Director” was so overwhelmed by my credentials.
4. Leftover content from previous years’ scams: It says 2013 edition. But it’s now 2014, and if this was real, such a prestigious organization would probably already be working on their 2015 edition. The scammers just haven’t yet noticed that their script is out of date.
5. Deadline to Click a Link: They need an excuse for you to click a link. This motivation often comes in the form of having to verify information. And they’re trying to justify this request by saying they used secondary information. Yeah, the “premiere networking organization” is determining who gets to appear in this prestigious document by using secondary information. And they manufacture urgency by coming up with a deadline, hoping you’ll be so compelled to take advantage of this offer before time runs out that you forget all the other warning signs throughout the email.
6. The Link: There’s always a link. That’s how they get you to visit the malicious site and download malware. Notice there is no mailing address or phone number anywhere else in the email. This link is the only means they give you for contacting them. This is the kiss of death. Also, you can’t see it in this picture, but if you hover over this link, it shows that it points to a completely different domain (something about cell phone companies).
7. Anonymous Sender: If this was a legitimate email, the Editor in Chief would put his/her name on it, and would include a mailing address and phone number to reach them. Even the Director is anonymous. No names = Not to be trusted.
8. Another Link: They try to pass this off as an unsubscribe link. First of all, why would such a prestigious organization need an unsubscribe link? Second, if you were to hover over this link, it goes to the EXACT SAME web site as the main link. This gives you two different links, for two different actions, that have the same result: you getting malware. And as an extra word of caution: Never click an unsubscribe link in any email unless you know it’s from a reputable source. If it’s from some sketchy site, it will either give you malware or at the least, let them know that there is a human at the other end of your email address.