Introduction
This post describes a super easy way to avoid falling prey
to phishing and spear-phishing. While
I’m at it I’ll explain about ransomware and botnets so you can sound impressive
during fishing trips and/or ladies’ luncheons. I’ll even provide a real-life example of a
recent situation requiring me to apply my method.
A couple of quick notes: 1) You cannot get a virus by reading this blog or clicking on any link within it, ever; and 2) I actually did my homework on this post, and ran my anti-phishing technique past the Chief Information Security Officer of a giant corporation, who gave it her blessing.
Some terminology
In a previous post, I covered plain old spam, which is simply unsolicited e-mail that doesn’t even pretend to be personal. For example, the subject line is “Enhance your male member!” The sender hasn’t targeted you based on knowing anything about your, uh, membership … from the sender’s perspective, every man should enhance his male member! (And if a woman receives this message, no harm done—she can just forward it to the man in her life.) Spam is basically electronic junk mail.
Phishing is an attack on your computer which relies on you clicking
on an embedded link or opening an attachment, which either loads a virus directly
on your computer or takes you to a bogus website that attempts to lure you into
disclosing personal information. Phishing
messages are usually blasted out like spam, though the sender will often
pretend to be a company you do business with, such as your bank. There’s usually a sense of urgency, something
like “Account locked – update password!” (i.e., “Tell us your old password,
sucker!”).
Spear-phishing is more targeted and requires the sender to find out stuff about you in advance (e.g., through social media) to make the e-mail look more realistic. Is it important to differentiate between regular phishing and spear-phishing? Probably not. I think the latter term was contrived mainly to help security experts sound cool.
Ransomware is a computer virus that encrypts your computer’s
entire hard drive, so that only the fraudster can decrypt it, which he or she
will only do upon being paid a ransom. (A
criminal with no hacking skills can actually buy “exploit kits” from the fraudsters
to carry out his own attacks.) Ransomware
is one of the biggest reasons to be careful with your e-mail.
You know how vampires and zombies can make you one of their
own by biting you? Similarly, computer
viruses can take over your computer and use it in a separate attack. Such an infected computer is called a bot,
and when hundreds or thousands of them are herded together to mount a
large-scale attack, you’ve got a botnet.
(Think of it as an online zombie apocalypse.) Note that as more devices—not just computers
and phones but thermostats, security cameras, DVRs, etc.—are connected to the
Internet, they become targets for botnet attacks as well. In fact, they’re ideal candidates because they’re
often cheaply made, poorly designed, and lack security. They’re like really dumb zombies.
How to survive phishing attacks
My phishing survival technique employs a single simple
rule: if an e-mail appears to be from
any bank (even yours), or any other business with which you have an account
(e.g., a utility), automatically assume it is a phishing attempt and just delete the e-mail. You can apply this rule even before opening
the message. It’s that simple. The decision tree looks like this:
There is a very small risk, with such a broad rule, that
you’ll miss a legitimate e-mail from your bank, but a) it’s better to be safe,
and b) remember, your bank knows how to reach you! They have your money and are very resourceful
about getting their business done. In
general, they prefer to phone you or send postal mail because they hate
phishing as much as you do and have no interest in training you to fall prey.
The one blanket exception would be account statements. If you signed up for electronic statements
and receive them on a predictable schedule every month, and these statements provide
account information without asking you to do anything, you’re probably fine.
As for these “Oh, no, you need to do something!” messages, keep
in mind that if there’s really something wrong with your account—like your card
number has been compromised, for example—that’s ultimately the bank’s problem. They are on the hook for the cost of the
fraud, so let them do the heavy lifting.
If they can’t be bothered to pick up the phone or mail you a postcard,
they can face the consequences. (For
what it’s worth, my card number has been compromised a number of times, and in
no case did I get an e-mail.)
All of this being said, I recently decided to amend my very
simple rule. If you’re interested in my
amendment, read on. If you’re already
bored and/or have no problem with the simple rule outlined above, you’re
done—goodbye! Go get on with your life!
Sometimes it’s not quite that simple
What if you made a purchase that falls well outside your
normal pattern of behavior? For example,
you just made a purchase for $2500, and the largest purchase you’ve ever made
previously with this card was $1000? Or
what if you normally shop at J. Crew and Brooks Brothers, and one day get a
ghetto impulse and buy something at J.C. Penney? If you do something outside of your norm and
then immediately receive an e-mail purporting to be from your bank, you might
consider evaluating it further.
I got an e-mail recently from slcfraud@aexp.com titled “Your Corporate
Card.” This “From” address and subject
line didn’t look obviously wrong. The
capitalization in the subject line, “Your Corporate Card,” was a bit odd, but
not obviously wrong (e.g., it wasn’t “Security fraud alerted corporate card!!”
or “Account info updating needs!” or some other butchered English). The return address, slcfraud@aexp.com, struck
me as feasible, though these things can be spoofed. Only because I half-expected Amex to choke on
a recent transaction, I decided to open the e-mail:
Note how it’s in plain text with no logos or anything. That might seem a bit odd, but actually it’s
completely okay. Fancy logos and
formatting are methods hackers use to make their e-mails look legit. Don’t be fooled! It’s far easier to manipulate graphics and
logos and such than to say the right things, in perfect English, in an
e-mail.
This brings us to my analysis of the grammar etc. in the
e-mail itself. There is a stray bracket
in the message (toward the end:
“Corporate Payment Services}”).
That’s a bit spotty, and such things should be considered
suspicious. There’s also a dangling
participle: “In order to assist you in a
timely manner, please call us at the numbers provided rather than responding to
this message.” (The first clause refers
to them—i.e., they would be assisting you—but the second clause refers to you; i.e.,
here’s what you should do.) Certainly
this is bad grammar, but it’s the kind of error a native speaker would
make—even an Amex employee. It’s not the
kind of error made by dastardly foreign hackers who hate America. Even still, as a general rule I would
normally delete this e-mail on the basis of this, or any, grammatical
error. If this makes extra work for your
bank, shame on them for filling corporate communications positions with people
who can’t write a decent sentence.
All of this aside, there was one fundamental characteristic
of this e-mail that caused me to take it seriously: it didn’t ask me to click on anything, and it
suggested I call the toll-free number on the back of my Amex card. That is exactly the kind of action a bank would
legitimately ask you to take, and dialing this number is an inarguably safe
thing to do. (I cannot imagine how a
hacker could print a fraudulent toll-free number on the back of my card. He would need physical access to my wallet,
in which case he would presumably have no need to do anything online.)
I did note that the number provided in the e-mail didn’t
match the number on my card, but it’s not uncommon for a financial entity to
have multiple toll-free numbers. You
should never dial a toll-free number provided in an e-mail. While that’s not as obviously dangerous as
clicking on a link in an e-mail, it could still get you in trouble. What if you reach a voice-response system
that sounds authentic, and asks you to enter your card number? That would be an easy way for a fraudster to hack
your account. Always go with the phone number
printed on your statement or card.
Based on the e-mail above I called Amex, and sure enough,
they had locked out my card because my last transaction looked suspicious to
them. During the call they authenticated
me based on my caller ID, and accurately described the suspicious
transaction. I told them it was legit,
they unfroze my account, and all is well.
So: does this mean
opening the e-mail was a good idea? No,
not really. If I had my life to live
over, I’d probably have deleted the e-mail and just called Amex. The slightly more complicated decision tree
is this:
How common is all this, anyway?
Is this much ado about nothing? Actually, I think this stuff is important
because phishing is so rampant. Looking
in my junk mail (i.e., messages my ISP determined were fraudulent), I see the
following:
- 2 messages from Apple on 2/11 saying “Your account is locked”
- 3 messages from my regular bank between 2/3 and 2/9 saying “Action Required”
- 1 message from my Visa card issuer on 12/21 saying “Notification ID: 2591912…”
- 1 message from Apple on 11/07 saying “Apple Inc | Security notice”
- 1 message from PayPal on 10/27 saying “Your PayPal account ha…”
Address book phishing
I’m not aware that the phrase “address book phishing” has
any widespread meaning, but I’m talking about viruses etc. that replicate by
forwarding themselves to everybody in the victim’s e-mail address book. If your ISP lets these through, it can be
tricky spotting them. Here are a few
ways.
Message is unexpected – Often I’ll get an e-mail from
somebody I know, but who very seldom e-mails me. For example, my friend’s wife e-mails me every
so often and has done so for years. Why
would she? Either her PC’s got a virus,
or she’s trying to start an affair.
Either way, my reaction is the same:
delete that message! If she
really needs to contact me she’ll surely find another way.
Here’s a true story:
my wife e-mailed my brother several times to ask about some bike thing
she wanted to buy me for my birthday. My
brother didn’t respond, either because he suspected phishing, or was just
really behind on e-mail. So the next
time my brother called me on the phone, my wife intercepted the call and,
before fetching me, said to my brother in a low voice, “Call me!” He was totally
perplexed, and she eventually had to call him herself.
Subject line is missing or suspicious – Of the four
bogus messages I received recently purporting to be from friends, three have no
subject line at all and the fourth has the subject line “RE: ” with nothing
else. The lack of a subject line is usually
a giveaway unless you have really lazy friends.
Other suspicious subject lines would be the sender’s name, your name, or
something insanely generic like “Hello.”
(If I e-mail a friend just to say hi, I’ll say something a bit more
specific, perhaps involving an inside joke.)
Text of message doesn’t read right – Say you’re
fooled into opening such an e-mail and now have text to look at. The hardest thing for fraudsters to get right
is grammar (either because they’re foreigners or because they’re stupid). If your friends use terrible grammar and
spelling, I recommend you find some better friends. Otherwise, be very careful with messages that
don’t read right.
If, for whatever reason, you decide not to open an e-mail
that appears to be from a friend, it never hurts to create a new message,
address it to the friend, give it a subject like “Suspicious e-mail…” and ask
if he or she e-mailed you recently. You
can leave the original message in your Inbox while awaiting a response (unless
you’re afraid you’ll open it by accident, like if your software is set up to
automatically move from one message to the next).
So, here’s a more complete flowchart of how to handle
messages:
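The bank rule from “How to survive phishing attacks,” its amendment for an out-of-pattern purchase, and the address-book heuristics above can be written out as a single decision procedure. The Python below is an added example and not code from the original post: the financial-domain list, the address book, the four sample messages, the phone-number and link patterns, and the action names are all constructed here for illustration, and it handles plain-text e-mail only.

```python
"""The post's triage flowchart as code. Added example; all lists and messages are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed lists; in practice these are the reader's own banks and contacts.
FINANCIAL_DOMAINS = {"aexp.com", "examplebank.com", "paypal.com"}
ADDRESS_BOOK = {"friend@example.org", "brother@example.net"}
# Subject lines the post calls giveaways: missing, a bare "RE:", or insanely generic.
GENERIC_SUBJECTS = {"", "re:", "hello", "hi"}

URL_RE = re.compile(r"\bhttps?://|\bwww\.", re.IGNORECASE)
# US toll-free style numbers (1-8xx-xxx-xxxx); the rule is to ignore any number in an e-mail.
PHONE_RE = re.compile(r"\b1[-. ]?8\d\d[-. ]?\d{3}[-. ]?\d{4}\b")
ASKS_FOR_ACTION = re.compile(
    r"\b(update|verify|confirm|log ?in|click|locked|action required)\b", re.IGNORECASE)


def _body_and_attachment_flag(msg):
    """Concatenate the text/plain parts and note whether any part carries a filename."""
    text, has_attachment = [], False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    return "\n".join(text), has_attachment


def triage(raw, expected_statement=False, recent_unusual_purchase=False):
    """Apply the post's flowchart to one raw RFC 5322 message; return (action, reason).

    Actions: 'keep', 'delete', 'delete-and-call-card-number', 'confirm-with-sender-first'.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From") or ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    subject = str(msg.get("Subject") or "").strip().lower()
    body, has_attachment = _body_and_attachment_flag(msg)
    has_link = bool(URL_RE.search(body))
    phone_note = "; ignore the number in the e-mail" if PHONE_RE.search(body) else ""

    # Rule 1: anything from a bank or other business you hold an account with is treated
    # as phishing; the one exception is a scheduled statement that asks you to do nothing.
    if domain in FINANCIAL_DOMAINS or any(domain.endswith("." + d) for d in FINANCIAL_DOMAINS):
        if expected_statement and not has_link and not ASKS_FOR_ACTION.search(body):
            return "keep", "scheduled statement that asks for nothing"
        if recent_unusual_purchase:
            return ("delete-and-call-card-number",
                    "out-of-pattern purchase; call the number printed on the card" + phone_note)
        return "delete", "claims to be a financial institution; they know how to reach you" + phone_note

    # Rule 2: mail from a known contact may be malware mailing itself to their address book.
    if addr in ADDRESS_BOOK:
        if subject in GENERIC_SUBJECTS or subject == name.lower() or has_link or has_attachment:
            return ("confirm-with-sender-first",
                    "generic subject, link or attachment; send a fresh message asking if they wrote")
        return "keep", "expected-looking message from a known contact"

    # Rule 3: a stranger's message only bites if there is something to click or open.
    if has_link or has_attachment:
        return "delete", "unknown sender with a link or attachment"
    return "keep", "unknown sender, nothing to click or open (plain spam at worst)"


# Constructed messages, modelled on the ones the post describes (not copies of them).
BANK_ALERT = """\
From: Corporate Payment Services <slcfraud@aexp.com>
Subject: Your Corporate Card

Your card has been locked pending review of a recent charge.
In order to assist you in a timely manner, please call us at
1-800-555-0100 rather than responding to this message.
"""
STATEMENT = """\
From: Example Bank <statements@examplebank.com>
Subject: Your January statement is available

Your statement for January is now available in online banking.
Closing balance: $1,234.56. No action is needed.
"""
FRIEND_WORM = """\
From: Friend <friend@example.org>
Subject: RE:

http://example.invalid/see-this
"""
STRANGER_LINK = """\
From: Support <noreply@example.com>
Subject: Notification ID: 2591912

Click here to verify your account: http://example.invalid/verify
"""

if __name__ == "__main__":
    for label, raw, kw in [("bank alert after an unusual purchase", BANK_ALERT, {"recent_unusual_purchase": True}),
                           ("scheduled statement", STATEMENT, {"expected_statement": True}),
                           ("friend, bare RE:", FRIEND_WORM, {}),
                           ("stranger with link", STRANGER_LINK, {})]:
        action, reason = triage(raw, **kw)
        print(f"{label:38} -> {action}: {reason}")
```

Run it directly to see the action and reason for each sample. The structure is the point: the rules look only at who the message claims to be from, whether there is anything to click or open, and whether the subject line is one of the giveaways; the wording of the body is never trusted, and a phone number in the body only adds a reminder to use the one printed on the card.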
Will this approach keep me safe?
Actually, avoiding phishing scams is not enough to keep you safe. We’re probably all eventually doomed, because data breaches of giant databases have become so common. For example, an insurance company I do business with was hacked a while back, and had over 70 million customer profiles compromised, including mine. So, if you screw up and disclose personal information and/or help a virus to spread, you shouldn’t feel too bad.
Still, I guess it’s nice to have a methodology for not being
a complete sucker, and that’s what I’ve
endeavored to provide.