If Something Smells Phishy, It Probably Is

“Phishing” is defined by the United States Computer Emergency Readiness Team (US-CERT) as “… an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques.”  Much like “fishing”, “phishing” also involves setting the trap and waiting for their potential victim to take the bait.

Phishing comes in many forms. The most common type of phishing attempts are in the form of an email.  However, victims could also be the target of spoofed social media accounts, malicious websites, or unsolicited phone calls.

Emails will sometimes appear to have been sent from a friend, or acquaintance. In other instances, it may appear to be from your bank or a store where you shop. It could have a concerning subject line (e.g. "Deposit Returned" or "Purchase Complete"), indicating that something major has happened that needs your attention. The email may have either an attachment or a seemingly legitimate link in the body of the message.   Also, the message may address you by your email address, as "customer" or  “friend”, but often not by name.  Opening a malicious attachment may result in malware (malicious software) being installed on your PC.  Clicking on a link may take you to a malicious website,  often purporting to be a bank or store site. Often these sites will request your login or personal information, such as your Social Security Number or Bank Account Number.  Avoid clicking links or opening attachments you were not expecting, no matter “who” may have sent it.  Always check with the purported sender of unusual correspondence through other means (for example, a phone call to the friend or by separately visiting your bank's website to check your account activity).

Malicious websites often masquerade as the legitimate web presence of well-known and respected companies and groups. Through clever use of Search Engine Optimization and capitalizing on common spelling mistakes, these sites can end up at the top of a search engine's results. These often official-looking sites can be designed to convince the unwary user to send sensitive information, such as passwords, credit card numbers, or account numbers.  These sites may also spread malware to your PC to capture keystrokes or even provide the attacker remote access. 

Through social media, accounts can be “spoofed”.  Phishers can create accounts which appear to be people you know or with whom you are friends . These accounts can be set up to retrieve personal information from your social media account. They may also target you or people connected to you with pleas for assistance,indicating they are in trouble or in need of money or other assistance, victimizing multiple people with their fraudulent claims.  These accounts may have familiar names, places, and events at the ready in order to “prove” they are connected to you in some way.

Phishing by phone often utilizes social engineering tactics in order to prey on willingness to help, fear of consequences, or willingness to follow instruction from an authority. An attacker may claim to be from a government agency, such as the IRS or the FBI. They may claim to be from a reputable company, such as Microsoft, or from a bank or financial institution. They may claim to be warning you about your computer being infected, that your taxes are overdue, or that you are being taken to court. They will often try to pressure you into surrendering personal information or paying a "fine" or "fee" for some alleged problem or transgression. 

In all cases, never provide sensitive information via phone/email/website without verifying who has contacted you.  Avoid clicking on unexpected attachments/links, even if the sender “seems” legitimate.  Contact the  person/group/business and verify they had contacted you directly.  If a company has contacted you, they should have record.  If the contact had not been legitimate, provide as much information as you can to the party who had been spoofed so they may take action to prevent another person from being victimized.  Also consider reporting the incident to the Federal Trade Commission at: https://www.ftccomplaintassistant.gov

[Reference:  https://www.us-cert.gov/]