Tuesday, October 30, 2012

Online Self-Defense - Part 4 of 3 - Don't Phall for Phishing!

   I said in part 1 that this would be a 3 part series, because everything comes in 3's.  Well... it's still Cyber Security Month and I would be remiss if I didn't write about phishing.  So we'll just call this part 4 of 3!  Here are parts 1, 2 and 3.

   As you probably know, phishing refers to an attempt to fraudulently get your personal information by masquerading as a trusted source. Examples include: a fake email that looks like it came from your bank; a fake fraud warning message that looks like it came from your credit card company; or a distress message that looks like it came from a "friend" asking for money.

   In the past, phishing emails commonly had poor grammar or other obvious mistakes, but the phishers have become more polished.  It can be difficult to tell the difference between legitimate and fraudulent emails. Try one of these phishing quizzes.

   Remember that legitimate businesses will not ask for your personal information via email.  If an email asks for personal information, or threatens that an account might be closed if you don't confirm personal information, it is likely phishing.

   Phishing is not limited to email.  There is phone phishing, social network phishing and even postal mail phishing.

   Here are the top 3 easy tips to avoid phishing traps.

1. Look before you click - just like the first tip from last week's post, the first thing to do before clicking on a link, especially one in a suspect email, is to "mouse over" the link. That means you just move your mouse so it's on the link, but don't click yet!  Your browser will display the address to which the link will lead.  This displays at the bottom of the browser.  The actual link in the display should make sense and be the location you're expecting.  If not then... don't click!

2. When in doubt, check it out - if you do click on a link you were sent via email, social networking message or text, and it asks for personal information... don't provide it.  Instead, you should contact the organization via a known website or phone number.  For instance, you can look up the web address or phone number on a bill you receive or even use a search engine.

3. Don't call us, we'll call you - don't forget about phone calls.  If someone calls you and asks you to "verify" personal information, how do you know who is on that call?  The answer is that you don't.  Caller-ID is easily spoofed.  Even if they say it's your bank or credit card company calling to verify possible fraud on your account, hang up.  Then look on a bill or a credit/debit card, or look up the number and call that.  Worst case... it takes an extra 5 min. to resolve the issue.  Best case... you've avoided fraud and alerted the institution to the problem!

   As with the other posts in this series, if you can try the tips above, you will be much safer than the average web-surfer.  If you'd like to raise the bar further, here are some more tips to try.

4. Use protection - malware and system protection that is.  There are a variety of free or reasonably priced anti-malware, firewall and filtering products available.  See part 1 of this series.  Also StaySafeOnline.org and OnguardOnline.gov have good sections on computer protection.

5. Don't enter personal information in a pop-up screen - sometimes a phishing link may direct you to an organization's legitimate website, but also pop a separate screen created by the scammer asking for personal information.  You can use pop-up blocking features of your browser or anti-malware software to help prevent this.

6. Use care with email attachments - are you expecting that email attachment?  Does the context make sense?  Scammers get people to install malware by using malicious attachments.  If you didn't expect it, don't open it.

And one more important tip:

Report it - if you think you gave out personal information, passwords or PINs to a scammer:

  • notify the relevant companies with which you have accounts,
  • consider putting a fraud alert on your file at the credit bureaus and,
  • contact the FTC

See information on how to do this at the FTC's website.

   And if you do recognize a phishing or scam attempt, you can contact the target company as well as report it at www.fraud.org.

   Have you had any encounters with a phishing attempt?  If so, what tipped you off to the scam?
