Tuesday, July 2, 2013

Want someone's password? Just ask!

   SC Magazine recently put out an article entitled "More users than ever experiencing phishing attack attempts".  According to the article, phishing attacks are on the rise.

   Phishing is simply any kind of communication intended to extract information, typically personal information, from someone.  The scam usually tries to get the victim either to visit a malicious website or to hand over their information directly, via a reply to the attacker or in an online form.

   Years ago, phishing emails were easy to spot.  They typically used obvious From: addresses, poor grammar and spelling, clearly misleading URLs, and an overall poor imitation of a legitimate organization's communication.

   But, as is often the case, the phishers have gotten better.  The emails look legit, the grammar and use of language are good, and the links often go to realistic-looking, but malicious, sites.  And email isn't the only delivery method.

   So, how do we avoid, and help others avoid, these attacks?

   Among the fastest growing phishing channels is social media.  People are more likely to click on a link when it comes from a "friend".  Of course, most people don't actually know all of their social network connections in person.  And social media accounts are compromised as often as email accounts.

   This is further compounded by the need for link shorteners, either because the service has a character limit, like Twitter, or simply for brevity on Facebook and other sites.  I wrote about link shorteners and safety here.

   While those shortened links can be problematic in social network phishing messages, there's another wrinkle... SMS, or text message, phishing.  These are similar in nature to email phishing messages but are shorter and provide even less context than email.

   Text/SMS messages are read on cell phones, and social network messages are increasingly read on a smartphone.  Now add a small screen and smaller fonts to the already cryptic links.  People are often busy or distracted while viewing messages on their smartphones, and perhaps more likely to click inadvertently.

   There is also phone phishing.  Attackers call, saying that they are from your bank and need to verify your personal information.  Or they are from the "help desk" and need to verify your user ID and password.  This is both an easy and, unfortunately, profitable attack.

   So what do we do?  The more things change, the more they stay the same!  Here are two articles from 2005 and 2006 (the latter by TWIT news anchor Tom Merritt), and the advice in them pretty much holds up.

   But to keep things simple (and I'm all about simple!), here are my top 2 tips to avoid phishing attacks:
  1. Don't click!  Just don't.  Type or copy/paste a known, good URL, or start from the site's main page and work down to the page you need.
  2. Don't give out personal information unless you initiated the conversation.

   One good way to store URLs for the sites you need, and increase the odds of getting to the legit site, is to keep them in your password vault!  I've written about the use of vaults here and here.

   So let's be careful out there.  And if we do get the Fishin' Blues, let's keep it to the Taj Mahal variety!

   What tips do you have to help people avoid phishing attacks?
