This morning my bleary eyes focused on the top email in my inbox with the subject: “Immediate Action: Your Mailbox Size Notification.”

The email was simple and to the point.

“Your email account has used 23.7 GB (95%) of 25 GB.

You will be unable to send and receive messages if you do not reset your account storage space to a higher limit.

Click the link to reset and validate your account.

http://oregonstate.edu/amiladministrator

Sincerely, OSU Mail Desk Administrator”

This is a phishing attack and if I took the bait by clicking on the link, I could compromise my identity, my money and my data.

Phishing is the use of fraudulent messages disguised as coming from legitimate entities to acquire privileged information.

Phishing exploits trust, worry, and desire to trick people into giving up sensitive credentials such as passwords and credit account details.

A grim finding from an Intel Security survey shows that 97% of people globally are unable to identify phishing emails. Now that is scary.

The most powerful tool in computer hacking is social engineering, the larger category of human manipulation into which phishing falls, and there are numerous sub-categories of phishing.

Spear Phishing is targeted at specific individuals or groups and may contain familiar graphics and Web addresses to trick you.

Whaling is like spear phishing but aims at very large fish, such as a university president or corporate vice president.

Clone Phishing reuses a legitimate email and modifies it to contain the malicious URL.

False Friend is email from someone you know whose account or contact list has been hacked or spoofed and used to generate phishy emails.

Tab Nabbing exploits Web browser tabs to open a tab to a fake page.

Evil Twins are bogus wireless networks that mimic the public networks in airports, libraries, coffee shops, and hotels in order to harvest credit cards and other personal information.

Phishing and social engineering are confidence games, or confidence tricks, and can also occur in text messages, phone calls, Web pages, social media posts, Skype calls and snail mail. Confidence games are very old; read the Iliad for some prototypical instances.

Given that phishing is based in deception and some of the fakes are very convincing, how may time-stressed individuals such as yourself protect against the ruses? The solution comes in two parts: know what to look for and alter your online habits accordingly.

In his book The Prince, Machiavelli gave advice that rings true when protecting oneself against phishing: be like the fox and the lion, the fox to discover the traps, the lion to frighten the wolves; be both smart and strong.

Here are some clues to watch for in order to detect predatory messages.

Asks for too much: computer system administrators never require your username, password, credit card or social security number. Even if sensitive information is genuinely needed online or by voice, you are better off taking an alternate path to double-check the source.

Mismatched links: don’t click on email links, but do examine them by mousing over them, and you will see that phishing emails include linked text that is different from the Web address the link actually points to.

You did not ask for it: a warning, threat or offer comes to you without you having initiated the contact – beware.

Threats and promises: fear, greed and pride are the nuts and bolts of confidence games and when you detect those elements in a message your phishy antennae should perk right up.

Poorly constructed: some phishing messages are expert but most are barely literate and would end up in the reject folder at crappypasta.com. You should know enough to reject them as well. This is one reason why advanced literacy is a practical part of your education.

Cultivate smart habits to protect yourself against predatory messages (see my earlier columns for techniques of habit change) including the following practices.

Slow Down: most phishing threats can be disarmed by separating action from feeling. Phishers rely upon the impulsive actions of their victims, so when an email or related message gives you feelings of urgency, take that as a sign that you need to step away from the mouse and give clarity time to emerge. Much of what feels like an emergency in life – for instance a midterm – is not as big as it seems.

Analyze before evaluating: judging something as bad, dangerous, desirable or important is an evaluation that benefits from analysis. Learning to discern the relevant facts of a situation before evaluating those facts is a fundamental critical thinking skill that will save you from confidence games. It is like looking both ways (analysis) before crossing the street (judgment).

Research the claims: What is the message seeking from you? What does it claim to be? What evidence do you have for these claims? A great way to check any message for phishing is to copy the message text and paste it into a Google search. It took me less than ten seconds to do so with the email that I received this morning (see above), and my search returned hundreds of posts identifying the fraud. This method directs analysis to a safe and useful action.

Never link from an email: Once when I was little I put my finger in a stapler just to see what would happen. Once I clicked on a link in an email just to see what would happen. I have not done either of those things ever again.

Never reply with personal information: Todd Davis is CEO of Lifelock, a personal identity protection company. To promote his product, Davis gave out his social security number on television and the Web, claiming that Lifelock would prevent identity theft. Within months his identity was compromised 13 times, including fraudulent loans, credit cards, and gift basket purchases. Don’t be like Davis: do not give out your social security number, passwords, credit card information, or other personal information unless you are very sure whom you are giving it to.

Be network selective: be very careful about using personal information on public networks such as those in coffee shops and airports, because you may expose it to an evil twin or a Wi-Fi sniffer.

Do not reply at all to suspects: do not reply to phishing or spam messages because even selecting the unsubscribe link will verify your email address and invite more malicious attacks.

Use your junk mail, spam filters and security programs: get familiar with your self-defense tools and use them effectively. Look into Google Safe Browsing for Chrome and Firefox. The OSU Computer Walk-Up Help Desk in the Valley Library and the OSU Computer Help Desk at 541-737-3474 will help you become an internet ninja.

Report phishing: the OSU Helpdesk has a feedback form by which you may report phishing messages. See jondorbolo.com for resource links. Reporting helps the community address phishing and makes you more aware because you become an active participant.

Stay informed: security specialists like McAfee Labs, Symantec and Norton are reliable sources on phishing threats and defensive strategies. Being aware of the threat environment and current protective measures is a source of personal power. The OSU Computer Helpdesk has extensive online resources on phishing, including effective breakdowns of actual examples plus no-cost security software and help in using it.

Don’t be paranoid: be smart and safe but please do not let this information make you more fearful or cynical. With reason, knowledge and habit adjustment you can be cyber-secure. The key to a better life is learning to see a better world.

For more depth on phishing and other malicious hacking phenomena, consider two sources that I drew on for this column.

Phishing Dark Waters, Christopher Hadnagy (2015, Wiley).

The Art of Deception, Kevin Mitnick (2007, Wiley).

Please send your experiences with phishing to me at drtech@oregonstate.edu.

Image Acknowledgements

Spear-Phishing.jpeg
https://blog.knowbe4.com/tech-firm-ubiquity-suffers-46m-cyberheist

4894714911_42f0f50f72.jpeg
https://www.flickr.com/photos/35484468@N07/4894714911

c7bc35f579799a5973f2b66937bcd3af.jpeg
http://www.amazon.com/The-Prince-Dover-Thrift-Editions/dp/0486272745

7557181168_91f4af2d99_b.jpeg
https://www.flickr.com/photos/61423903@N06/7557181168
