Catching unsuspecting prey
The goal of the boat captain is to catch as many fish as possible using all of the tools available to him. Living in a fishing community, I’ve seen the evolution of fishing techniques and tools to help the captains locate and catch fish. In the old days, captains used landmarks and compasses to mark fish beds and locations. That evolved to LORAN and SONAR and now to GPS positioning. Better, more sophisticated technology and techniques help fishermen catch their unsuspecting prey.
Phishing, not fishing
Much like their aquatic counterparts, online hackers are using their own increasingly sophisticated Phishing (why Phishing? Because computer nerds like odd spellings and puns) attacks. These attacks come in via email to try to lure you into giving them your personal information. Basically, hackers know it takes a lot of time and effort to try to forcefully break into your computer and online accounts. So instead, they try to trick you into giving them your personal stuff – much easier that way.
Here is an example of a fairly well-crafted Phishing attack I received. You’ll notice that it uses official Bank of America logos (loaded from Bank of America’s own Website) to make the email look even more legitimate. Also note the ‘helpful’ links to other Bank of America services; these all point back to Bank of America! This is another method of lulling you into feeling safe.
Clues
One of the first things I noticed was the email address at the top was fake. Even though the first part says “Bank of America Corporation. All rights reserved.” notice the highlighted actual email address:
Clue #1 – not an actual Bank of America email.
I could have stopped there, but curiosity always kicks in and I wanted to see what the actual malicious Website was. By hovering my mouse over the ‘View And Invoice Details here’ (that is also a red flag – bad grammar and usage. Clue #2) I see that someone’s Website had been compromised and was the source of the attack: (Name obscured to prevent embarrassment).
Clue #3 – the link doesn’t have anything to do with Bank of America and it is a weirdly formatted link. Note all of the extra characters after the .com. That is very much out of the ordinary.
By now I knew beyond a shadow of a doubt that this was a Phishing attack. Bad grammar, incorrect email domain address, links to non-Bank of America sites – no doubt about it.
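The checks behind Clue #1 and Clue #3, as an added example that is not part of the original post: a short Python script that compares the sender's domain and each link's host against the domain the email claims to come from. The sample message, its addresses and its hosts are constructed placeholders, and `host_in_domain` and `check_message` are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: display name imitates the bank, address and link do not.
SAMPLE = """\
From: "Bank of America Corporation. All rights reserved." <notice@mailer.example.net>
Subject: Invoice
Content-Type: text/html

<html><body>
<a href="https://www.bankofamerica.com/privacy/">Privacy</a>
<a href="http://compromised-site.example.com/wp/x7/a9f3k2/?id=83hd72&tok=zz91">View And Invoice Details here</a>
</body></html>
"""


def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_message(raw, brand_domain):
    """Return (kind, value) findings for a sender or link outside brand_domain."""
    msg = message_from_string(raw)
    findings = []

    # Clue #1: ignore the display name, look at the real address.
    _display, addr = parseaddr(msg.get("From", ""))
    if not host_in_domain(addr.rpartition("@")[2], brand_domain):
        findings.append(("sender", addr))

    # Clue #3: the visible link text proves nothing; check where href points.
    # Links with no host at all (relative links) are flagged too.
    for href in re.findall(r'<a\s[^>]*href="([^"]+)"', msg.get_payload(), re.I):
        if not host_in_domain(urlsplit(href).hostname, brand_domain):
            findings.append(("link", href))
    return findings


if __name__ == "__main__":
    for kind, value in check_message(SAMPLE, "bankofamerica.com"):
        print(f"suspicious {kind}: {value}")
```

The legitimate "Privacy" link passes while the sender and the invoice link are flagged, which is why genuine logos and helpful links in the same email say nothing about where the one important link leads.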
So what now?
At this point, even though I’m always curious what might happen, I always permanently delete the email (Shift + Del) so that there is no way I accidentally click on something and get myself in trouble. I highly recommend that you do too. People often ask me, “Should I alert my local Police department or FBI?” While that seems like a reasonable thing to do, unfortunately local law enforcement officers are not going to be able to do much, especially if you haven’t been defrauded. It is also something most of them are not familiar with and it is very much out of their training and comfort zone.
Even in cases where you have been compromised or given away bank information, the police are not in a position to assist, but your banking institution is. If you have given away the keys to your purse, your first call should be to your local bank. Tell them exactly what happened, the approximate time and amount. Ask them to cancel your credit card and issue a new one. Do not ever give out your bank account information unless you know for sure the Website is legitimate.
More things to avoid
Here are a couple more examples of “things you do not click.” The last one with the ‘ShareFile Attachment’ is a link to a ransomware site. If you really want to ruin your day (and ours too!) click on this type of link and watch all of your work, and potentially the work of others, go away. Someone we know posted a job opening and shortly after received an email with a resume attached. Knowing they were looking for someone, they opened it and boom – ransomware took over their PC and backup drive and encrypted all of their files. For them, there was no recovering them. An offsite backup recovered some of their files but not all.
Always be suspicious, even when it is something you are expecting. Hover over the links and do a quick sanity check. If the links don’t look right, do not click. Forward them to us or your current IT support group. It only takes a minute for us to check it out for you and not checking can cost you a lot.