Built For Designers & Developers

Security: Phishing and Scams

In this article we are going to be talking about two topics, phishing and scams.

Phishing

We will cover what it is, how it works, and what you can do to avoid it.

What

Phishing at its simplest nature is a scam site used to take something – normally passwords or credit card information – from an unknowing victim.

How

It works by using a fake version of a popular website (normally banks) and trying to fool people into entering their login credentials/personal information. Because the user sees what they are expecting, they login per-usual. What they don’t know is, when they entered their private information, it was sent to assailants so it could be used by them maliciously.

How to avoid it

The best thing you can do is not click any links sent to you in emails or personal messages. Links can be made to look legitimate while still sending you to malicious sites. If you get a notice from you bank that you need to check, type the address for your bank’s website directly. This will help prevent the possibility of the URL getting changed/faked.

Remember that people that are using phishing attacks are smart. They will do everything they can to try to get your personal information. Because of this, take everything you get via email with a grain of salt. Phishing attempts are almost always very good fakes (or even copies) of legitimate emails you would normally get. Here are a few things to keep in mind that may indicate a possible phishing attack when reading your emails.

• Good Fakes
  • They will use the verbiage, graphics, and layout of the company they are trying to fake.
• A sense of importance
  • A majority of the time, they will add a notice or warning that says unless you login and do BLANK, your account will be suspended, or you will be fined.
• A handy link
  • Assailants don’t want to make it hard for you to check the notice/warning that was sent to you, so they provide a nice, easy link for you to use to save you time.

Another giveaway is if they don’t use your name. For example, if they use “Deal valued customer”, that is almost always an indicator that it is fake.

You should also keep in mind that it is very easy to fake an email address so that it appears to be coming from a trusted source. Never trust an email because it came from [email protected] (where mybankexample.com would be replaced with the bank you use).

Remember; avoid clicking any links sent to you via email. If you need to check something, type the website address in yourself.

You should also be aware of the signs that may indicate that the site you are browsing is a fake.

• If your site has a secure https connection, make sure you look for it. Most phishing sites won’t have a https/ssl , however this is not always the case.
• If you use a password manager, and it does not auto fill the login credentials like it normally does, stop. Take a moment to re-type the address into the browser. While it may not be their intended purpose, password managers can sometimes be a good indicator if something is off. However, it is possible that the site design/code has changed, causing the password manager to not work correctly on that site anymore.
• Check the address bar! Assailants will sometimes use sub-domains to try to fake the first part of the URL. For example, https://examplebankfirst.com/ could look something like http://examplebankfirst.foo.com/. If you look quickly, it seems to match, however, if you take a moment to look at it, you can see it’s a sub-domain of foo.com. Also check the domain extension (.com, .org, .edu, etc). Depending on where you live, most sites will use .com or other popular top level domain extension. If you see an unusual extension (.au, .nz, .tk, .ae), it could be possible that it’s a site setup for phishing.  Please keep in mind that URL’s are not always a reliable method of checking to see if a site is a fake. There are ways of masking the URL to make it appear to be something it’s not. Because of this, make sure you check other signs.
  • Common Fake URL’s
    • http://exmaple.com/wp-contents/examplebankfirst
    • http://examplebankfirst.tk
    • http://examplebankfirst.example.com

If you are ever in doubt, stop. Spend an extra 5 seconds to re-type the address by hand.

Scams

We all get junk mail from time to time. Here are a few surefire ways to test if the email you received is a scam or not.

• Free Money
  • You just got an email regarding an inheritance that was given to you by a no-name stranger. This is a fake. In situations like this, if it was real, they would contact you in-person or via postal mail.
  • A person wants you to “hold-on” to a large amount of money for them while try do BLANK. Again, this is always a hoax used to get your account and routing numbers so that they can take your money, not give you it.
  • You won! Unfortunately, no we did not. The $200,000,000 jackpot that the email said we won is a total fake.
• Survey Requests
  • These can be harmless on the surface, however the fake ones will almost always ask for personal information to either “validate” your survey answer, or to check the “demographics” of the people that fill out the survey. Be safe; don’t fill out any survey requests sent to you by random people over email.
• IRS/Government
  • You failed to pay your taxes! No, I am sure your taxes are fine. However scammers will take the fear of fees and penalties to try to get you to fill out a form at a phishing site.
  • In most government situations, they will never send you emails regarding important, personal, notices. If you are ever in doubt, call them directly (Don’t use the number listed in the email – look it up yourself).
• Work-at-home
  • Congratulations! You were just offered a nice work-at-home job offer that pays 3x as much as you are making now. Unfortunately, this is almost a guaranteed scam.

This is just a small number of examples. In summary, just be mindful of what you read and keep the fact that scams are out there in the back of your mind.

This concludes this section of our security series.