Because holiday expectations weren’t high enough for parents masquerading as the Easter Bunny or Elf on the Shelf, the latest craze is now centered around St. Patrick’s Day, giving parents the new role of leprechaun. Setting leprechaun traps the night before St. Patty’s has emerged as the newest trend for kids hoping to discover where the mighty leprechaun has hidden his pot of gold – or at least hoping to snag some chocolate coins.
But there is another trap you should be wary of, and that’s the one hackers are setting for you right now. A phishing trap.
First of all, let’s clear up what phishing is for those of you who aren’t sure. Phishing is a psychological attack used by cyber criminals in order to trick you into giving up personal information or taking action. Phishing has developed over time. The term initially described email attacks that would steal your username/password information. Phishing now refers to any message-based attack, whether that be email, IM, or on a social media network.
How it Works
A cyber attacker will send you a message that appears to be from a reliable source, prompting you to open it. There will then be some sort of call to action whether it is a link, an infected attachment or responding to SPAM. Once you take the bait, they will be able to access your information, putting you - and potentially your firm - at high risk.
Phishing vs. Spear Phishing
In traditional phishing, cyber criminals send out messages to millions of users trying to infect as many users as possible. Spear phishing, however, is very targeted. Attackers will do extensive research on all of your profiles and accounts, as well as anything that is posted on a public form or blog. They will then send you a customized message that will most likely lure the desired target (read: you).
Signs to Look Out For
Check the sender email address for all emails you receive. If the email appears to be from a legitimate organization but the address is a personal account (Gmail, MSN, Hotmail, Yahoo) it is probably an attack. Oftentimes the email domain will be missing a letter or have letters reversed, so you'll have to pay close attention. It is important to also be cognizant of the “to” and “cc” fields to ensure that there are no suspicious third parties.
Is it personalized? If a secure organization is attempting to contact you they should already have your name and information. Be wary of generic greetings.
Improper spelling and grammar can be giveaways as well.
An overwhelming sense of urgency that requires you to share personal information.
Links! Only click on those that you are expecting. Also, hover your mouse over the link before you proceed to make sure that it is taking you where it claims to.
Same goes for attachments; don’t open anything you aren’t expecting.
Is it too good to be true? Probably.
Suspicious emails from trusted sources can happen. If your friend or colleague sends you a strange message, their account may have been attacked. If you are questioning it, give them a call first to confirm legitimacy.
Editors' Note: This article has been updated and was originally published in January 2014 by Emma Howie (Eze Castle Integration).
Source: SANS Institute