Keep Yourself Safe From Phishing

Keep Yourself Safe From Phishing

There are various phishing techniques used by attackers:
·         Embedding a link in an email that redirects your employee to an unsecure website that requests sensitive information
·         Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information
·         Spoofing the sender address in an email to appear as a reputable source and request sensitive information
·         Attempting to obtain company information over the phone by impersonating a known company vendor or IT department

How to avoid getting caught in the phish net:
1. Sender details:
First thing to check: the sender’s email address.
Look at the email header. Does the sender’s email address match the name and the domain?
Spoofing the display name of an email, in order to appear to be from a brand, is one of the most basics phishing tactics.

2. Message content:
Clue number one:  They ask you to send them or verify personal information via email.
Or they are asking for information which the supposed sender should already have.

Clue number two:  They are likely to play on your emotions or urgency.
As a general rule, be suspicious of any mail that has urgent requests (e.g. “respond in two days otherwise you will lose this deal”), exciting or upsetting news, offers, gift deals or coupons (especially around major holidays or events, such as Black Friday or Christmas).

Clue number three:  They claim there was some sort of problem with your recent purchase or delivery and ask you to resend personal information or just click on a link to resolve it.
Banks or legitimate e-Commerce representatives will never ask you to do that, as it’s not a secure method to transmit such information.

Clue number four:  They claim to be from a law enforcement agency.
They never use email as a form of contact.

Clue number five:  They ask you to call a number and give your personal details over the phone.
If this is the case, search for the official correspondence from the company and use the phone number provided them to verify if this is true.

3. Message form:

First rule: Beware of bogus or misleading links.
Hover your mouse over the links in the email message in order to check them BEFORE clicking on them.

The URLs may look valid at a first glance, but use a variation in spelling or a different domain (.net instead of .com, for example). Thanks to the new generic topic-level domains that were introduced in 2014, spammers and phishers gained new tools for their campaigns.
Other phishing scams use JavaScript to place a picture of a legit URL over a browser’s address bar. The URL revealed when hovering with your mouse over a link can also be changed using Java.

Second rule: Look out for IP addresses links or URL shorteners.
They can take a long URL, shorten it using services such as bit.ly, and redirect it to the intended destination. It’s hard to find out what’s on the other end of that link, so you might be falling into a trap. Better be safe than sorry.

It’s not unusual for the domain to be deliberately distorted in the email, by adding extra spaces or characters, together with instructions on how to use it (“Remove all the extra characters / spaces and copy to the address bar”).

Third rule: Beware of typos or spelling mistakes.
This used to be the norm, but it’s no longer an imperative.

Fourth rule: Beware of amateurish looking designs.
This means: images that don’t match the background or look formatted to fit the style of the email. Stock photos. Photos or logos uploaded at low resolution or bad quality.

Fifth rule: Beware of missing signatures.
Lack of details about the sender or how to contact the company points into phishing direction. A legitimate company will always provide such information.

4. Attachments

Look out for attachments.
They can attach other types of files, such as PDF or DOC, that contain links. Or they can hide malware. Other times, they can cause your browser to crash while installing malware.

5. External links and websites

Let’s assume that you already clicked on a link from a suspicious email.
Is the domain correct? Don’t forget that the link may look identical, but use a variation in spelling or domain.

Before submitting any information on that website, make sure that you are on a secure website connection. You can easily check that by looking at the link: does it start with “https” or “http”? The extra “s” will mean that the website has SSL. SSL is short for Secure Sockets Layer and is a method to ensure that the data sent and received is encrypted. Legit and safe websites will have a valid SSL certificate installed.

Another way to check that is to look on the left of the web address: is there an icon of a closed padlock? Or is the address highlighted in green? This will indicate that you are visiting an encrypted site and the transferred data is safe.

Helpful Tools

Use browsers that offer built-in phishing protection.

In general, there are two ways to detect phishing websites: heuristics and blacklists.
A heuristic method analyzes patterns in URL, words in web pages and servers in order to classify the site and warn the user.

Google and Microsoft operate blacklists. Google integrated them with Firefox and Chrome, so a warning message will appear before entering a phishing website. Microsoft is integrated with Internet Explorer and Edge.

Basic online security:

Be aware that cyber attackers are one step ahead of the defenders. That means that you cannot always be 100% protected against them, not even with all the email filtering systems or anti-virus software.

Of course, this doesn’t mean that you want to make their jobs easier, so make sure you keep your computer updated at all times.

Keep your software updated as well. If you use a free tool that offers automatic and silent software updates, you can eliminate up to 85% of security holes in your system.
Install a reliable antivirus. It should include real-time scanning and automatic update of virus database.

Choose an antivirus that scores high on phishing protection tests.

You should also create a separate email account that you only use to subscribe to newsletters, forums, online retailers, social media accounts or other public Internet services. Keep your personal email account as private as possible. This will help reduce the amount of spam and phishing attempts you receive.

Also, beware not to click on the Unsubscribe button or follow instructions for unsubscribing for unsolicited spam. Many spammers and phishers use these in order to find out if your email is valid.

If you are still unsure whether or not it is phishing:

Try to always directly type the web address of the site you want to access in your browser, instead of clicking on links from emails or social media networks.

Directly contact the company or organization from which the message appears to be sent. Grab the phone or forward them the phishy email. Search for prior communications with them, such as post mail, and use the contact information provided there. Don’t use the contact information provided in the email.

What to do if you think you were phished:

If you have a hunch that something is wrong, immediately contact your bank or credit card institution.
Change the passwords used for those accounts and then also change the passwords used for the emails linked to them.

Where to report phishing attacks:

Forward the message to the last known good address of the sender.

There are several places where you can submit phishing attacks or websites:
If it appears to be from IRS, you can forward it to phishing@irs.gov
Or to the Federal Trade Commission at spam@uce.gov
At US Cert: phishing-report@us-cert.gov
At The Anti-Phishing Working Group: reportphishing@apwg.org

On PhishKillers blacklist: http://www.phishkiller.com/en/

If you are using Gmail, in the drop down menu at every email there is a Report Phishing button.

Report junk email and phishing scams in Outlook on the web
To submit a junk mail message to Microsoft:

1.      Click on the junk message and then click Junk on the toolbar. This moves the message to your Junk email folder and adds the sender to your blocked sender list.
Note:Alternatively, right-click a message to display a menu, and click Mark as junk.
You can report a junk message from your Inbox, Clutter, or Deleted Items folder.

2.      A dialog box opens asking if you want to send a copy of the junk email message to Microsoft for analysis. Click report to send the message to the Microsoft Spam Analysis Team. Optionally, select the Don’t show me this message again check box if you want to automatically submit future junk messages to Microsoft without being prompted.

Tip:
Even if you select the Don’t show me this message again check box, you can later change your preferences for reporting junk email by accessing the display settings in Outlook on the web. (You can access these settings through the gear menu next to your sign in name.)

To submit a phishing scam message to Microsoft:

1.      Click on the phishing scam message, click the down arrow next to Junk, and then click Phishing on the toolbar. Office 365 does not block the sender because senders of phishing scam messages typically impersonate legitimate senders. If you prefer, add the sender to your blocked senders list by following the instructions in the topic Block or allow (junk email settings)

Note:Alternatively, right-click a message to display a menu, and click Mark as Phishing.
You can report a phishing scam message from your Inbox, Clutter, or Deleted Items folder.

Submit “not junk” messages in Outlook on the web
When a message is incorrectly identified as junk by Office 365, submit a message as “not junk” to Microsoft:

1.      In your Junk email folder, click on the message and then click Not Junk on the toolbar. This moves the message to your Inbox and adds the sender to your safe senders list.
Note: Note: You can also right-click on a message in your Junk mail folder to display a menu and click Mark as not junk.

2.      A dialog box opens asking if you want to send a copy of the not junk email message to Microsoft for analysis. Click report to send the message to the Microsoft Spam Analysis Team.