Sad true story: Recently a family member's small business was breached by ransomware. This horrific code encrypted nearly every single data file -- Word documents, Excel spreadsheets, etc. -- and literally held them for ransom. If this business wanted its data back, the price would be $700.
Phishing strikes again. According to a security pro, the ransomware got in when one of the owners opened an email attachment marked "My resume" -- a seemingly harmless action, especially given that the company was, in fact, actively hiring.
Ransomware is among the most heinous of phishing-related crimes. Others include identity theft and even locking you out of your smartphone. But, wait, isn't security software supposed to protect you from such threats? It is, but that's what makes phishing so devious: It arrives as harmless-looking email and cajoles or frightens you into action -- usually clicking a link or opening a file. And often that's all it takes.
While many users are well-acquainted with this practice and know what to look for, I suspect there are plenty of folks who still fall victim. Heck, I consider myself an expert at phishing avoidance, yet I've had occasional momentary lapses that almost got me to click a fraudulent link.
Therefore, allow me to share an actual email I received recently and some telltale signs of phishing fakery:
- Like many users, I have several email addresses. But this message came to an address that isn't linked to my PayPal account. What's more, the "To" field is blank, an obvious sign it didn't actually come from PayPal.
- Bad grammar and spelling are telltale signs of phishing. Big companies hire professional copywriters (and editors) even for things as basic as email communication.
- My name is missing. The salutation merely reads, "Hello, [blank]." I'm pretty sure PayPal would communicate with me by name.
- Another strong clue this is a fake: I didn't just sign up for PayPal. Now, you might think, "Oh, no, somebody created a PayPal account in my name!" Again, this is a scare tactic (and a weak one at that) designed to get you to click the inviting blue button. Were you to do so, you'd probably be directed to a site that looks fairly PayPal-like, with a form requesting all kinds of personal info -- including a credit card number. Alternatively, you could land at a site that stealth-installs a bunch of spyware and/or viruses.
This was some sloppy phishing. But there are much craftier ones out there, like "your account has been compromised!" emails that look indistinguishable from the real thing.
Fortunately, it's fairly easy to protect yourself against come-ons like these:
Always be suspicious. Phishing emails try to freak you out with warnings of stolen information (or worse), and then offer an easy fix if you just "click here." (The flipside: "You've won a prize! Click here to claim it!") When in doubt, don't click. Instead, open your browser, go to the company's website, then sign in normally to see if there are any signs of strange activity. If you're concerned, change your password.
Check for bad spelling and grammar. Most of the missives that come from outside the US are riddled with spelling mistakes and bad grammar. As I noted earlier, big companies hire professionals to make sure their emails contain perfect prose. If you're looking at one that doesn't, it's almost certainly a fake.
Beef up your browser. An accidental click of a phishing link doesn't have to spell disaster. McAfee SiteAdvisor and Web of Trust are free browser add-ons that will warn you if the site you're about to visit is suspected of malicious activity. They're like traffic cops that stop you before you turn down a dangerous street.
Use your smartphone. If you're checking email on your smartphone, it might actually be harder to spot a phishing attempt. You can't "mouse over" a questionable link to see where it really goes, and the smaller screen makes you less likely to spot obvious gaffes. Although many smartphone browsers (and operating systems) are immune to harmful sites and downloads, it's still good to exercise caution when dealing with suspicious links. (Obviously you still shouldn't complete a form that asks for your password or other personal info.) Android users in particular should be aware of the potential risks.
Most of all, rely on common sense. You can't win a contest you didn't enter. Your bank won't contact you using an email address you never registered. Microsoft did not "remotely detect a virus on your PC." Know the warning signs, think before you click, and never, ever give out your password or financial info unless you're properly signed into your account.
Got any other anti-phishing tips to share? Load 'em up in the comments.