Thoughts and tips on information security and privacy in an increasingly digital life


What is “phishing” and how can you spot it?

4 Feb 2017, 15.04, Linus Nyman


The term phishing is a variation of the word fishing (it’s something called a homophone: sounds the same, spelled differently). But in this version of fishing, we’re the fish and the bad guys are the fishermen. This week’s blog is about how to know when not to take the bait.

Phishing is about someone trying to get at your personal or valuable information. Typically stuff like your credit card number or login information to one of your online accounts.

Phishing usually starts with an email. It can (appear to) be from your bank, from Apple, from some social media site where you have an account, etc. In this email you are told that it’s important that you click a link to log in to the site or enter some other valuable information.

It’s entirely possible, even probable, that the site you visit by clicking this link will look completely legit. But if it’s phishing, then it won’t actually be real. And any information you enter while visiting the site (or any information you send in a reply to the email) will go straight to the bad guys.

“Do it now or your world might end!”

These kinds of emails often include some reason for you to believe that it’s important, even urgent, that you log in right away. It could be that you’re told you need a critical security patch. Or that some-or-other account information is outdated.

A sneakier version of inducing a gottaloginrightaway! feeling is sending a receipt for some large purchase you never actually made. The email with the receipt will then come with a link to log in, in case you want to check the payment details. (“Thank you for your monthly pledge of USD 1000,00 to the Build the Wall Foundation. If you want to manage your donations, click this link.”) (“Don’t worry – it’s totally legit; we’ve got the best links.”)

If you get an email that tries to create a sense of urgency to log in or enter your credit card information somewhere, the first and by far most important step is: don’t panic. (Or, as Frankie would have put it: relax, don’t do it.) This could be a phishing attempt, and there are a number of things you should do before you believe a single word of it.

“Phishing License” by xkcd.com

How can you spot a phishing attempt?

Here are at least some things worth doing. (If I had a lawyer, I’m sure they would tell me to include something here about this not being a complete list, but a good start.)

1) Check the spelling and wording

If the email has a generic opening, like “dear customer,” then be wary. If you actually had an account with them, they could start with something more personal, like your username or real name. Bad grammar should also get your warning bells ringing.

2) Check what the email wants you to do

If you are asked to send personal or valuable information by email then you can chuck the email in the trash. Never send account information, credit card information, etc. via email.

If there’s a link to click on to log in somewhere, then you need to look at a few other things before clicking on it. (And even if you think the email is legit, there’s still a better way to go than clicking on the link, but we’ll get to that in a bit.)

3) If there’s a link, see where it goes (without clicking on it)

It’s a good idea to always check where a link will take you. Even a link that looks like it goes straight to some website can take you somewhere completely different. It’s the author who decides where a link leads, regardless of what the link says.

You can usually check where a link leads just by hovering over it with your mouse. (If you don’t get a pop-up window with that information, check the bottom left of your browser window.) Here are a few links to try it out on – one does what it says on the tin, the other doesn’t.

Yes: www.hbl.fi

No: www.hbl.fi

(There are more advanced ways of checking links, but do at least this much.)

Another important thing is to know a bit about how web addresses work. Whatever comes at the end (right before the .com, .net, etc.) is the site you will be visiting. If the link you see says it will take you to www.yourbank.linus-is-conning-you.com, then you will not go to your bank, but rather to a page belonging to the site linus-is-conning-you.com.

Another important thing is to read the link’s address carefully. One trick the bad guys use is creating pages that not only look identical to real sites, but that also have very similar addresses. For instance, the addresses www.thisisyourbank.com and www.this1syourbank.com may look identical if you just glance over them. But one of them leads to your money, the other leads to losing your money.

4) Check the sender’s email information

If the information in the sender’s email is different from the company or service they say the email is from, chuck it in the trash. So, if you get an email from linus@someemailservice.com saying the email is from your bank, chuck it. But that information can be altered (something called e-mail spoofing), so even though it looks legit you still can’t be sure.

If things still look OK and you want to visit the site in question, there is a better and a worse way to go about it.

5-) Click on the link – and then check the address again

If you visit the site through clicking on the link then it’s incredibly important that you check the address bar in your browser. Do the same thing you did in step 3 above: make sure the address is what it is supposed to be. Make sure it’s www.yourbank.com, not www.y0urbank.com (the “o” there is a zero), or www.yourbank.something.com, or something even stranger.

Important: do not trust the site just because it looks legit. The address bar is often the only way to tell the difference between a phishing site and the real deal.
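The address checks from step 3 and step 5-) (which part of the address is the real site, and whether it is a look-alike of the one you expect) and the sender check from step 4 can be done mechanically. Here is a small Python script that does exactly that; it is an added example, not code from the blog. It assumes a hypothetical bank domain, yourbank.com, and uses the simple “last two labels” rule from the post to find the site a link actually leads to (that rule is a simplification: a full version would consult the Public Suffix List to handle endings like .co.uk).

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical: the domain the bank really uses. A real checker would keep a
# short list of the sites you actually have accounts with.
EXPECTED_DOMAIN = "yourbank.com"

# Digits and symbols that are often swapped in for letters in look-alike
# addresses (the post's example: "y0urbank" with a zero instead of an "o").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def _host(url: str) -> str:
    """Return the lower-cased host name of a link, with or without a scheme."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """The site a link really leads to: the last two labels of the host.

    www.yourbank.linus-is-conning-you.com -> linus-is-conning-you.com
    (Simplification: ignores multi-label suffixes such as .co.uk.)
    """
    return ".".join(_host(url).split(".")[-2:])


def normalise(domain: str) -> str:
    """Crude canonical form: strip accents, keep ASCII, undo digit look-alikes."""
    ascii_only = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values mean the names are only a typo apart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Classify a link relative to the site we expect it to lead to.

    'ok'                    the registrable domain is the expected one
    'brand-in-other-domain' the brand name appears, but the site is someone else's
    'lookalike'             a near-identical spelling of the expected domain
    'unrelated'             nothing to do with the expected site
    """
    domain = registrable_domain(url)
    if domain == expected:
        return "ok"
    brand = expected.split(".")[0]
    if brand in _host(url):
        return "brand-in-other-domain"
    if normalise(domain) == normalise(expected) or levenshtein(domain, expected) <= 2:
        return "lookalike"
    return "unrelated"


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header such as 'Bank <x@example.com>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def sender_matches(from_header: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """Step 4: does the sender's domain match the company the mail claims to be from?"""
    return sender_domain(from_header) == expected


if __name__ == "__main__":
    # Constructed sample links, including the ones discussed in the post.
    for link in [
        "https://www.yourbank.com/login",
        "www.yourbank.linus-is-conning-you.com",
        "http://www.y0urbank.com",
        "https://example.org/",
    ]:
        print(f"{link:45} -> {check_link(link)}")
    print("sender ok:", sender_matches("Your Bank <linus@someemailservice.com>"))
```

Everything except “ok” is a reason to stop and type the address in yourself (step 5+). As the post says, the sender check is the weakest of the three, because the From: line can be spoofed: a match there proves nothing, while a mismatch is a clear warning.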

5+) Don’t use the link to get there – type in the (real) address yourself

A safer way to get to any site than by clicking email links is to type in the address yourself. Say you got an email about a data breach, saying that you need to change your password. Instead of going to the site using a link in the email, you can just type in the address for the site yourself. And then, in this example, navigate to the “change passwords” section of the site. That way you can avoid any risk of falling for phishing. The worst that will happen, if it is phishing, is that you have changed your password unnecessarily. (And if you end up having trouble coming up with your new, unnecessary password, I’ve written about passwords in an earlier blog.)

You don’t have to go home but you can’t stay here

That’s all (for this time), folks. Find your way here because you’re actually interested in phishing? Then why not head over to Wikipedia’s page on phishing to learn some more! Find your way here in a desperate attempt to avoid doing whatever it is you’re actually supposed to be doing? Then why not head over to xkcd.com to continue procrastinating there!

PS. Whichever link you chose, remember to check it out before clicking on it. (There aren’t any surprises in the links – it’s just a good habit to get into.)
