Phishing

The weakest link in every company is its people. Phishing is when a hacker attempts to obtain personal information by exploiting this weakness. The hacker’s objective is to appear as legitimate as possible to get people to divulge any information. This can be through an email, a fake web site, text messages, or phone calls. No matter which method is used, the objective is the same: obtain sensitive data.

There are a few things to remember about every email you receive. First, don’t click that link. Mouse over the link and read the URL that it shows at the bottom of your browser window. Never click a link in an email from a financial institution. When you set up your online banking, create a bookmark in your web browser and use it to go to the login page. If you need to open a link you are emailed, right-click the link, choose “Copy Link Address”, paste it in your web browser address bar, then read it. Confirm everything in it is spelled correctly and it is a web site you want to visit before you click GO.

“Congratulation! You won’t the Microsoft lottery that will be paid in Kenyan Shillings! Click here to claim your fortune.” While this example is pretty extreme and obviously fake, hackers are getting better at tricking people. While most people wouldn’t click that, they might click the links from www.readersdigest.co. Did you really enter that sweepstakes?

Similar to “phishing” is “vishing”. This is a voice method of scamming where fear and urgency are used to trick you into divulging private information. While their story will change periodically, their objective is always the same: get information. “Ted” from “Tech Support” will not call and ask for your password to “update your profile”. You will never have to pay a “processing fee” in order to claim a prize. “Windows Technical Support” will not call you because of software they detected on your computer. The IRS does not issue arrest warrants. If you get one of these phone calls, just hang up.

Check for a secure connection to the web site. Make sure the URL begins with HTTPS before you enter any of your personal information. Don’t enter your personal information on every web site that offers a coupon or discount. Treat every web site like that suspicious-looking van driving slowly down the street. Would you tell him your financial details?

Hackers are very crafty in tricking you into opening attachments. Do not open email attachments that you were not expecting. If you receive an email from bill.gates@chase.com with an attachment of PAYMENTS.XLS, don’t open it. But what if you were expecting an email with an attachment? Say you open the RESUME.DOC file from an applicant and LibreOffice warns you that the file contains macros. Do you enable them? No. In fact, emailing the company executives is a common way to turn “Spear-Phishing” into “Whaling”.

Frequent training is the key to success. Many companies provide training programs to prevent the success of phishers. Some companies include assessment tools to test everyone at the office. If the HR or Legal department winces, just tell them “Eventually, everyone will get spam and a phishing email. Do you want it to come from us or the hackers?”