We write about an old subject, spoofing and phishing, because, sadly, many people, even sophisticated computer users, are still conned into revealing private information or clicking on malware links. Learn to recognize phishing attempts and protect yourself from them.
Recognize email spoofing and stop phishing
Email spoofing is the sending of email messages that pretend to be from another individual or entity, usually for the purpose of phishing, that is, tricking you into divulging private data or installing malware on your computer or mobile device. Such malicious email messages can take many forms:
One variant looks like an official email from a company with which you do business, including the branding, color scheme, logo, fonts, etc., and a “From” address that appears similar to the real company’s. The email may sound serious (e.g., “your account has been suspended”) and urge you to click a link that takes you to the criminal’s site (also branded to look like the real company site), where you are prodded to enter private information that can be exploited to your detriment, for example through identity theft.
Phishing preys on fear, greed, or lack of knowledge on the part of email recipients and tricks them into divulging private data or clicking on a link that installs malware. Often the phishing email makes it sound like your account is suspended, that you have an unpaid bill, that a government check cannot be issued, etc., unless you click on their link and provide more information. The more alarmist it sounds, the more urgently it asks you to respond, and the more dire the consequences it portrays, the more likely it is that the email is phony. When in doubt, ignore the email and contact the entity by phone or via their web site contact page.
An instance of the above scenario is a link that takes you to a fake site that is branded to look like the real site and asks you to log in. If you do log in to the fake site, you have now handed over your login credentials, which can be used to gain access to your account(s) or steal your identity.
Another variant is an email from an individual pretending to be someone you know. For example, the email says your “grandchild” was arrested overseas, and it provides instructions to wire funds for bail. It doesn’t matter that many recipients do not have a grandchild, because the criminal sends millions of these illegal emails, so that even a tiny percentage of positive responses results in successful theft.
Yet another example captions the “From” field with the name of someone you know (“spoofing” or forging the sender), though closer examination reveals someone else’s email address. I recently got an email whose “From” name was my spouse. The body said “Do you recognize this photo?” with a link that, if clicked, would most likely have installed malicious code on my computer.
Other types of email spoofing and phishing email messages offer a reward, coupons, prize money, cures, free trials, etc.
There are analogous kinds of spoofing and phishing by phone (using fake Caller IDs), by text message, and by social media message, as well as phishing web sites, which are reached not only through malicious links in spoofed emails but also through search engine results or common typographical errors in a URL.
Prevent email spoofing and stop phishing
There are many things you can and should do to avoid such malicious emails:
1. Be sure your anti-spam option is turned on in your email software; this will filter out some spoofed emails.
2. Be highly suspicious of any email that asks for personal data (name, user ID, credit card numbers, email, password, social security number, birth date, etc.). Even if the “From” address looks like it is from an acquaintance or a company with whom you do business, do not click on any link that asks you to “confirm” your account information or personal data. Rather, if you think it may be legitimate, go to the company’s website and submit a “contact us” question there, or phone them.
3. Look for bad grammar, wrong word usage, or spelling mistakes. Many of these messages emanate from non-English speakers.
4. Notice that a generic greeting, such as “Dear customer,” is a potential indicator of a phishing attempt, as a real email from most companies would be personalized. Combining points 2, 3, and 4 into an example, a dead give-away is an email that starts with “Dear Customer, you’re account is frozen do to a security concern. Please click here to provide us your login credentials to prove your the writeful user.”
5. Think twice before you click on links or reply to suspicious email messages: a) Hover (do not click) over the caption (text) of a link, and the actual destination will momentarily appear in the lower left corner of most browsers. If the URL does not look legitimate, do not click through the link. As hypothetical examples, if the link goes to google.alert239.com, “alert239.com” is the domain, not “google”; and in the link security.arnazon.com (note the “rn” instead of “m”), amazon.com is not the domain. b) Do not reply to an email that sounds alarming or urgent, even when the “From” email address looks legitimate. As another hypothetical example, the From email address customer-service@appIe.com has an upper case “I” (eye) instead of a lower case “L”. Instead, call or write the real company about the alarming email using their web site contact page.
6. Do not open attachments unless you are confident about the sender and were expecting such an attachment.
7. Schedule anti-virus/anti-malware software to run nightly; most malware that has been installed will be detected and removed.
8. Consider anti-phishing software: anti-phishing software can block many phishing attempts, sometimes as part of a broader online security package, and sometimes for free. Check your anti-virus/anti-malware package to see what it does about phishing attacks. Below we list some sites that identify anti-phishing software, though we have not vetted the content: a) CNET’s Anti-phishing software list b) PhishProtection’s The best anti-phishing software free editions c) For companies seeking training or consulting on preventing phishing, here is a list by CSO of 10 companies that can help you fight phishing
9. Password manager: We have recommended the use of password managers (Why use a password manager) for a variety of reasons, not necessarily to fight phishing, but there is a scenario where a password manager will catch a phishing attempt. Suppose an email instructs you to click on a link to log in, and you do so in error instead of going to the web site yourself. If your password manager does not pre-fill the user ID and password as it normally does for your listed sites, then most likely the link has taken you to an illegitimate URL and a fake company login screen.
10. Other computer or mobile device hygiene: Follow the recommendations elsewhere in this blog regarding general computer or phone hygiene. For example, employ password management best practices, and use two-factor authentication where offered.
11. Flag the email: Your email software and provider may offer a way to flag an email message as being a phishing attempt.
12. If it sounds “fishy” or too good to be true, then it probably is! Finally, trust your intuition. If an email from a firm with whom you have an account asks you to supply personal data that it should already have (such as your login credentials, social security number, credit card information, etc.), then it is probably a scam. If an offer for a fantastic deal sounds too good to be true, then it probably is. If you receive an email seemingly from someone you know that is out of character and asks you to click on a link, it may not be from the name labeled as the sender.
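The link-hover check and the password-manager tell described above can both be reduced to one question: which domain was actually registered, and is it the one you trust? The following Python, written for this page as an added example (not code from the original post), does that check on the post’s own hypothetical lookalikes; the trusted-brand list and the short public-suffix table are constructed assumptions.

```python
from urllib.parse import urlsplit

# Domains the reader actually does business with (constructed for this example).
TRUSTED_DOMAINS = {"google.com", "amazon.com", "apple.com"}
# A few public suffixes; a real tool loads the full Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
# Look-alike character runs; "I" -> "l" runs before lowercasing so appIe is caught.
CONFUSABLES = [("I", "l"), ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def target_host(target: str) -> str:
    """Host of a link or domain of a From address, case preserved (the
    urlsplit().hostname shortcut lowercases and would hide the I/l trick)."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[-1]
    url = target if "://" in target else "https://" + target
    return urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0]

def registrable_domain(host: str) -> str:
    """'google.alert239.com' -> 'alert239.com': only the label left of the
    public suffix was registered; anything further left is the owner's choice."""
    labels = host.rstrip(".").split(".")
    for n in (2, 1):  # try the two-label suffix (co.uk) before the one-label one
        if len(labels) > n and ".".join(labels[-n:]).lower() in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host

def skeleton(name: str) -> str:
    """Collapse look-alike spellings: 'arnazon' and 'appIe' become 'amazon' and 'apple'."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name.lower()

def classify(target: str) -> tuple[str, str]:
    """Return (verdict, registrable domain) for a link URL or a From address."""
    host = target_host(target)
    dom = registrable_domain(host)
    if dom.lower() in TRUSTED_DOMAINS:
        return ("trusted", dom)
    owner_chosen = [skeleton(p) for p in host.split(".")[: -dom.count(".") - 1]]
    for trusted in sorted(TRUSTED_DOMAINS):
        if skeleton(dom) == skeleton(trusted):
            return (f"lookalike of {trusted}", dom)
        if trusted.split(".")[0] in owner_chosen:  # brand name as a mere subdomain
            return (f"{trusted.split('.')[0]} name inside {dom}", dom)
    return ("unknown", dom)

def password_manager_fills(saved_domain: str, url: str) -> bool:
    """The post's password-manager tell: fill only on the exact domain the login was saved for."""
    return registrable_domain(target_host(url)).lower() == saved_domain.lower()
```

Run `classify` on a hovered link or a From address and `password_manager_fills` on the page you landed on; a lookalike verdict or an empty autofill is the cue to stop and contact the company directly.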
Remediate damage caused by email spoofing and phishing
If you fell victim to a spoofing and phishing attack, for example, having provided login credentials or personal information to a fake website, you should immediately take the same list of actions we recommended when you are a victim of a data breach. This includes changing your passwords, using a password manager, checking your bank and credit card statements, notifying credit reporting agencies, and putting a freeze on your credit reports.
Cybercriminals continue to have success with spoofing and phishing. Learn to recognize email spoofing and phishing attacks and take the preventive measures enumerated here.