A Healthy Level of Skepticism

Email phishing scams were on the rise in the first quarter of 2018. With criminals increasingly using phishing emails to break into systems and harvest data, we want to cover the most basic steps a company or individual should take to protect themselves against these increasingly sophisticated scams. According to Phishing.org,

“Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.”

The concept is simple. A malicious actor sends you an email that looks like it comes from a trusted source, usually with heightened language encouraging quick action. When you click the link you land on a website or form that looks legitimate but is not operated by the company you think you are dealing with. When you enter your username and password to log in to a bank account, credit card, or billing system, the attackers harvest those credentials and use them to access your real account.

The criminals behind phishing emails are becoming ever more sophisticated at mimicking an institution’s emails and websites. Often the website and email carry the legitimate logo, and the URL is similar or nearly identical to the real website’s URL. If the attackers have obtained basic information about you, such as your first and last name or the fact that you are a customer of the institution, the email may be personalized. These attacks are especially effective when an institution is going through an advertised change (such as a merger or acquisition), because customers expect unusual messages. If these emails and websites are so deceptive, how can you protect your data and credentials against them?

There are a few simple things that can be done with minimal effort and cost.

  1. Always be prudent and read emails with a healthy level of skepticism.
  2. When you get an email from a bank, credit card company, vendor, or business associate that uses urgent language, talks about “free” stuff, requests verification of information, or has an attachment to download – STOP.
    1. Don’t click anything. Check whether the links are what they claim to be. Outlook and web-based email clients show the real target of a link: hover the mouse over it without clicking and look in the bottom left corner of the window, where the URL for that hyperlink appears (on a phone, press and hold the link to preview it). Read the domain carefully, because attackers register lookalike names: an extra word (for example examplebank-secure.com), a swapped character (examp1ebank.com), or the real name placed in front of an unrelated domain (examplebank.com.login-verify.net, which actually belongs to login-verify.net). Link text that shows one address while the target is another is a red flag in itself.
    2. An even safer approach is to close the email, open a browser, type in the website URL as you know it, and log in there. If the urgent message was legitimate you will see it after logging in. If it was a phishing email you will find nothing to address.
    3. If you are still concerned, pick up the phone and call the sender, using a number you already have or one from the institution’s official website, never a number printed in the suspicious email. These conversations often go something like “Don’t click the link; we got hacked because we clicked the link.” You will know to delete that email.
    4. Report the email to your IT staff (forwarding it as an attachment preserves the headers they need) so they can block the sender and keep future phishing messages out of everyone’s inbox.
  3. Never include your bank account number, routing number, social security number, credit card information, or other personal and sensitive information in an email. A sender address is too easy to spoof, and a message is too easy to read or alter in transit, for email to be a safe place for that data.
  4. Check websites for the lock icon next to the URL in the address bar. The lock means the connection is encrypted with TLS (still commonly called SSL) and that the site presented a certificate the browser trusts for the address shown. It does not mean the site is legitimate: phishing sites routinely obtain valid certificates for their lookalike domains, so treat the lock as necessary but not sufficient, and always read the domain name itself.
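The checks in the list above can be applied mechanically before a person ever reads the message. The script below is an added example written for this article, not a tool from the original page or from any vendor: it parses a raw email with Python’s standard library and flags lure wording, link text that disagrees with the link target (the hover check done in code), sender and link domains that imitate a trusted one, plain-http links, and risky attachment types. The sample message, the trusted-domain list, the word lists and the confusable-character table are constructed assumptions to replace with your own; the domain-imitation check is a deliberately simple heuristic, not a substitute for a mail gateway.

```python
"""Added example for this article: offline triage of a suspicious email.

Illustrative code written for this post, not a tool from the page. All
inputs below (sample message, trusted domains, word lists) are constructed
assumptions; the lookalike check is a simple heuristic. Standard library only.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains you actually do business with.
TRUSTED_DOMAINS = ("examplebank.com",)
URGENT_WORDS = ("urgent", "immediately", "suspended", "verify", "free", "within 24 hours")
RISKY_ATTACHMENTS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".iso", ".zip")
# Digit-for-letter swaps and hyphens that lookalike domains rely on.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})

# Constructed sample: the visible link text names the real bank, the href does not.
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-secure.com>
To: customer@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended. Please
<a href="http://examp1ebank.com.login-verify.net/auth">login at https://www.examplebank.com</a>
immediately to verify your information.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: ignores public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like_trusted(host):
    """Return the trusted domain that `host` imitates, or None if it is genuinely trusted or unrelated.

    Catches examp1ebank.com (digit swap), examplebank-secure.com (added word) and
    examplebank.com.evil.net (trusted name used as a subdomain of another domain).
    """
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    normalized = host.lower().translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in normalized:
            return trusted
    return None


def triage(raw_message):
    """Return (severity, finding) tuples for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = (str(msg.get("subject", "")) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [w for w in URGENT_WORDS if w in text]
    if hits:
        findings.append(("medium", "lure language: " + ", ".join(hits)))

    sender_domain = email.utils.parseaddr(str(msg.get("from", "")))[1].rpartition("@")[2]
    imitated = looks_like_trusted(sender_domain)
    if imitated:
        findings.append(("high", f"sender domain {sender_domain} imitates {imitated}"))

    collector = _LinkCollector()
    collector.feed(html)
    for href, shown_text in collector.links:
        target = urlparse(href)
        target_host = target.hostname or ""
        shown = re.search(r"https?://([\w.-]+)", shown_text)  # the hover check, in code
        if shown and shown.group(1).lower() != target_host:
            findings.append(("high", f"link text shows {shown.group(1).lower()} but points to {target_host}"))
        imitated = looks_like_trusted(target_host)
        if imitated:
            findings.append(("high", f"link host {target_host} imitates {imitated}"))
        if target.scheme == "http":
            findings.append(("low", f"link to {target_host} is plain http, not https"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            findings.append(("high", f"risky attachment type: {name}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_EMAIL):
        print(f"[{severity}] {finding}")
```

Run it as-is to see the constructed sample flagged on five counts, or feed it a message saved from your mail client (`triage(open("suspect.eml").read())`). The registrable-domain helper deliberately ignores public suffixes such as co.uk; a production version would use a public suffix list.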

Chrome, Microsoft Edge and Internet Explorer each display the lock in the address bar, to the left of the URL.

When you click the lock icon you can see more information about the certificate and the website (the example here is from Chrome).

When you click “Certificate (Valid)” a dialog box opens with information about the website and the certificate. Make sure the “Issued to” name matches the domain in the address bar exactly, not merely resembles it: a certificate issued to a lookalike domain is perfectly “valid” for that lookalike.

You can also look at the “Issued by” field, which names the certificate authority that issued the certificate. A quick Google search confirms whether that issuer is a well-known, legitimate authority. Bear in mind that a reputable issuer only vouches that the certificate holder controlled the domain name at the time of issuance, not that the business behind it is who it claims to be.

Bad SSL certificate:

You will see a warning like this if the certificate is not valid for the site: it has expired, was issued for a different name, or was issued by an authority the browser does not trust. Do not click through the warning to enter credentials; a legitimate bank or vendor does not run its login page behind a certificate error.

No Certificate:

This is what you will see on a plain http:// site, which uses no certificate at all. Do not enter sensitive personal or financial information on these sites: the traffic is not encrypted, so anyone on the path can read or alter it.
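Behind the lock icon the browser performs one specific test: does the name in the address bar match a name the certificate was issued to? The code below is an added example written for this article, not browser code. It implements that matching rule over the kind of dictionary Python’s ssl module returns from getpeercert(), and walks a constructed certificate for a lookalike domain through it, which shows why “Issued to” must be compared with the domain you typed: the lookalike certificate is valid for its own domain and the lock would show, yet it does not cover the real bank’s name. The certificate contents, domain names and issuer names are constructed; fetch_peer_certificate() is only used when you pass a hostname on the command line to inspect a live site.

```python
"""Added example for this article: the name check behind the lock icon.

Illustrative code written for this post, not browser code. hostname_matches()
implements the core of the RFC 6125 rule a browser applies to the dNSName
entries of a certificate's Subject Alternative Name: case-insensitive exact
match, or a wildcard standing for exactly one leftmost label. LOOKALIKE_CERT
is constructed in the shape ssl.SSLSocket.getpeercert() returns; no network
access is needed unless a hostname is given on the command line.
"""
import socket
import ssl
import sys


def hostname_matches(hostname, dns_names):
    """True if `hostname` is covered by one of the certificate's dNSName entries."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # "*.example.com" -> ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            # The wildcard covers exactly one label: "www" yes, "a.b" no, "" no.
            if prefix and "." not in prefix:
                return True
    return False


def san_dns_names(cert):
    """dNSName entries from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _rdn_value(cert, field, attribute):
    """One attribute (e.g. commonName) from the subject or issuer of a getpeercert() dict."""
    return dict(pair for rdn in cert.get(field, ()) for pair in rdn).get(attribute, "")


def issued_to(cert):
    """The dialog's "Issued to" line; may be empty on modern certificates that carry only SANs."""
    return _rdn_value(cert, "subject", "commonName")


def issued_by(cert):
    """The dialog's "Issued by" line."""
    return _rdn_value(cert, "issuer", "commonName")


def certificate_covers(cert, hostname):
    """The decision the browser makes before showing the lock: does a SAN entry match the address?"""
    return hostname_matches(hostname, san_dns_names(cert))


# Constructed: a perfectly valid certificate for a lookalike domain (names are made up).
LOOKALIKE_CERT = {
    "subject": ((("commonName", "examp1ebank.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "examp1ebank.com"), ("DNS", "www.examp1ebank.com")),
}


def fetch_peer_certificate(hostname, port=443):
    """Live version: the same dict a browser's certificate dialog is built from (needs network)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname during the handshake
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cert, hosts = fetch_peer_certificate(sys.argv[1]), [sys.argv[1]]
    else:
        cert, hosts = LOOKALIKE_CERT, ["www.examp1ebank.com", "www.examplebank.com"]
    print("Issued to:", issued_to(cert), "| Issued by:", issued_by(cert))
    for host in hosts:
        print(f"{host}: certificate covers this name = {certificate_covers(cert, host)}")
```

Without arguments the script reports that the constructed certificate covers www.examp1ebank.com but not www.examplebank.com: the lock would appear on the lookalike site, and only reading the “Issued to” name against the address you meant to visit reveals the problem.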


By taking some very simple – and free – steps, you can better protect your business and personal information from phishing scams.