Thanksgiving weekend not only kicked off the holiday shopping season, but prime phishing season as well.
Phishing refers to the fake emails that land in your inbox: the ones that promise a great deal for a limited time only, or say they’re having trouble delivering a package to you. What the scammers behind them are actually trying to do is steal your personal information or get you to click on a malicious link that downloads malware onto your computer.
Don’t fall for it, says Lt. Cmdr. Kenneth Miltenberger, who runs the Red & Blue Teams for Coast Guard Cyber Command. While the Coast Guard has filters that catch many phishing emails, personal computers typically aren’t as well protected.
Miltenberger and Chief Warrant Officer 3 Justus Marks put together periodic internal educational phishing campaigns to test how members respond to fake emails. They offer these tips to protect yourself:
Trust no one
Amazon, DHL, Best Buy, UPS, Walmart: phishing scammers like to pretend they’re well-known companies that you trust. But even if you’ve recently done business with them, or the logo appears on the email, don’t click. “It’s always better to go to a site via a web search, as opposed to a link in an email,” Marks said. Alternatively, log into your actual account directly. Many organizations, including Amazon, UPS, and the U.S. Postal Service, have set up customer help sites that highlight current scams and show you what a legitimate email message should look like. Marks was recently sent a phishing email allegedly from AT&T from the email address Update@Account.att-mail.com. Fortunately, he thought to check the AT&T website and found the actual sender address should have been Update@emaildl.att-mail.com, so he knew not to click on it.
Learn to spot the indicators
Bad grammar or misspelled words used to be dead giveaways, but this is changing as phishing emails, and the technology behind them, get more sophisticated. Marks warns to be alert for:
- A display name and email address that don’t add up. EXAMPLE: The display name is Amazon, but when you hover over the name, the email address is SupportTeam@AmazonSupport1234.com.
- An offer that has a time limit. For example, “Act now while offer lasts....”
- A subject line with broad or emotional appeal. In one internal educational phishing campaign Marks designed to test a Coast Guard unit, the email offered a free Netflix-style streaming service; another had a subject line that mentioned parking passes, something near and dear to most workers.
- Sometimes a bogus address is hard to spot visually, or the link address simply makes no sense. Marks, for example, recently received a “Package tracking” email from A@ishara.neurison.com. “I definitely won’t be clicking that one,” he said.
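The first and last indicators above (a display name that claims a brand the sender domain does not belong to, and a sender host that matches nothing you recognize) can be checked mechanically. The following is an added example, not code from the Coast Guard teams or the article; the brand keyword list and the Amazon host are constructed placeholders, while the AT&T host is the legitimate one the article says Marks found on AT&T's site.

```python
from email.utils import parseaddr

# Constructed reference data (assumption, not a real policy): for each brand, the
# keywords that mark a message as claiming to come from it, and the exact sender
# hosts the brand's own help page lists as legitimate. Only the AT&T host comes
# from the article; "amazon.com" is a placeholder for illustration.
BRANDS = {
    "Amazon": {"keywords": ("amazon",), "hosts": ("amazon.com",)},
    "AT&T": {"keywords": ("at&t", "att-mail"), "hosts": ("emaildl.att-mail.com",)},
}


def check_sender(from_header: str) -> list:
    """Return indicator strings for one From: header; an empty list means
    the display name and sender host agree with a known legitimate host."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["sender address missing or unparseable"]
    host = addr.rsplit("@", 1)[1].lower()
    name_lower = name.lower()

    # Which brands does the message appear to claim, by display name or by
    # a lookalike host such as AmazonSupport1234.com or Account.att-mail.com?
    claimed = [
        brand for brand, info in BRANDS.items()
        if any(k in name_lower or k in host for k in info["keywords"])
    ]
    if not claimed:
        return [f"sender host {host} matches no known brand; verify before clicking"]

    findings = []
    for brand in claimed:
        legit = BRANDS[brand]["hosts"]
        if host not in legit:  # exact host match, so subdomain tricks are caught
            findings.append(
                f"claims {brand} but sends from {host}, not one of {', '.join(legit)}"
            )
    return findings


if __name__ == "__main__":
    # Constructed samples built from the addresses quoted in the article.
    for sample in (
        "Amazon <SupportTeam@AmazonSupport1234.com>",
        "AT&T <Update@Account.att-mail.com>",
        "AT&T <Update@emaildl.att-mail.com>",
        "A@ishara.neurison.com",
    ):
        print(sample, "->", check_sender(sample) or ["no indicator found"])
```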
Slow down
You may pride yourself on an empty inbox, but efficiency can often be your downfall. “People who are trying to crush through 200 emails during their 10-minute lunch break are more likely to click a link they shouldn’t,” said Miltenberger. How does he know this? In one internal phishing campaign that the Blue Team conducted at the Coast Guard last year, this turned out to be the primary reason so many people who should have known better opened the fake email. “It’s easy to mess up when you’re in a hurry,” he said.
Remember it’s not just email
Almost anything scammers can do by email can be replicated on your mobile phone or voice mail. Beware of smishing, which is an attack carried out over text messaging. There is also vishing, where someone contacts you by phone and tries to elicit confidential data, obtain funds, or harm you in some other way.
When in doubt, delete the message or hang up.
Protect vulnerable family members
Just because you are tech-savvy doesn’t mean everyone you know is. “Members of our teams have had older relatives phished and give details away because they don’t understand,” said Miltenberger. Talk to your relatives or young children and be sure they know the difference between what’s real and what’s a scam. As a rule, no company that has your email should need to ask for your credentials. Also, you should NEVER type credentials into ANY website that is using HTTP, Marks said. HTTPS only!