employee phishing
There has been a lot of local news and buzz lately about phishing activities and not the ones where you catch dinner! Emails, websites, and even telephone calls can be phishing expeditions by the less than trustworthy.  We’ve all heard of folks hit by identity theft.  And, yes, sometimes that comes from hackers and the unsavory entities stealing personal information from companies where we’ve provided our names, addresses, credit cards, and other personal information doing business with them.  Maybe the information wasn’t handled and protected properly and that’s why it got into the hands of the wrong people.  Maybe it was someone “on the inside” who took advantage of authorized access to do unauthorized things with the information.  Maybe it was someone who got phished!

So what is “phishing” and why do you care?

According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.  The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim.”

So, in plainer language, Phishing is giving you something you think you want or need (an email or website) to convince you to give the “phisher” your sensitive information.

Most people think, “I’d never fall for this type of trap!”  Think again!  It happens daily, to people from all walks of life.  How many times has someone called or emailed you asking you to click on a link to a website and fill out some forms or give them some information over the phone to verify or confirm an appointment or some similar request?  How do you know it was a legitimate representative of the company, organization, or agency you thought it was?  Now, the fraudsters are even getting slicker, just asking you a question on the telephone where you will answer, “Yes” and then they record your answer and associate it with a question or request for services you didn’t even agree to or know about.


So What Should You Do?

There are several “best” practices to follow:

  • If you don’t recognize who an email is from, DON’T OPEN IT!!  Opening an email can allow a virus to launch on your system.  Opening the email actually gives it permission to execute some payload or executable contained in the email.
  • DON’T OPEN the email!  Remember, DON’T OPEN THE EMAIL if you don’t know or recognize who it came from.
  • If you open an email and it looks legitimate but has an unusual sense or seems odd, call the sender or send a separate email to the sender to inquire about the legitimacy of it.  Anyone you contact should respect your caution.
  • NEVER, EVER respond to emails with your personal, private, identifiable information, e.g., your social security number, bank account number, credit card numbers, and the like.  There have been numerous examples where emails that appeared legitimate requested such information to verify or validate your account.  NEVER, EVER give that information in response to an email that you are not 100% sure is legitimate and from the actual person or organization.
  • If you ever did open and respond to an email such as this, and it directs you to a website to login or enter personal information, always look at the url (the website address) in the browser.  If you plan to enter personal information, always make sure the website is secure and encrypted.  First, ensure it uses SSL (secure sockets layer) encryption.  You can tell this by the url — it should begin with “https:” — NOTE the “s”.  This indicates SSL encryption. For a more in-depth explanination, check out our post “Why is HTTPS:// so important?“. Second, look at the actual url value and be absolutely certain that it is the domain of the legitimate entity and sender.  For instance, if the original email was sent by someone@newcompany.com, you should expect the url of the website to begin with “https://www.newcompany.com/” or “https://newcompany.com/” with some additional values after that.  If that’s not the case, DO NOT enter any personal information in this site unless you contact the company or organization yourself and verify the authenticity of the email, the request, and the website.

Anyone can pretend to be anyone on the Internet, especially with emails.  Remember that these dishonest people cannot magically do anything to you or your computer without getting you to do something to “give them permission”.  Always be cautious and, when in doubt, DON’T! If you ever suspect you’re being phished, give the IT experts at SandStorm IT a call at 901-476-0275.

Tags:

Sign up to receive awesome content in your inbox, every month.