by Dave Moore, CISSP

10/17/2021

The theme of week two of National Cybersecurity Awareness Month is recognizing fake emails, texts and chat messages. These are messages that masquerade as something they’re not, in an effort to trick you into getting in trouble.

The most notorious of these is known as the “phishing” email (the “ph” spelling is a goofy story all of its own). The phishing email is one that is part of a fishing expedition, in that deceptive emails are distributed far and wide in the hopes that a fish (an unsuspecting victim) will take the bait and be tricked into doing something they would not otherwise do. “Phishing” expeditions can also include text and chat messages.

According to the National CyberSecurity Alliance, a large percentage of cyberattacks in 2020 used phishing, while 74 percent of US organizations experienced a successful phishing attack last year alone. That makes phishing emails and texts some of the top ways the Internet bad guys trick people into dangerous behavior.

Learning the warning signs of a phishing scam attempt is critical to staying out of trouble. Sometimes, things like bad grammar, misspelled words and being urgently commanded to click on odd-looking links or open unknown attachments make a bogus message easy to spot. However, Internet crooks have polished their skills over the years. Remember, we’re talking about professional career criminals who want to continue their careers, and they have invested considerable effort in coming up with messages their intended victims won’t immediately recognize as being bogus. Some have become masters of making their phony messages appear downright appealing.

To spot phishing messages, look first at the source. Many times, the message will seem to be coming from someone you know, with their name prominently displayed, in the hopes you will be more trusting. Look closely at the email address, though; does the email address itself line up with the name of someone you actually know, or is it strangely different? When in doubt, contact the person or business directly (remember when people used to actually call other people on the phone, and talk to them with their voice?) and ask if they sent you the message, or not.
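The name-versus-address check described above can also be done by a mail filter. The Python below is an added example, not part of the original column; the contact list, names and sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: people you actually know and the
# addresses they really use (assumption, not from the column).
CONTACTS = {
    "pat jones": {"pat.jones@example.com"},
    "acme billing": {"billing@acme.example"},
}


def _norm(name):
    # Fold case and collapse whitespace so "Pat  JONES" equals "pat jones".
    return " ".join(name.casefold().split())


def check_sender(from_header, contacts=CONTACTS):
    """Classify one From: header value as 'ok', 'mismatch' or 'unknown'.

    'mismatch' means the displayed name belongs to a known contact,
    but the real address behind it does not.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    name = _norm(display)
    known_addrs = set().union(*contacts.values())

    if name in contacts:
        # Familiar name: the address must be one that person really uses.
        return "ok" if addr in contacts[name] else "mismatch"
    if name in known_addrs and name != addr:
        # The display name is itself a trusted address, placed there to
        # hide a different real sender.
        return "mismatch"
    if addr in known_addrs:
        return "ok"
    return "unknown"


if __name__ == "__main__":
    samples = [  # constructed From: headers
        "Pat Jones <pat.jones@example.com>",
        "Pat Jones <pat.jones@mail-login.invalid>",
        '"pat.jones@example.com" <crook@mail.invalid>',
        "Weekly Deals <news@shop.example>",
    ]
    for header in samples:
        print(f"{check_sender(header):9} {header}")
```

A "mismatch" result is the cue to do what the column recommends: contact the person directly before acting on the message.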

Not to be outdone by people learning how to spot their scams, the bad guys have diversified their efforts beyond email, and branched out into voice phishing (given another silly name, “vishing”) where they contact their future victims with a phone call. Is there anyone left who hasn’t gotten a phone call from “Visa, MasterCard and Discover” offering zero-percent interest rates, or a call from the IRS threatening to send the local sheriff to have you “seriously arrested,” or from Microsoft saying your Windows license and IP address are about to expire?

Vigilance is the key to defeating phishing scams. Did your boss really go on vacation, and then email you they had forgotten to pay an important bill, asking if you could pay it immediately? I personally know someone who fell for that one, to the tune of many thousands of dollars.

“Things are not always what they seem; the first appearance deceives many; the intelligence of a few perceives what has been carefully hidden…” The Phaedrus, by Plato.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd., he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org