Practical Steps To Protect Yourself from Phishing Scams
Have you ever received an e-mail from somebody with a great and urgent problem involving a ridiculously-large amount of money?
They're usually asking if you're still alive, saying that you're owed money, or will give you some cut in helping someone recover funds.
What is phishing?
Phishing is the practice of sending e-mails to victims with the intent of tricking them into performing some action that lets the attacker steal money, take over your online accounts, or otherwise compromise your computer or your online life.
They might ask you to send them personal information, open an attachment (don't do this), visit a website (don't do this either), or simply reply (or this).
What to expect, in short
Phishing e-mails very often replicate authentic e-mails sent from legitimate services.
They'll send you an e-mail that looks identical to a Facebook friend invite, for example, and clicking on the link will take you to a website they control.
Once you try to log into Facebook on their website they have your Facebook username and password, and your account is theirs.
Other versions involve a time-sensitive situation that you need to react to right now – they say they will only be able to send you the money for a limited time before sending it to someone else, or that your account will be blocked if you don't click a link or open an attachment.
There is always some sense of urgency with these.
If you ever come across an e-mail that makes you feel pressured, be sure to triple-check its authenticity before you act.
It will probably happen to you
If you haven't received such an e-mail you probably will.
If you've ever used your e-mail address online, it's just a matter of time before it ends up in a data breach, handing phishers a known-good address to target.
Take a look over at Have I Been Pwned? (haveibeenpwned.com) to find out whether your e-mail address has turned up in a known breach; if it has, you're likely to receive spam and phishing e-mails, and you should change the password on the breached account, and on any other account where you reused that password.
Fortunately most e-mail providers have some kind of spam filter to remove the majority of phishing or otherwise junk e-mail coming your way, saving you time and potential harm in dealing with them.
Gmail and Outlook both have solid spam filters and protection mechanisms built in.
It's a numbers game
The thing about sending e-mails to random e-mail addresses is that you have no idea of whether or not those e-mail addresses are active, or if someone is even using them in the first place.
So, how do you counteract that? How do you make sure that at least someone opens your link or attachment, or hands over their hard-earned money?
Well, you send e-mails to a lot of people – as many as you can find – millions and millions of e-mails to lists of random e-mail addresses from hacked websites and other scummy sources.
If a phisher sends 300 million e-mails and gets even 1% of people to interact with it in some way, that's three million people.
1% might not seem like a lot, but it is if you send enough e-mails. Even a smaller phishing campaign of 30,000 e-mails nets 300 people's money, computers, or other personal information.
That's a lot of people's stuff any way you look at it, and that stuff is valuable to those people.
It's cheap with high-reward
A phishing attack needs very little to start up – all you need is an e-mail address, an e-mail to send, and some means of getting the user to interact with it.
Even on the more expensive side of things you're looking at maybe $10 to get a large campaign going.
If you get a single person to give you money you've already recouped your costs, and the rest is pure profit.
The thing about these attacks is that, when they are successful, they are very, very successful.
Phishing scams are big business, costing American businesses at least 500 million dollars a year.
That's 59 million chicken burritos from Chipotle with guacamole; they're living the high-life – b**** I know guac' is extra.
Identifying phishing e-mails
Take some time and head over to this website to get an idea of 15 example phishing e-mails.
This will probably be an educational eye-opener as to the depth and breadth these cover.
We'll start by covering some up-front things you can do to make yourself do a double-take and avoid most phishing attacks.
It's not all wonky techy voodoo involving human sacrifice and day-old cheese curls.
There are two things you can do to drastically reduce your chances of being phished.
Stop, collaborate, and listen
First, step back; don't take any e-mails you receive at face-value. Read those suckers as if they were being spoken to you in real-life.
If someone random walked up to you and told you that they need help moving millions of dollars and will give you a cut, what would you do?
Yeah, do that (don't comply with them!).
Trust your intuition
There's a reason you get that little funny feeling in the back of your mind when things seem too-good-to-be-true.
Remember that when things appear too-good-to-be-true, they probably are!
If anything at all makes you feel strange in an e-mail, be extra, extra careful with it.
The techy bit
Now that we've heightened your general awareness, we'll head into the foggy territory of the techy stuff.
Luckily, it still doesn't include human sacrifice or day-old cheese curls. Mind you, I quite enjoy the chew on those.
Validate the e-mail's contents
Do you even have a Paypal, Facebook, LinkedIn, or any other account that the e-mail claims to be from?
Do you know a Bob? Why would a bank in Nigeria be e-mailing you at all, when you've never dealt with them?
Even if you do, take a step back and look at the e-mail. Don't panic, don't take immediate action – look at the e-mail before doing anything.
Check the sender's e-mail address
Phishing attacks are sent from fake, look-alike, or hacked e-mail addresses, so the address behind the e-mail will usually not belong to the company it claims to be from. Look at the actual address, not just the display name: a sender can call themselves "PayPal" while the address is something else entirely.
If you've received a notification from Paypal on a recent purchase, why is it coming from email@example.com? That's not Paypal! That's a baddie!
Always check this, no matter how sure you are; it will legitimately save your a** when a phishing e-mail is particularly sneaky. Just don't treat a plausible sender as proof on its own: the From address can be forged outright, and a real account at a real company can be hacked and used to send phishing, so the links and attachments still need checking.
Check the links in the e-mail
Phishers don't use the real website when conducting their attacks – they'll send you to a hacked website, or to a look-alike domain they registered themselves, to steal your data.
This means that you can detect many phishing attacks by checking where the links in an e-mail actually go: hover over a link (or long-press it on a phone) and look at the real address, because the text of a link can say one thing while its destination is another.
If Facebook is telling you that you have a new friend request, check that the links actually go to https://www.facebook.com and not http://www.faecbook.com (see what I did there?)
If anything seems off, get out of there! Delete that e-mail, and go to Facebook directly in your web browser. If there really is a friend request, you'll see it.
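To make the two checks above concrete, here is a small Python script, added as an example for this post and not code from the original, that runs them mechanically over a constructed sample message: it pulls the real address out of the From header (ignoring the display name), compares each link's visible text with where the link actually goes, and flags look-alike domains and plain-http links. The sample e-mail, the list of "services you use" (TRUSTED_DOMAINS), and the look-alike rule are all assumptions made for the demo.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for the demo (not a real phishing e-mail): a fake "friend
# request" whose From address and first link use a look-alike domain, and whose
# link text disagrees with the link's real destination.
SAMPLE_EMAIL = """\
From: "Facebook" <notifications@faecbook.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob sent you a friend request.</p>
<p><a href="http://www.faecbook.com/login">https://www.facebook.com/friends</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p></body></html>
"""

# Assumed list of services you actually have accounts with.
TRUSTED_DOMAINS = {"facebook.com", "paypal.com", "linkedin.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule (www.facebook.com -> facebook.com); real code
    should use the public-suffix list so co.uk-style domains work."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def domain_of(text):
    """Registrable domain if text is an http(s) URL, else None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return registrable_domain(parsed.hostname)
    return None


def edit_distance(a, b):
    """Levenshtein distance (a swapped pair such as ae/ea costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain, trusted):
    """True if domain is within two edits of a trusted domain without being one.
    Deliberately loose; short domains will produce false positives."""
    return any(domain != t and edit_distance(domain, t) <= 2 for t in trusted)


def analyze(raw):
    """Run the sender and link checks on a raw message; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Sender check: judge the address, never the display name.
    name, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else None
    if sender_domain and sender_domain not in TRUSTED_DOMAINS:
        if looks_alike(sender_domain, TRUSTED_DOMAINS):
            findings.append(f"sender domain {sender_domain} looks like a trusted domain but isn't")
        else:
            findings.append(f"sender {addr} (shown as '{name}') is not a service you use")
    # Link check: visible text vs real destination, look-alike domains, plain http.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom, text_dom = domain_of(href), domain_of(text)
            if text_dom and href_dom and text_dom != href_dom:
                findings.append(f"link text says {text_dom} but goes to {href_dom}")
            if href_dom and href_dom not in TRUSTED_DOMAINS and looks_alike(href_dom, TRUSTED_DOMAINS):
                findings.append(f"link {href} uses look-alike domain {href_dom}")
            if urlparse(href).scheme == "http":
                findings.append(f"link {href} is plain http, not https")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample it reports four things: the sender domain is a near-miss for facebook.com, the first link's text claims facebook.com while its destination is faecbook.com, that destination is itself a look-alike, and the link is plain http. The look-alike test is deliberately crude and will false-positive on short names; the point is the procedure, which is the same one you do by hand: look at the address, not the display name, and at the destination, not the link text.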
A good first-line of defense
Use a reputable, respected, and known e-mail service.
These e-mail services are well-practised in detecting spam and phishing e-mails and reacting to them, saving you from many potential attacks; an attack you don't see is an attack that can't hurt you.
I recommend Outlook Premium for this – its web interface is very sexy and intuitive, and the service itself is solid. You can even use your own domain for sending e-mails!
Alternatively, Gmail's paid offerings are excellent, too. Google is attacked constantly, so they know what to look out for to protect you.