Phishing - can you spot a phish in your inbox?
Freeola have an article about Phishing Scams, but would you be able to tell the difference between a fake email and a real one?
Popular targets for Phishers are bank accounts, or accounts that may hold a lot of personal information about you, such as those of social networks and job sites. You may think that Freeola would never be a target for a Phishing scam, and Freeola naturally hope this will remain the case, but it’s still a possibility, as Freeola not only offer paid-for services that require payment details, but may also be the hub for your website and emails.
As you hopefully already know, Phishing is an attempt to trick you into believing that you are reading an email from a legitimate company or browsing a legitimate company’s website, with the aim of convincing you to hand over personal details about yourself or your account.
Email is a common starting point for Phishing scams, as it is a cheap and often reliable way for scammers to get you to visit their fake web sites. Despite the great methods employed to combat it, these emails can still get through to your inbox, because scammers know the payoff a successful Phishing campaign can bring them, compared with the near-zero cost and anonymity of sending email, so they are willing to go to great lengths to keep using email to go Phishing.
A generic Phishing email
Below is an example email that you might receive claiming to be from a reputable company.
Looking at the example email, what tell-tale signs highlight that this might be a Phishing attempt?
For one, the email address looks suspicious, because it seems to have come from the domain name “webnet.co.uk” and is simply using “Halifax” as a sub-domain.
Another clue should be that the email doesn’t refer to the customer by their registered name, but instead uses the generic “valued customer”, which should be a big giveaway, because it’s common knowledge that the Halifax doesn’t consider any of their customers as “valued”.
The email also asks you to respond with personal details, which is a big no-no. You’re also offered the chance to “click here” to go to the company web site, though the text of that link can easily be made to point at any web address the scammer likes.
In short, the example above should hopefully be an obvious Phishing email, because it is generic, contains no personal details about you but asks for a lot, and asks for them in an insecure manner, while also coming from an address that doesn’t appear legitimate.
Email getting personal
Below is another example email that you might receive claiming to be from a reputable company, with slight differences from the one above.
Looking at the example email above, and assuming you are called John Smith from Bristol with a Halifax Credit Card, and that you have been to London, and that you are genuinely concerned that an issue has arisen, what would be the best way to deal with this email?
It seems legitimate, it’s accurate with John’s personal details, and it seems to have come from the Halifax web domain, so it must be fine?
In actual fact, it’s still a fake, and the URL being linked to is not the Halifax web site, even though it looks like it could be legitimate.
But how could this email get so personal?
Firstly, you can fake any “from” address in an email, so even though it says it came from the Halifax, it could have come from anywhere. This would probably be highlighted if you looked deeper into the email at its “headers”, but that’s not something a lot of people do.
Another point is that the person’s email address begins with “johnsmith”, so any computer program or scammer can work out his name from it.
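The tell-tale signs from both example emails (brand name used as a sub-domain, generic greeting, a request to reply with details, and links whose text hides the real target) can be checked automatically. This is an added example, not Freeola’s code; the two messages are constructed samples modelled on the article’s descriptions, and every domain other than halifax.co.uk is assumed.

```python
import email, re
from email import policy
from urllib.parse import urlparse

BRAND = "halifax.co.uk"  # domain the sample emails claim to come from (assumed)

def registered_domain(host):
    """Crude registrable domain: halifax.webnet.co.uk -> webnet.co.uk."""
    p = host.lower().split(".")
    n = 3 if len(p) >= 3 and p[-2] in ("co", "org", "ac", "gov") else 2
    return ".".join(p[-n:])

def phish_signs(raw):
    """Return the article's tell-tale signs found in one raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(("html", "plain")).get_content()
    signs = []
    # 1. Brand name used as a sub-domain of another domain (a matching From can still be forged).
    if registered_domain(msg["From"].addresses[0].domain) != BRAND:
        signs.append("sender domain")
    # 2. Generic greeting instead of the customer's registered name.
    if "valued customer" in body.lower():
        signs.append("generic greeting")
    # 3. Asks you to reply with card or login details.
    if re.search(r"reply.{0,40}\b(password|pin|card)\b", body, re.I | re.S):
        signs.append("asks for details by email")
    # 4. Links lead off-brand, maybe behind brand-looking text (regex is enough for these samples).
    for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.S | re.I):
        host = urlparse(href).hostname or ""
        if registered_domain(host) != BRAND:
            signs.append("link to " + host)
        shown = re.search(r"[\w-]+(\.[\w-]+)+", text)  # link text that looks like a domain
        if shown and registered_domain(shown.group()) != registered_domain(host):
            signs.append("link text hides real target")
    return signs

# Constructed samples modelled on the article's two emails (not real messages).
GENERIC = """\
From: Halifax <security@halifax.webnet.co.uk>
Content-Type: text/html

<p>Dear valued customer,</p><p>Please reply with your card number and PIN,
or <a href="http://halifax.webnet.co.uk/login">click here</a> to log in.</p>
"""
PERSONAL = """\
From: Halifax <alerts@halifax.co.uk>
Content-Type: text/html

<p>Dear John Smith,</p><p>A London payment on your Halifax Credit Card needs
review: <a href="http://halifax.co.uk.example.net/verify">www.halifax.co.uk</a></p>
"""
```

The personalised message passes the sender and greeting checks, which is exactly why the link target, not the From address or the greeting, is the sign to rely on.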
The rest of the information can come from carelessness when it comes to social media.
Many people these days use social media; it’s all over the world, but what a lot of people seem to do is reveal far more information about their personal lives than they realise. The above data could have been sourced from Tweets such as “I’m going to London next Wednesday for a show” and “I hate Halifax they charge crazy fees”.
The above two tweets, combined with the person’s email address, could be the only bits of info a scammer would need to start his Phish, or, more likely, a botnet that scans and builds target profiles with the intent of trying to trick people.
How can you be sure?
In summary, email today should not be relied on as a trusted means of providing a link to any web site that holds personal details about you. The best way to ensure that you’re going to the web site of a genuine company or organisation is to know what that web address really is, and either type it into the address bar yourself or, more conveniently, add said web site to your browser bookmarks.
Then, when it comes to logging in, check that you are connected via a secure connection through your browser’s built-in methods, which usually consist of a green address bar and padlock, such as with the example below:
Smartphones also allow for secure web connections, though due to the smaller screen size it may be a little harder to spot that you’re using a secure connection. Often there are “options” or “settings” within your web browser that let you view “page information” or “site information” when you’re on a secure page, so that you can see the security certificate issued, such as the example below, which was taken from one of the many Android powered Samsung smartphones:
In the final screenshot above, the certificate is shown in a scrollable window, but the image was extended for this example.
Don’t forget, if you have your own web site hosted with Freeola, you can make use of the SSL certificate hosting to ensure any of your visitors can feel safe and secure when they’re on your site.