Gone Phishing…

One of the things we warn our clients about is “social engineering.”  With the array of anti-virus, anti-spam, and anti-malware programs on the market, the bad guys have been forced to get sneakier.  Social engineering is all about getting you, the user, to perform some action which provides the bad guys with what they want – your private information, credit card numbers, etc.  Some programs that you use every day do their best to protect you from social engineering.  Many anti-virus vendors, for instance, now have some sort of application built in to prevent you from going to sites which are known to be malicious.  Even Internet Explorer has built-in protection against suspicious websites and “phishing” sites.  The problem is, these sites are very easy to set up, and most of the software designed to protect you works from a list.  Sites you visit are compared against a list of “known dangerous” sites.  But until the site is discovered and confirmed dangerous, it doesn’t appear in the list.  This means you can become a victim.  The only way to protect yourself is to be on guard at all times for suspicious activity.  The Internet is like a city – there are good neighborhoods and bad, and it’s important not to walk down any dark alleys by yourself!

The term phishing refers to bad guys literally fishing for your information.  They throw their bait into the water and wait for a nibble.  In most cases, the bait is an e-mail designed to look like an e-mail coming from a legitimate institution, such as your bank or Paypal.com.  They may try to phish for a username/password combination by sending you to a site that looks like it’s the real website affiliated with your institution, when in reality, it is a fake site designed to do nothing more than “harvest” your information.  They may even cast their net wider, phishing for your social security number, bank account, etc.

How do they do this?  Let’s see an example:

Please click here to be re-directed to Paypal.com.

The link above says it should take you to Paypal.com.  But, in fact, I have set it to re-direct you to our company’s main website.  If I were malicious and trying to get information from you, I could direct you to a page that looks like the main Paypal page, where you would be able to type in your username and password.  If I set that page up and controlled it, when you typed in your username and password, I would have that information before you even knew anything was wrong.

It can be hard to tell when an e-mail is legitimate and when it is fake, which is why the best course of action is to always go to the site directly, rather than using links in an e-mail.  If, for instance, you get an e-mail saying there is something wrong with your Paypal account, log in to Paypal directly by typing the address yourself.  That way, you know that you are visiting the real Paypal.

Want to see how tricky it can be?  I found this test today, which is the whole reason for this blog post.  This test is from SonicWall, a leader in Internet protection (and a company that we have partnered with to provide security services to our clients).  And yes, the link is safe to click on.  It runs you through ten sample e-mails and lets you choose whether they are legitimate or a phishing attack.  I scored a 9/10.  Even experts make mistakes sometimes!  As you can see, some of the e-mails in this quiz do look legitimate.  See how well you do.  And, when you are done, click the “Why?” links on any that you missed to see the explanations and cues to look for to protect yourself.  Because, whether you realize it or not, you’re taking this quiz every time you open an e-mail.  In most cases, the stakes are much higher than whether or not you can beat my score!

Hint:  Hold your mouse over one of the links in this blog post.  When you do, look at the bottom of the screen.  You should be able to see the address to which the link points.  (This varies from browser to browser, but if you don’t see it, you may need to turn on a status toolbar so that you can.  This is your best secondary defense.  The primary defense, again, is to go to sites directly.)  This will come in handy during the quiz, as they show you the address the link is pointing to at the bottom of the screen.  Good luck!