Wednesday, June 29, 2016

A Complete Guide to Protecting Against Phishing Emails

The term "phishing" refers to fraudulent methods of obtaining personal information. There are a number of phishing methods that fraudsters employ, the most common being by email. Phishing emails are designed to look as though they come from legitimate companies, often banks and credit card companies, with the aim of tricking you into entering personal information such as:

  • Online bank details 
  • User names 
  • Passwords 
  • Personal Identification Numbers 
  • Social Security Numbers 

Phishing emails often look very realistic at first glance; they can contain perfectly duplicated logos and even some genuine links to the company's website in an attempt to further convince you that the communication is real. However, the link you click on to enter information will take you to an imitation of the real site (a spoofed or "lookalike" website, hosted on a domain the criminals control) or to a pop-up window, and you'll send all your sensitive information and passwords straight into the hands of cyber-criminals. (This is distinct from "pharming", where DNS or your computer's host settings are tampered with so that even a correctly typed address resolves to the fake site.) You'll often see scare tactics used with phishing emails, stating that an account will be closed unless information is updated, or that there has been unauthorized access to one of your accounts so a password change is required. Once you click on the link and enter the information the criminals have it all - this one mistake could end up costing you months of heartache and frustration, thousands of dollars and your good credit. High-profile payment and e-commerce brands such as Amazon, PayPal, and eBay have historically been prime targets of phishing scams. Recently however, social networks have also been targeted with phishing emails purporting to be from Facebook, WhatsApp and Google Plus; these mostly contain malicious links aimed at your login details and your contacts list, which is then used for spamming.

Phishing is generally thought of as a modern phenomenon; in fact, the first successful phishing scams date back to the mid-1990s, when scammers on AOL posed as staff to talk users out of their passwords and billing details. There's a reason they're still around today and getting more sophisticated - unfortunately they're big earners for criminals. Published estimates suggest that over half of internet users receive at least one phishing email a day, out of a worldwide spam volume of over 100 billion messages every day. The Anti-Phishing Working Group estimates that around 5% of adults within the United States are tricked into responding to scam emails, costing over five hundred million dollars per year.
It's not just individuals who are targeted; companies both large and small have also fallen prey to phishing emails, leading to huge data breaches and devastating financial consequences. Luckily there are steps you can take to avoid being scammed. Read on for essential tips to protect yourself and your private information.

#1 Recognize common characteristics of scam emails

Phishing emails tend to share some common characteristics that can help you identify them. These aren't conclusive though, so further investigation will be required. Look out for:

Generic greeting - If the email starts with Dear Customer or Dear Sir/Madam, this should be an immediate red flag. Most high-profile businesses will personalize emails with your name and, sometimes, part of your account number.

Poor grammar and spelling - phishing emails usually contain multiple spelling and grammatical errors.

Alarming - Phishing emails will try to shock you into taking immediate action by telling you your account or password has been compromised, or that your account will be suspended if something isn't done.

Unknown sender - never click on a link or download files or attachments from an unknown source. They could contain viruses or other malware. Check the actual sender address, not just the display name; a display name of "PayPal" can sit in front of any address at all.

A company you've never done business with - phishing emails are sent to thousands of people, in the hopes that a few will fall for it - so if you receive an email asking you to reset a password for a company you've never dealt with, it's a scam.

Bear in mind that the absence of these signs proves nothing. Targeted ("spear phishing") emails are written carefully, address you by name and may mention real colleagues or recent transactions, so the checks in the following sections still apply.

#2 Never click on an email link to enter sensitive information

Always go to your bank's website to enter information or update passwords. Don't follow any links provided in an email - type the bank's address into the browser's address bar (not a search box, where a sponsored result for a lookalike site can appear above the real one) or use a bookmark that you have previously created. A password manager helps here too: it will only fill your saved login on the exact domain it was saved for, so a lookalike domain gets nothing. Banks and other financial companies will never ask you to enter personal information through an email; they will always ask you to log in on their secure website.

#3 Exercise extreme caution with pop-up windows

Pop-up windows can appear to be part of a trusted website, but a pop-up or overlay can just as easily be drawn by a malicious page or by a script injected into a compromised one, and its appearance tells you nothing about who controls it. Never enter any personal details into a pop-up window. If one appears unexpectedly, close it using the browser's own window controls or keyboard shortcut (Ctrl+W on Windows and Linux, Cmd+W on a Mac) - do not click anything inside the pop-up, including its own "close" or "cancel" buttons, because those are just page content and can trigger a download of malware or viruses. Keep your browser's pop-up blocker switched on; all major browsers block unsolicited pop-ups by default.

#4 Hover your mouse over links to check they're genuine

The only links you should click on are on trusted websites or links that you're expecting, such as a confirmation link. Even then, you should check they're genuine, because the text of a link and its real destination are independent: an email can display https://www.yourbank.com while the underlying link points somewhere else entirely. Hovering your cursor over the link (without clicking) shows the real destination in the browser's or mail client's status bar. Read the domain carefully: it is the part between "https://" and the next single "/", read from the right. Criminals put the brand name in front of their own domain, so a link to yourbank.com.secure-login.example goes to secure-login.example, not to your bank. On a phone there is no hover; a long press on the link shows the destination instead.
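The checks from #1 and #4 can be automated. Below is an added example in Python, written for this article and not code from the original post, that scans a constructed sample email body for a generic greeting, urgency phrases, and links whose real destination doesn't match either the displayed text or the company the email claims to be from. The brand domain (paypal.com), the phrase lists and the sample message are assumptions for illustration; the two-label "registrable domain" shortcut should be replaced with a public-suffix list in real use.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the message claims to come from PayPal, so this is the domain
# every link in it should really lead to.
EXPECTED_BRAND_DOMAIN = "paypal.com"

# Constructed sample (not a real message): the HTML body of a phishing email.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear Customer,</p>
<p>We detected unauthorized access to your account. Your account will be suspended
unless you verify your account within 24 hours.</p>
<p><a href="http://paypal.com.secure-verify.example/login">https://www.paypal.com/signin</a></p>
<p>Questions? Visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>
</body></html>"""

GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear user", "dear valued member")
URGENCY_PHRASES = ("unauthorized access", "account will be suspended",
                   "verify your account", "within 24 hours")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'paypal.com.evil.example' -> 'evil.example'.
    Simplification for illustration: real code should consult a public-suffix list
    so that names like 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, brand_domain):
    """Return the reasons a link looks suspicious; an empty list means no finding."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return [f"unusual scheme or missing host: {href!r}"]

    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("target is a bare IP address, not a company domain")
    elif registrable_domain(host) != brand_domain:
        reasons.append(f"target domain {registrable_domain(host)} is not under {brand_domain}")
        if brand_domain in host:
            # e.g. paypal.com.secure-verify.example: the brand is only a subdomain label
            reasons.append(f"'{brand_domain}' is embedded in the host to look genuine")

    # If the visible text is itself a URL, it must agree with the real target.
    if re.match(r"https?://", text, re.IGNORECASE):
        shown_host = (urlparse(text).hostname or "").lower()
        if shown_host != host:
            reasons.append(f"displayed URL host {shown_host} differs from real target {host}")
    return reasons


def analyse_email(html, brand_domain):
    """Apply the checks from #1 and #4 to an email body and return the findings."""
    lower = html.lower()
    parser = LinkExtractor()
    parser.feed(html)
    return {
        "generic_greeting": next((g for g in GENERIC_GREETINGS if g in lower), None),
        "urgency_phrases": [p for p in URGENCY_PHRASES if p in lower],
        "link_findings": {href: check_link(href, text, brand_domain)
                          for href, text in parser.links},
    }


if __name__ == "__main__":
    result = analyse_email(SAMPLE_EMAIL_HTML, EXPECTED_BRAND_DOMAIN)
    print("generic greeting:", result["generic_greeting"])
    print("urgency phrases :", result["urgency_phrases"])
    for href, reasons in result["link_findings"].items():
        print(href, "->", reasons or "looks consistent")
```

Run against the sample, the genuine "Help Center" link produces no findings, which is exactly the mix the article warns about: a real link placed alongside the poisoned one to make the message look authentic. The login link is flagged three times over (wrong registrable domain, brand name embedded as a subdomain, displayed URL disagreeing with the real target).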

#5 Check websites are secure before entering any details

Is "https://" visible in the website's address bar with a padlock? The "s" at the end of http means secure: the connection is encrypted, so information you send can't be read in transit. But that is all it guarantees. A padlock means the browser verified a certificate for the domain shown in the address bar - and criminals can obtain a perfectly valid certificate for their own lookalike domain, so many phishing sites show a padlock too. (Browsers no longer colour the padlock green, so don't rely on colour either.) What you need to check is the domain itself. Click the padlock to view the certificate and confirm that the name it was issued to is the company's own domain, not merely a domain that contains the company's name. If the name on the certificate is different, don't enter any information and exit the site. Contact the company directly if you can't verify this certificate.
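To make the difference between "encrypted" and "genuine" concrete, here is an added example in Python, written for this article and not code from the original post. It reimplements the host-name check a browser performs before it shows a padlock, using the same dictionary shape that Python's ssl.getpeercert() returns, and runs it against two constructed certificates: one for a fictional bank, examplebank.com, and one for a lookalike phishing domain. Both domain names are assumptions for illustration; the live_cert helper needs a network connection and is not used by the offline demonstration.

```python
import socket
import ssl

# Certificates in the dictionary shape that ssl.getpeercert() returns.
# Both are constructed for illustration, not real certificates.
BANK_CERT = {
    "subject": ((("commonName", "www.examplebank.com"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"),
                       ("DNS", "examplebank.com"),
                       ("DNS", "*.examplebank.com")),
}
# A phishing site's certificate: perfectly valid and freely issued, but for the wrong name.
PHISHING_CERT = {
    "subject": ((("commonName", "examplebank.com.secure-login.example"),),),
    "subjectAltName": (("DNS", "examplebank.com.secure-login.example"),),
}


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a single leading '*' stands
    for exactly one label, so *.examplebank.com covers online.examplebank.com but
    neither examplebank.com nor a.b.examplebank.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # only a whole leftmost label may be a wildcard
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_names(cert):
    """Host names the certificate was issued for. Browsers use subjectAltName;
    the subject commonName is only a legacy fallback when no SAN is present."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def cert_matches_hostname(cert, hostname):
    """What the browser checks before it shows a padlock."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def verify_site(cert, address_bar_host, expected_domain):
    """Separates what the padlock proves from what only you can check.
    'padlock': the certificate is for the host in the address bar.
    'is_expected_site': that host actually belongs to the company you meant to visit."""
    host = address_bar_host.lower().rstrip(".")
    return {
        "padlock": cert_matches_hostname(cert, host),
        "is_expected_site": host == expected_domain or host.endswith("." + expected_domain),
    }


def live_cert(host, port=443):
    """Fetch a real server's certificate for inspection (needs network; not used offline)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(verify_site(BANK_CERT, "www.examplebank.com", "examplebank.com"))
    # {'padlock': True, 'is_expected_site': True}
    print(verify_site(PHISHING_CERT, "examplebank.com.secure-login.example", "examplebank.com"))
    # {'padlock': True, 'is_expected_site': False}  <- a padlock, but not your bank
```

The second result is the whole point of #5: the phishing site passes the browser's certificate check, so it gets a padlock, and the only thing that distinguishes it is the domain in the address bar.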

#6 Install firewalls on your computer and ensure all anti-virus and malware protection are kept up to date

Firewalls and a good anti-virus program are not a defence against the phishing email itself - nothing stops you typing your password into a convincing fake form - but they limit the damage when a phishing email carries a malicious attachment or a link to a drive-by download. For maximum protection use both a network firewall and a desktop firewall. These defend your computer and network from possible intrusion and from malware trying to connect back out. Keep all hardware, software and web browsers fully updated, since malware delivered by phishing commonly relies on vulnerabilities that have already been patched.

#7 Use your web browser to help identify fraudulent websites

Most well-known browsers can block known fake websites which may be trying to extract your personal information, or infect your device with malware. In Chrome and Firefox this is Google's Safe Browsing service; Safari has its own fraudulent-website warning. The exact menu names move around between versions, but at the time of writing they were -

Google Chrome - Click on "Preferences" then "Show Advanced Settings" (at the bottom of the page.) Within the Privacy section you'll see a box marked "protect you and your device from dangerous sites" - check this box. You'll now get an immediate warning if you accidentally try to enter a dangerous website.

Safari: Within your "Preferences" section, under "Security," select the box marked "fraudulent sites - warn me when visiting a fraudulent site"

Firefox: Click on "Preferences" then "Privacy" and "Security." You'll notice a box marked "warn when visiting a fraudulent site" - check this box. You should also check the box marked "block reported web forgeries."

These protections work from blocklists of reported sites, so a phishing site set up an hour ago may not be flagged yet. Take a warning seriously, but don't read the absence of one as a clean bill of health.

It's important to keep your browser updated, as vital security patches and bug fixes that are essential for keeping you safe from hackers are often contained within updates.

#8 Never email personal information to anyone without PGP

Even if you know and trust the person you're sending it to, emailing unencrypted personal information isn't a good idea. A plain email is readable by every mail server that relays it and then sits in both mailboxes in clear text, so you have no way of knowing who else can see it once you hit the send button. If there's no way to avoid using email, ensure you are both using PGP encryption. Each of you publishes a public key and keeps the matching private key; a message encrypted with the recipient's public key can only be decrypted by their private key. Check the key's fingerprint with the recipient over another channel before you use it, otherwise you may be encrypting to a key a phisher sent you. Note also that PGP protects the message body and attachments only, not the subject line or the sender and recipient addresses.

#9 Check privacy policies

Before you sign up to a website, check their privacy policy. If they state that they sell users' details, think again before signing up. Your email address could end up in the hands of spammers and phishers.

#10 If you have any doubts about emails you've received, call the company in question

If you receive emails asking you to take actions that you aren't sure about, call the company and ask. They'll be able to tell you whether the communication is genuine. Don't use contact numbers provided in the email; either go to the company's website to obtain the number, use the one printed on the back of your card, or use one you have previously stored.

#11 Check bank statements regularly

Check bank statements and online banking records regularly for suspicious transactions; the sooner fraud is spotted, the easier it is to reverse. If your bank offers transaction alerts by text message or app notification, turn them on. If you see any transactions you aren't familiar with, contact your bank. They'll be able to block the card or account and stop further transactions immediately.

Email phishing scams are increasingly hard to detect and can end up having long-lasting consequences for their victims. Pay close attention whenever an email asks for personal information, especially if it appears to be from a financial institution, such as your bank or credit card company; they will never ask for your information in this way.

  • Look out for immediate red flags - a generic greeting, poor spelling and demands for immediate action are strong indications it's a scam, though their absence proves nothing. 
  • Ensure you're fully protected with a firewall and anti-spam, anti-malware and anti-spyware software. It's essential to keep these up to date for full protection. 
  • Your web browser should also be updated regularly. Be aware of where you are entering information - check the domain in the address bar, not just the padlock, and make sure the certificate was issued to the company's own domain. 
  • It's also a good idea to be aware of what your email address will be used for when you sign up for a service - personal details are often sold on, resulting in you receiving increased amounts of spam and phishing emails. 
  • It's always a good idea to contact the company directly if you're unsure whether an email you've received is legitimate, and to contact your bank straight away if you notice the slightest financial irregularity. 

All it takes is a little knowledge, planning and awareness to stay one step ahead of the phishers, and keep your bank accounts and information protected.
