Phishing refers to the tactics used to trick people into giving up access to sensitive information. In the last article, we discussed tactics hackers and hacker bots use to guess passwords. Now let’s discuss the preferred method of hacking – persuading you to provide all of your sensitive information willingly.
Phishing begins by baiting you to respond to an inquiry and provide your banking information, credit card info, Social Security number, or other personal information. The hacker begins by casting out the bait and seeing who bites.
Urgent! Fraudulent activity has been detected on your account. Click here to login and see the charges.
Bank of America
Upon visiting the site, you have to enter your username and password – and possibly your account number or other information that could be used for identity theft.
Some of these notices can be very sophisticated and look authentic. The link provided will go to a website that is a replica of what you would see at a Bank of America website. You may have gotten these notices. In fact, you probably get warnings and phishing scams from banks and other companies that you have never done business with.
Here are some tips to avoid getting hacked.
Tip 1. Secure information is not handled through email.
Your bank will never send a security request or legal notice via email. Email is one of the least secure methods of communication. My bank does give me the option of getting alerts, but these are just that – personal alerts. I am notified if there are any internet purchases made on my account. I’m notified if my balance drops below a certain amount. I’m also signed up for daily balance alerts. This way I’m never caught off guard. Though I get alerts, never does an alert contain secure information or a request for secure information.
A bank will NOT send you a request for personal information over email.
Tip 2. Never click the link sent in an email if there is any suspicion.
If you get a message from your bank, and you feel compelled to respond, open up a new browser window and manually type in your bank’s URL. Then you know where you are going.
The URL you see in a message isn’t necessarily the link behind it. For example, “Click here to login to bankofamerica.com” looks like it should go to Bank of America, but it doesn’t. It directs you to my website. The hacker is banking on the fact that you will not pay attention to the actual link, but will trust the email. To make it more difficult to know where you are being directed, the hacker uses a URL shortener. So the site link behind the visible hotlink may be something like http://xlh7.0cm.
If you manually type in the address, you will be safe. If your account indeed has an alert, you can visit your account and find the notice.
Tip 3. You didn’t win the money.
In the last year, I’ve won the European lottery multiple times, the UK lottery, had an old dying missionary choose me as the one worthy to receive money to continue on their work, been identified by the director of the FBI as the rightful owner of confiscated money, and even discovered that there is an African king named Eddie Snipes that is losing power and wants to transfer his money to the US. Wow! I didn’t know Snipes was an African name. But at least I’m rich!
Greed is a powerful bait. I often wonder why these people bother with pointless and obvious scams. But then I hear a news story about someone who had their account sapped dry and realize that there are people who can be lured in. I watched a news story where a woman lost her life savings. Her words say it all. “Deep down I knew it was a scam,” she said into the camera. “But the money sounded so good and the story was so compelling that I ignored my instincts and gave my account number.”
When your gut-check sounds the alarm, don’t ignore it.
Tip 4. Verify everything – and everyone.
I received a Facebook email explaining a tough spot an old friend from school was in. I had known this guy since second grade. Just as I finished reading it, a chat popped up.
The chatter had written, “I was traveling in London and I got robbed. They took everything I own and I just need the money to get a ticket home.”
How sad. But I was touched that ole Mike thought of me first when he was in a pinch. One thing did amaze me, though. If he lost everything, how did he get internet access? Did a good Samaritan give him a laptop and a gift card at the local internet café?
I decided to probe Mike’s memory.
Did something I say offend poor Mike? Maybe he had traumatic memories from elementary school. Just asking for the name of the school sent such a wave of grief through cyberspace that it knocked out Mike’s internet connection.
Never trust the person on the other end until you can positively verify who they are. Contacting their family in their known location might be a good starting place. Especially if I call and Mike answers. My conversation would be something like, “Hey Mike. I didn’t know you could be in London and Georgia at the same time. Perhaps you better read my article on good password security.”
This verification goes for friends in need, and ministries in need. Christians have a lot of natural compassion. Thieves play on that fact. The person claiming to be a pastor of 10 churches in South Africa is usually just a scammer in Nigeria. Support ministries and help people, but don’t donate to thieves in internet cafés posing as ministers and friends in need. Chances are, if Western Union is involved, it’s not a real ministry.
Tip 5. Don’t click on strange links.
If you get an email that has only a web URL and nothing else, don’t click it. Why would Uncle Bob send me an email with just a link? No words, no thoughts, not even a ‘haha’. By the way, don’t click on a link that only has a message that says, ‘haha’, either.
Bad grammar is a dead giveaway. Most scam artists are in foreign countries. (Do these really qualify as artists?) The reason is that it is extremely difficult to prosecute a foreign scammer. No, that’s not right. It is impossible to prosecute a foreign scammer. The only exception would be if the heist was in the millions. Your bank and the Justice Department simply won’t go after a small time thief. Especially if that thief hides behind an international border.
This is why grammar is a good tool for detecting fraud. Grammatical mistakes, spelling errors, and incoherent phrases are strong clues that you are not dealing with a legitimate business. Someone who is using a translating program such as babelfish.yahoo.com that translates from Chinese to English may come up with something like this:
Has deceit activity which finds out in yours account.
In most circumstances, the translation won’t be that bad, but even someone who is fluent in English will have unnatural sounding translations. This is because each language has its own grammar rules, which sound natural in that language but not in others.
Tip 6. Never click ‘OK’ unless you know for certain it’s okay.
Up to this point, we’ve focused on incoming emails, but you need to be on guard while browsing as well.
When searching for information on the web, you may encounter a popup that says something like, “A virus has been detected on your computer. Click OK to clean.” The notice looks like an authentic scanner, and as it performs the fake scan, it will begin showing a number of errors and viruses the fake scanner has detected. If you click ‘OK’, you are giving permission to a webpage to install software on your computer. This is a Trojan. The Trojan may serve one or more functions, such as logging keystrokes and sending them back to a server. These are then used to capture personal information and passwords. Trojans may send browsing history back to a server for marketing research. They could also be used to send advertisements to your email contacts. I’ve even seen Trojans that intercept Google searches and display a screen that advertises affiliate websites as though they were search results.
Trojans use temptation and curiosity to persuade you to install them. The unsuspecting computer user clicks to protect their computer from a virus infection only to find out the protection is the virus. If you get a virus notice from a website, click the ‘x’ in the top corner of the window.
The old trick, “Look at the embarrassing video someone posted of you,” is a common lure. To see the video, you have to install the website’s free video player. That video player is the Trojan. Don’t click okay.
Hackers will never stop looking for ways to fool you into installing their software, sending them your personal information, or luring you to an imposter website where you are asked to enter your information. These lures come in the form of cheap loan rates, contests, bank alerts, and any number of other scams. The key to not becoming the next victim is to stop and evaluate before clicking or providing information. Make certain the site is a trusted site. If the menu bar and status bar of your web browser are hidden, be very concerned. They probably don’t want you to see what URL you are visiting. Even legitimate businesses are sometimes hacked and users redirected to fraudulent sites. However, it’s usually not possible to make the fraud completely seamless. Anytime you are redirected, look around for anything suspicious.
Be alert and be secure.