By Andrew Whitaker
When I was ten my parents sent me to summer camp. Unfortunately, I was one of those kids who always found myself hanging out with the “wrong crowd”. At summer camp I made a friend named Jacob who taught me how to pickpocket. So, while other kids were learning to weave baskets, we were walking around practicing our wallet-stealing skills. It was a futile effort, as ten-year-old kids don’t often carry wallets and, if they do, it is usually to store Garbage Pail Kids trading cards and not money.
Luckily, I grew out of that summer hobby. I often wonder if Jacob is still pickpocketing today. If he was clever though, he would have learned by now that there is a much easier way to steal a wallet. Can you guess the easiest way to steal a wallet? It is by simply asking for it.
The easiest way to steal someone’s money is to scam someone into giving it to you freely. This is why multilevel marketing scams, Ponzi schemes, and fake charities are far more dangerous than a thief trying to pickpocket you. These scams trick people into giving money, often for long periods of time, and in large amounts.
In the same way, the easiest way to get your password is not a sophisticated hack. It is not even guessing. It is much easier than that. It is tricking you into giving up your password through a phishing scam.
A phishing scam is when a hacker spoofs an email to appear legitimate and attempts to trick someone into giving up a username and password. Common approaches include pretending to be someone high-up in your company, IT support staff, an online gift or greeting card, or a shipping company with an important message. All of them will, in one fashion or another, attempt to trick you into clicking on a link that takes you to a website requesting you to enter your username and password. In other words, phishing is throwing out bait and hoping you fall for it. It is like fishing, except with a ‘ph’, because security professionals think changing an ‘f’ to ‘ph’ is cool (yah, I don’t get it either).
Here are three quick tips to protect yourself from phishing attacks:
- Do not click on links from people you do not know. Remember that saying your parents taught you, “Don’t take candy from strangers.” Hackers will often hide the real address of a malicious website by disguising it in an email as a link that looks legitimate. I’ll spare you the technical details, but it’s as easy as slipping on your costume for your neighborhood Halloween party. Not hard to disguise, but it masks the real identity. If you receive such an email at work, contact your security team. If at home, one quick tip is to hover your mouse cursor over the link and, after a second or two, you should see the real website address appear either next to the link in the email or at the bottom of the browser window (your mileage may vary; this does not work with every email client). If the link looks suspicious in any way, such as a series of random characters, do not click on it.
*As a quick side note, pay special attention to random text messages with links. This is a common technique today, as people are often far more likely to click on a link on their cell phone than on their computer. If you receive a text message from someone you do not know, and it contains a link, do not click on it. Delete it. And be sure to high-five yourself afterward, knowing you were not tricked by the foolish hacker.
- Grammar counts. Many phishing emails use poor grammar, have misspelled words, and even use uncommon fonts. Sure, it may be a sign of the hacker using English as a second language, but in the days of spellcheck and grammar check, there is no excuse for poor grammar and spelling in phishing emails. Many email clients will even show you those squiggly red lines underneath words that are not recognized. Are hackers so dumb that they do not know how to write a grammatically correct email? Are they so lazy that they ignore those red squiggly lines letting them know that a word is misspelled, or a sentence is not using proper grammar? I’m going to let you in on a secret: the misspelled words and poor grammar found in many phishing emails are often intentional. The general theory is this: if a person is willing to fall for an obvious fake email, despite numerous clues like poor grammar and spelling, then that person is highly susceptible not only to being scammed, but to being scammed repeatedly and not reporting it.
- Remember this saying: “you are a target.” The majority of hackers are opportunists. It is a numbers game. If they cast a wide enough net, they will catch someone with their phishing scam. In the City of Seattle, over half of all email sent to the City is spam or phishing that is, luckily, blocked before it even enters our network. There are others that are just sneaky enough to get past our protections, and when they do, we have staff dedicated to detecting, removing, and blocking those emails before they impact City employees. These emails use similar tactics, asking employees to click a link and enter credentials to access a file or a message that is “urgent”. The senders don’t care who falls for it; they are playing the numbers game. Remember, you and I are targeted just like everyone else. That does not mean we have to be paranoid, but if you remember that most hackers are looking for targets of opportunity, then you can approach technology in a safe and secure manner. You’ve probably heard of the importance of being ‘street smart’; well, think of this as being ‘digitally smart’.
Director of Security, Risk, and Compliance Andrew Whitaker leads information assurance, security operations, regulatory compliance, and IT policy across all City departments. His cybersecurity specialties include building lean security programs, integrating security into business processes, intelligence-driven threat modeling, and security awareness and training.
He has over 20 years of experience in both the public and private sector, leading consulting services for defense, federal, and intelligence agencies, all branches of the US military, and over a third of the Fortune 500 companies.