It’s Cybersecurity Awareness Month, and each week I’m focusing on a theme from the See Yourself in Cyber campaign. Last week I asked you to stop changing your passwords so often, and this week it’s time to talk about how to spot phishing attempts.
When I was a kid, my parents encouraged me to explore my neighborhood, socialize with other children, and go outside and run around. The few cautions I heard regularly were “be home before dark” and “pay attention to your surroundings.” Those are excellent guidelines to follow at any age and in any context, so this week, I encourage SecurityWatch readers to heed the second bit of advice. Pay attention to your surroundings, even when you’re online, to avoid being phished. If a message or website’s content seems a little off or suspicious, don’t click any links, don’t open any attached files, and don’t download any software.
According to Statista, the most common crime reported to the US Internet Crime Complaint Center in 2021 was phishing. Phishing lures are getting topical and sophisticated, too. Last year, cybersecurity researchers warned about the rise in phishing messages about COVID-19. In January, the FBI warned the public about hackers who are phishing victims using QR codes, and last October, criminals working for the Russian government tried to ensnare victims with phishing emails.
What Is Phishing?
Phishing is an attempt to steal victims’ data or money using a deceptive lure in the form of an email, SMS, online ad, or fake website. For example, earlier this year, the FBI warned that cybercriminals are sending out SMS fraud alerts that look like they come from financial institutions. If a victim responds to one of the messages, the fraudsters spoof the bank’s phone number, call the victim, impersonate the bank’s fraud department, and encourage the victim to transfer all their money.
Common characteristics of phishing messages include:
- Claiming to be from someone you know and trust, such as a family member or your boss.
- Impersonating a critical institution such as your bank, insurance company, or workplace.
- Requesting your financial data or personal information.
- Asking you to click links, download software, or open file attachments.
The traits above probably apply to many of the legitimate messages you receive, so how can you avoid being phished? Pay attention. If your browser alerts you about a potentially dangerous message, unsafe content, or a malicious website, heed the warning. Avoid clicking links, entering data, or downloading attachments from unknown or untrustworthy sources.
Adopt 4 Key Anti-Phishing Behaviors
To keep from getting phished, follow these tips:
- Never give away your data online. In emails, phone calls, or text messages with people you don’t know, avoid sharing usernames, passwords, government ID numbers, financial account information, birthdates, and other private information that could later be used to impersonate you. Don’t give away your email address or phone number to a website if you have doubts about the site’s legitimacy.
- Don’t confirm your password right after clicking a link in a message. If you need to log in to a website or service after clicking a link you received in a message, open a fresh browser tab or window and directly type the URL you want to log into instead. Hackers can set up fraudulent websites and collect your login credentials with ease.
- Take your time with urgent messages. Criminals often try to get victims to act quickly, so they don’t have time to realize they’re being duped. Be suspicious of anyone who asks you to respond to them or click on a link within a specific time period. Tax scams, for example, tend to have time limits attached to them.
- If a message is too good to be true, ignore it. Dating scams, financial scams, and sweepstakes scams are all common. If you receive a note saying you’ve won a contest you never entered, and you just need to click a link to claim your prize, do not engage with the sender. Instead, report the message to your email service provider and go on with your day, knowing that you defeated yet another phishing attempt.
Quiz: Spot the Phishing Scam
Google’s Jigsaw team developed a quiz to help everyone learn to spot phishing attempts. It shows visual examples of sophisticated phishing messages and asks users to determine whether they are being phished or not. You can practice hovering your mouse over links to see a real web address. You can also examine email headers and attachments, as in the screenshot below, to determine if a message is legitimate.
Enterprise software juggernaut Cisco created a phishing quiz for employees. The questions are part of a comprehensive phishing hub containing important information on why phishing works and how criminals plan their attacks.
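The two checks the quiz drills, comparing the visible link text with the real link target (what hovering reveals) and comparing the From address with the Reply-To header, can be automated for training material. This is an added example, not code from the article, Google’s quiz, or Cisco; the message, addresses, and domains are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phish): the visible link text and the From
# address say bank.example, while Reply-To and the real href point elsewhere.
SAMPLE_EML = """\
From: "Example Bank Fraud Dept" <alerts@bank.example>
Reply-To: verify@bank-example-secure.test
Subject: Urgent: confirm your account within 24 hours
Content-Type: text/html; charset=utf-8

<p>Click <a href="http://login.bank-example-secure.test/verify">https://bank.example/secure</a>
to confirm.</p>
"""

# Good enough for simple HTML mail; a production tool would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(value):
    """Lowercased host of a URL, or the domain part of an e-mail address."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def phishing_indicators(raw):
    """List the header and link mismatches a careful reader would spot."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    warnings = []
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))  # None for plain-text mail
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        shown, real = domain_of(text), domain_of(href)
        # Only fires when the visible text is itself a URL whose host differs
        # from the real target: what you see is not where you go.
        if shown and shown != real:
            warnings.append(f"Link text shows {shown} but points to {real}")
    return warnings
```

Running `phishing_indicators(SAMPLE_EML)` yields one warning for the Reply-To mismatch and one for the link whose visible address differs from its target.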
Create a Cybersecurity Toolbox
The easiest way to thwart phishing is to use the greatest tool you have: your brain. According to a 2020 survey by Statista, employees said distraction was the number one reason they clicked on a phishing link. Use your brain and focus on your online surroundings to curb future phishing attacks.
Here are some other habits that can help you avoid phishing fallout:
- Use a password manager. Check your accounts for old passwords that may be duplicates, easy to guess, or previously compromised by a data breach. Create new passwords for your accounts and store the credentials in your secure vault. Having different passwords for each account means that if a hacker gets the login information for one of your accounts, they may not have the tools to be able to impersonate you all around the web.
- Enable multi-factor authentication for your accounts. Add another layer of security to your accounts so that if one of your passwords is stolen, the attacker still needs another form of authentication to get into your accounts, such as something you have (a hardware token or cell phone, for example) or something you are (such as your fingerprint).
- Examine your browser’s settings. If you use Google Chrome, consider turning on Safe Browsing at the level of protection you want under the Privacy and Security category in the Settings menu. Safe Browsing warns you about potentially malicious downloads, extensions, and websites. You also get alerts about leaked passwords, and Google scans files before you download them from the web if you choose to enable Enhanced protection while you browse. Firefox has a similar feature called Firefox Focus.
What Else Is Happening in the Security World This Week?
The Best Google Chrome Extensions for Online Safety and Security. Surfing the web can be a security nightmare, with various threats from ad trackers to malware. These Google Chrome extensions can help keep you safe and secure.
Police in Europe Arrest Car Theft Gang That Tried to Hack Thousands of Vehicles. According to Europol, the suspects targeted keyless vehicles from two French car manufacturers.
Cybersecurity Pros Warn of Danger Ahead With Russia, China, and Beyond. An event in D.C. featured both warnings of blowback from Russia and China and optimism about growing security awareness and resilience.
How to Protect Your Smart Home From Hackers. Smart homes offer convenience but also security risks. Here’s what you can do to stop hackers from taking control of your smart speaker, thermostat, doorbell, and other connected devices.
Sorry Parents, Your Kids Think Your Online Habits Are Cringe. Both parents and children worry about online privacy and security, but they have varying views on what to do about it, according to a study from 1Password and Malwarebytes.