Have you ever received an email from Amazon, PayPal, Blizzard, or another trusted organization saying they need you to verify your information? What about emails from a Nigerian prince? Or maybe you’ve been the lucky winner of an iPad and you just have to send them your name, date of birth, credit card number, Social Security number, mother’s maiden name, and the blood of your firstborn child.
These phishing scams are an ever-increasing and (to those who know what they are looking for) blatantly obvious attempt to steal your personally identifiable information (PII). The scary part is that according to Google, they are effective 45% of the time.
It’s pretty straightforward. The e-mail looks official and might even include a warning about how failure to comply will result in your account being locked or something equally scary. Given that it is tax season, I’ll warn you now about one where someone calls claiming to be the IRS and will demand the money you “owe” immediately or they will call the authorities. I’m going to come back to this example in a bit.
This is all a form of social engineering, and, as stated above, it can be brutally effective. Social engineering, according to Wikipedia, is “the psychological manipulation of people into performing actions or divulging confidential information.” Strangers on the internet lying to get your money. Or worse.
Another form of this is “Microsoft” calling you and telling you that they found a virus on your computer, and they need to remote in and remove the “virus.” By following their instructions, you’ve just allowed them to install malware that has a keylogger on it. Now they can track where you go on the internet, what your usernames and passwords are, your credit/debit card numbers, and anything else they can use to steal your identity and cause you a financial headache.
(Funnily enough, we as an IT company get these once in a while. I can’t officially say that you should mess with them, but if you want to entertain yourself for 15 minutes or so, get a Linux VM going and then explain to them why you can’t download the software.)
As I mentioned above, tax season brings one variation of phishing where you get a phone call from the “IRS.” They say you owe them X amount of money and that you need to pay immediately or they will call the authorities for failure to pay. The person making the phone call is preying on your emotional fear that owing money to the IRS is a bad thing. The thing to remember here is the IRS will not call demanding money. There is an entire page on their website on how to (or how not to) respond to these scam attempts.
So how do you know if someone is actually trying to get your information for legitimate reasons? Well, the short answer is, they probably won’t in the first place. Remember that no legitimate member of any organization will ever ask for your password. Not even our techs here at Green House Data.
The key is to look out for anything suspicious. Does the URL look odd? Maybe it says http://paypa1.com and it’s asking you to put in your password and user name without looking like the PayPal website. Never click a link you are not 100% sure about, and don’t just type your user name and password into any field on the internet that asks for it. PayPal also has a fraud report process. While it might not have much of a result, reporting fraudulent e-mails can at least help you curb the amount of spam you receive.
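The "does the URL look odd?" check can be partly automated on the defender's side, for example in a mail filter or a link-preview tool. The Python code below is an added example, not part of the original post; the trusted-domain list, the digit-swap table, and the function names are assumptions chosen for illustration, and Unicode homoglyphs are not covered.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration; use your organization's own list.
TRUSTED = ("paypal.com", "amazon.com", "irs.gov")
# Common digit-for-letter swaps seen in lookalike domains (not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike:<domain>' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(host == g or host.endswith("." + g) for g in TRUSTED):
        return "trusted"
    for good in TRUSTED:
        # Trusted name used only as a left-hand label, e.g. paypal.com.evil.example
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return f"lookalike:{good}"
    # Compare the last two labels with digit swaps undone and one typo allowed.
    base = ".".join(host.split(".")[-2:])
    normalized = base.translate(CONFUSABLES)
    for good in TRUSTED:
        if normalized == good or edit_distance(base, good) == 1:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; .example is a reserved TLD.
    for url in ("http://paypa1.com/login", "https://www.paypal.com/signin",
                "https://paypal.com.account-verify.example/"):
        print(url, "->", check_link(url))
```

An "unknown" result only means the host resembles nothing on the allowlist; it says nothing about whether the site is safe.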
Again, scammers are counting on your blind trust that they are who they say they are, or using outright fear tactics because no one wants to deal with the IRS, have PayPal shut your service down, or have to clean up a virus — all types of phishing strategies. Always remain aware when clicking on any links, opening attachments, or replying to e-mails from unexpected sources. Being hyper aware of anything that looks even remotely odd can keep you from getting annoying popups, keep your information safe, and even keep you from getting a nasty cryptoinfection.
Posted by: GSC Team Lead Andrew Long