Phishing: Think Before You Click

Phishing is pretty much exactly what it sounds like. Someone puts bait on a line and dangles it in front of you, waiting for a bite. Every time I hear the term “phishing,” I’m reminded of a scene in the Pixar film Finding Nemo. Dory and Marlin are transfixed by a shiny little creature down in the dark trench and play with it, until they realize that their shiny little friend is an anglerfish intent on eating them alive. Phishing e-mails work on the same principle. The sender presents something that looks legitimate and enticing, hoping to find a Dory who will take the bait. These e-mails take many forms, from the easily recognizable (think of our old friend the Nigerian Prince, who promised millions of dollars to anyone who would just send him their bank details) to the slick and sophisticated.

If you check your spam folder, you’re likely to see plenty of the unsophisticated attempts: e-mails from supposed online dating sites asking for a reply, messages about an inheritance from a long-lost relative in a remote country, notices that you have won a great prize in the latest sweepstakes, all with questionable grammar and laughable claims. They are mass mailings sent in the hope that a handful of unsuspecting people will click and follow through. Because they follow a formula and nearly everyone receives them at some point, they are easy to recognize. It is the truly sophisticated messages that are harder to filter out.

More sophisticated phishing can look like a completely legitimate message. Attackers often dress up their e-mails with real company logos, addresses and footers so that they appear to come from a real organization. The sender information can look legitimate too, for example “support@genericbank.com,” or the message may show only a display name such as “Generic Bank Support,” with the actual address hidden behind it. Keep in mind that the address shown in the From line is just text the sender chose; it can be forged outright, so a familiar-looking address proves nothing on its own. And that’s the point: if you received an e-mail from xyz@imathief.com, would you click it? I hope not. The logo and the friendly sender name are the anglerfish’s shiny bulb. It looks beautiful, it looks real, and we are comforted by seeing our bank’s logo on the e-mail and the web page. If it has the company logo, it must be okay, right? Not necessarily.

The appearance of legitimacy is meant to make people let their guard down. Then comes the message itself. Many of these e-mails are addressed to a vague general group; “Dear member” or “Dear customer” is common in mass mailings sent out to see who takes the bait, because the sender does not actually know your name. The message may ask you to click a link to “confirm account information,” often with a deadline, urging you to act within 24 to 48 hours or else. Real banks take their security seriously: you may have to enter a password and then a one-time code, or answer security questions, before you can reach your account. But a bank will never send an e-mail asking for your password. If you want to check on your account, type the bank’s address into your browser yourself instead of following the link in the message.

If there is a link in an e-mail, it is worth taking a closer look at where it actually leads. Hover your cursor over the link (without clicking!) and look at the address your mail client shows. Does it match the text of the link? Is it a site you know? The text you can see and the destination underneath it are two separate things, and the sender controls both. If the destination is somewhere you would not expect, a misspelled company name, for instance, or the bank’s name tucked in front of some other domain (an address like www.genericbank.com.some-other-site.com belongs to some-other-site.com, not to your bank), it is likely bait. Make sure you know your bank’s real website address. If the link leads to www.genericbank-company.com but your bank’s address is www.genericbank.com, be wary.
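As an added example (not part of the original post), here is a small Python script that applies the two checks from the paragraphs above, the sender line and the links, to a constructed sample message. genericbank.com stands in for your bank’s real domain, and the message, the sender address and every link destination are made up for illustration; the script uses only the standard library and prints one line per red flag it finds.

```python
"""Two of the red-flag checks described above, applied to a raw e-mail:
does the From display name claim an organisation the address domain does
not belong to, and does each link's visible text match its real destination?
Added example; the message and every domain in it are constructed."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "genericbank.com"  # the address you know your bank uses

# Constructed sample: friendly display name on a look-alike address domain,
# one link hiding the bank's name inside another domain, one link whose text
# and destination disagree, and one genuine link.
SAMPLE_EML = """\
From: Generic Bank Support <alerts@genericbank-company.com>
Subject: Action required: confirm your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://www.genericbank.com.secure-login.example/verify">
confirm your account information</a> within 48 hours.</p>
<p>Or sign in at <a href="https://www.genericbank-company.com/login">
www.genericbank.com</a></p>
<p>Help: <a href="https://www.genericbank.com/help">www.genericbank.com</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((text, self._href))
            self._href = None


def host_of(text_or_url):
    """Hostname from a URL or a bare 'www.example.com' string, lower-cased."""
    candidate = text_or_url if "://" in text_or_url else "http://" + text_or_url
    return (urlparse(candidate).hostname or "").lower()


def registrable_domain(host):
    """Last two labels: 'www.genericbank.com.evil.example' -> 'evil.example'.
    Simplification: real tooling uses the Public Suffix List (think co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(text, href, expected=EXPECTED_DOMAIN):
    """Red flags for one link; an empty list means it looks fine."""
    flags, target_host = [], host_of(href)
    target = registrable_domain(target_host)
    if target != expected:
        flags.append(f"link goes to {target_host}, which is not on {expected}")
    shows_address = "." in text and " " not in text and "@" not in text
    if shows_address and registrable_domain(host_of(text)) != target:
        flags.append(f"link text shows {text} but it goes to {target_host}")
    return flags


def check_sender(msg, expected=EXPECTED_DOMAIN):
    """Red flag if the From address is not on the expected domain. The
    converse proves nothing: the whole From line can be forged outright."""
    header = msg["From"]
    if header is None or not header.addresses:
        return ["no usable From address"]
    sender = header.addresses[0]
    if registrable_domain(sender.domain) != expected:
        return [f"From shows '{sender.display_name}' but the address is "
                f"{sender.addr_spec}"]
    return []


def analyse(raw, expected=EXPECTED_DOMAIN):
    """Every red flag found in a raw RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    findings = check_sender(msg, expected)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    for text, href in parser.links:
        findings.extend(check_link(text, href, expected))
    return findings


if __name__ == "__main__":
    for flag in analyse(SAMPLE_EML):
        print("RED FLAG:", flag)
```

On the sample message the script reports four flags: the sender address is on genericbank-company.com, the first link buries the bank’s name inside secure-login.example, and the second link shows www.genericbank.com while pointing at genericbank-company.com (two flags, one for the destination and one for the mismatch); the genuine help link passes. Note that a mismatch is a strong signal but a match is not a clean bill of health, since the From line and the link text are both chosen by the sender, and `registrable_domain` deliberately ignores multi-label suffixes such as co.uk.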

Of course, e-mails with polished logos and links asking for personal information are only one form of phishing. There are many others, all geared towards luring unsuspecting people into giving information away. Sometimes the intent is to take money; sometimes it is to take information and use it to cause problems later. Either way, once you have clicked the link and typed in your password or handed over your account details, there is no way to un-ring that bell. It is important to understand where our e-mail comes from, and, unfortunately, we have to be vigilant about our communications. That means checking and double-checking the source and knowing the red flags, especially when personal information is involved. If there is any question about the legitimacy of a website, a link or an e-mail, the safest thing to do is to click Delete instead of the link, and, if you really need to know, contact the organization through a channel you already trust, such as the phone number on the back of your card. If your gut tells you something’s fishy, chances are it’s phishy.