It's Cybersecurity Awareness Month.
When I was a kid, my parents encouraged me to explore my neighborhood, socialize with other children, and go outside and run around. The few cautions I heard regularly were "be home before dark" and "pay attention to your surroundings." Those are excellent guidelines to follow at any age and in any context, so this week, I encourage SecurityWatch readers to heed the second bit of advice. Pay attention to your surroundings, even when you're online, to avoid being phished. If a message or website's content seems a little off or suspicious, don't click any links, don't open any attached files, and don't download any software.
According to Statista, the most common crime reported to the US Internet Crime Complaint Center in 2021 was phishing. Phishing lures are getting topical and sophisticated, too. Last year, cybersecurity researchers warned about the rise in phishing messages about COVID-19. In January, the FBI warned the public about hackers who are phishing victims using QR codes, and last October, criminals working for the Russian government tried to ensnare victims with phishing emails.
What Is Phishing?
Phishing is an attempt to steal victims' data or money using a deceptive lure in the form of an email, SMS, online ad, or fake website. For example, earlier this year, the FBI warned that cybercriminals are sending out SMS fraud alerts that look like they come from financial institutions. If a victim responds to one of the messages, the fraudsters spoof the bank's phone number, call the victim, impersonate the bank's fraud department, and encourage the victim to transfer all their money.
Common characteristics of phishing messages include:
- Claiming to be from someone you know and trust, such as a family member or your boss.
- Impersonating a critical institution such as your bank, insurance company, or workplace.
- Requesting your financial data or personal information.
- Asking you to click links, download software, or open file attachments.
The traits above probably apply to many of the legitimate messages you receive, so on their own they can't tell you a message is a phish; what keeps you safe is paying attention. If your browser or email client warns you about a potentially dangerous message, unsafe content, or a malicious website, heed the warning rather than clicking past it. Avoid clicking links, entering data, or downloading attachments from unknown or untrustworthy sources, and when a message asks for money or login details, confirm the request through a channel you already trust, such as the phone number printed on your card or the address you normally type in yourself.
Adopt 4 Key Anti-Phishing Behaviors
To keep from getting phished, follow these tips:
- Never hand over your data in response to a message. Don't include usernames, passwords, government ID numbers, financial account information, birthdates, or other private information that could be used to impersonate you later in emails, phone calls, or text messages with people you don't know. Don't give your email address or phone number to a website if you have doubts about its legitimacy.
- Don't log in from a link in a message. The text a link displays and the address it actually opens are two different things, and a fraudulent login page that copies the real site is easy to set up and will collect whatever credentials you type into it. If you need to sign in to a website or service after receiving a message, open a fresh browser tab or window and type the address you know yourself, or use a bookmark, instead of clicking through.
- Take your time with urgent messages. Criminals often try to get victims to act quickly, so they don't have time to realize they're being duped. Be suspicious of anyone who asks you to respond to them or click on a link within a specific time period. Tax scams, for example, tend to have time limits attached to them.
- If a message is too good to be true, ignore it. Dating scams, financial scams, and sweepstakes scams are all common. If you receive a note saying you've won a contest you never entered, and you just need to click a link to claim your prize, do not engage with the sender. Instead, report the message to your email service provider and go on with your day, knowing that you defeated yet another phishing attempt.
Quiz: Spot the Phishing Scam
Google's Jigsaw team developed a quiz to help everyone learn to spot phishing attempts. It shows visual examples of sophisticated phishing messages and asks you to decide whether each one is a phish. You can practice hovering your mouse over links to reveal the real destination address, which can differ from the address the link text displays. You can also examine email headers and attachments to judge whether a message is legitimate.
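The hover check in the quiz above, and the advice earlier on this page to type a login address yourself rather than click a link, both rest on the same fact: the text a link displays and the address it actually opens are separate things. The following Python script is an added example, not code from this column or from Google's quiz. It pulls every link out of a constructed HTML message and flags the common ways the real destination is disguised: visible text that names one site while the link goes to another, a trusted name used as a subdomain of an unrelated domain, a "user name" before an @ that reads like the host, and a look-alike host spelled with a non-ASCII character. The message, the host names and the "trusted" bank name are all made up for the demo, and the two-label registrable-domain rule is a simplification of what a real tool would do with the Public Suffix List.

```python
"""Flag deceptive links in an HTML message: what a link shows versus where it goes.

Added example for this column, not the author's or Google's code.  Every host
name, the sample message and the "trusted" bank name are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: one honest link followed by three deceptive ones.  The
# last href spells the bank name with a Cyrillic "а" (U+0430) in place of "a".
SAMPLE_HTML = """
<p>Your account needs attention. Please sign in within 24 hours.</p>
<a href="https://example-bank.com/alerts">View alert</a>
<a href="https://example-bank.com.login-verify.example/">https://example-bank.com/login</a>
<a href="https://example-bank.com@accounts-portal.example/">example-bank.com</a>
<a href="https://ex\u0430mple-bank.com/login">example-bank.com</a>
"""

# The brand the message claims to come from (assumed for the demo).
TRUSTED = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def ascii_host(host):
    """IDNA-encode a host so a look-alike Unicode label shows up as an xn-- label."""
    return host.encode("idna").decode("ascii").lower()


def registrable_domain(host):
    """Last two labels of a host.  Simplification: a real tool would consult the
    Public Suffix List so that names under suffixes like co.uk are handled right."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def analyze_link(href, text, trusted=TRUSTED):
    """Return the reasons a link looks deceptive; an empty list means none found."""
    findings = []
    parsed = urlsplit(href)
    raw_host = parsed.hostname or ""
    host = ascii_host(raw_host)

    # Look-alike host: the IDNA form differs from what the reader sees.
    if host != raw_host:
        findings.append(f"internationalised host, real name is {host}")

    # "https://bank@evil.example/": everything before @ is a user name, not the host.
    if parsed.username:
        findings.append(f"text before @ is a user name, real host is {host}")

    # Visible text that itself looks like an address must agree with the real host.
    if " " not in text and "." in text.strip("."):
        text_host = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registrable_domain(ascii_host(text_host)) != registrable_domain(host):
            findings.append(f"displays {text_host} but goes to {host}")

    # Trusted name buried as a subdomain of an unrelated domain.
    for brand in trusted:
        if host != brand and not host.endswith("." + brand) and brand in host:
            findings.append(f"{brand} appears in {host} but is not the registered domain")

    return findings


def scan_message(html, trusted=TRUSTED):
    """Parse an HTML message and map each suspicious href to its findings."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        findings = analyze_link(href, text, trusted)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in scan_message(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, the script reports the three deceptive links and stays silent on the honest one. The IDNA step matters more than it looks: a browser's hover text or status bar may render the look-alike name with the Unicode character, so the only reliable way to see the trick is to compare the encoded xn-- form, which is what the script does.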
Enterprise software juggernaut Cisco created a phishing quiz for employees. The questions are part of a comprehensive phishing hub containing important information on why phishing works and how criminals plan their attacks.