Phishing

Although many phishing attacks are spoofs against banks, they can also use any well-known website to steal personal data such as PayPal, The Internal Revenue Service, UPS, FedEx, eBay, Facebook, , etc.

Phishing knows no boundaries, and can reach you in any language. In general, they’re poorly written or translated, so this may be another indicator that something is wrong.

The best way to prevent phishing is to consistently reject any email or news that asks you to provide confidential data. Delete these emails and call your bank to clarify any doubts.

If you hear on the news that your insurance company has recently been breached and soon after you receive an email (allegedly) from your insurance company that explains the breach and provides the necessary steps for you to take. These steps include clicking on a link to update your personal information and change your user name and password. You should NOT follow these instructions to keep your information protected. Otherwise, once the criminals have information about you, they may try to trick you into giving up more information through fraudulent emails. Be suspicious of urgent emails requesting information and never open attachments you aren’t expecting even if it’s from someone you know.

For example, within hours of a hurricane, you receive an email from the Red Cross asking for a donation to help the victims. This email is most likely a high-profile phishing scam that receives media attention and is on the forefront of peoples’ minds. These scams are effective because they rely on your emotions and compassion.

If you receive an e-mail with your bank’s name and e-mail address, explaining that for security reasons, you have to click on a particular Internet link and log in to your account to update your settings. You should delete the email without taking any action, contact your bank through known channels to either ensure credibility or report it to your bank as SPAM. Financial institutions including Commonwealth Bank WOULD NEVER ask for personal or account information via email.

If you receive a message to view a file or video on a social networking site and from someone within your network (a trusted source), it is still NOT safe to open the attachment. Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder’s entire contact list. They post poisoned links to a variety of malicious sites, and send credible emails with malicious links, abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan.

No matter how much security technology you implement, you can never get rid of the weakest link – the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.

If you receive an e-mail (or more recently a phone call) from an alleged Microsoft support person saying that your computer is infected by a virus and suggests that you install a tool available on their Internet site to eliminate the virus from your computer. You should NOT click on the link even though the email looks official and has the legitimate support@microsoft.com email address. Email spoofing is e-mail activity in which the sender’s address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.

You could still end up at the malicious site and potentially load malware on your computer or network. If you are unsure whether a link you received in an email is safe, it is not safe to copy and paste the link in the URL section of your web browser.

For example, out of these six web addresses, the “whitehouse.com” is phony because any official U.S. government web site will end in .gov and not .com.

http://www.usa.gov
https://cio.gov
http://www.ssa.gov
https://www.ssa.gov
http://www.fdic.gov
https://www.whitehouse.com