Years ago I took on the Community Watch task of interfacing with the Orange County Sheriff’s Office for my neighborhood. That means I get a daily email on criminal or suspicious activity reported to the Sheriff’s Office. Over the past year, those reports have been increasingly filled with Internet and phone scam warnings.
Internet and phone scams, collectively known as phishing, lure victims into giving away sensitive information through claims that sound legitimate (like bait used in fishing). Those who take the bait may suffer identity theft and/or financial loss. In 2009, Consumer Reports estimated that phishing cost nearly $500 million per year in the United States alone. And that was seven years ago!
Phishing is different from marketing spam. Spammers try to trick you into buying something. In phishing the goal is to acquire sensitive information such as passwords, account numbers, or even Social Security numbers. Spammers may want your money, but they don’t care about your sensitive information. Both are bad, but being caught by a phish can have long-term ramifications.
Two phishes are frequently reported to the Sheriff’s Office. One is a phone call from the IRS saying they have filed a lawsuit against you. Another is a call from “the Microsoft Service Center,” claiming your computer has been hacked and they need to fix it. The first phish wants your Social Security number; the second wants your password. If you get one of these calls, hang up!
Online phishing is made easier by the ubiquity of email and web surfing. Most of us aren’t cybersecurity experts and follow practices that may be making us vulnerable to phishing, like creating passwords that are easy to remember instead of ones that are hard to crack. Because so many people use the same passwords for multiple purposes – such as email and bank account – acquiring your password can be a gateway to other sensitive information like bank and credit card numbers, possibly loan or credit history reports that contain your SSN.
Malware is another form of online phishing. Malware, distributed through attachments or malicious websites, is software specifically designed to gain access to or damage your computer without your knowledge. It takes many forms, including spyware, which feeds information found on your computer back to the phisher. Ransomware can take remote ownership of your computer, locking you out entirely until you pay a ransom to get it back. Malwarebytes, https://www.malwarebytes.com, is free software that will help protect you.
The best protection against phishing is to simply hang up or delete the email. But sometimes the phish is so devious it’s not immediately recognizable. Here are some best practices to help you know when you’re being phished:
▪ Don’t open attachments if you don’t know the sender or if the email seems odd.
▪ Be judicious about opening websites. The Web of Trust provides a “reputation” graphic to steer you away from sites known to be fraudulent: https://www.mywot.com/
▪ Use complex passwords: no dictionary words, 10-plus characters, and a combination of letters, numbers, and special characters. Never use your birthdate or other easily found information.
▪ Don’t re-use passwords for sensitive accounts like bank accounts. A password vault like LastPass will store complex passwords until you need them.
▪ Don’t unsubscribe from mailing lists if you don’t know how you came to be subscribed to them.
▪ Learn to look for URL spoofing, also known as forged links, before you click. When you hover your mouse over a link (don’t click on it!), you may see a different URL down on the bottom left corner of your browser window.
▪ Use the same hover method on email addresses. Hover over the address in the “from” field to make sure the domain name (for example, @google.com) is the same as the one you see.
▪ Update your software, including web browsers, as soon as new versions become available. Software developers do their best to fix vulnerabilities, so make sure you take advantage of their efforts to keep you safe online.
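The two hover checks in the list above can also be done programmatically. The following Python example is added here and is not part of the original article; it compares the address a link displays with the host it really points to, and the address shown in a “From” display name with the real sender domain. The function names and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def shown_domain(text):
    """First domain-like string in the text a reader sees, or None."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None

def same_site(shown, actual):
    """True if the real host equals the shown one or is a subdomain of it."""
    shown, actual = (h[4:] if h.startswith("www.") else h for h in (shown, actual))
    return actual == shown or actual.endswith("." + shown)

class LinkAudit(HTMLParser):  # collects (link text, real host) mismatches
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            label = "".join(self.text).strip()
            shown, actual = shown_domain(label), (urlparse(self.href).hostname or "").lower()
            if shown and not same_site(shown, actual):
                self.findings.append((label, actual))
            self.href = None

def audit_links(html):
    """Links whose visible text names a different site than the href."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

def from_mismatch(from_header):
    """(shown, actual) if the display name shows a domain the sender does not use."""
    name, addr = parseaddr(from_header)
    shown, actual = shown_domain(name), addr.rpartition("@")[2].lower()
    return (shown, actual) if shown and not same_site(shown, actual) else None

SAMPLE_FROM = '"service@mybank.example" <alerts@mail-update.example>'  # constructed
SAMPLE_HTML = (  # constructed sample using reserved example domains
    '<a href="http://192.0.2.10/login">https://www.mybank.example/login</a> '
    '<a href="https://www.mybank.example/help">www.mybank.example</a> '
    '<a href="http://mybank.example.account-verify.example/">mybank.example</a>')
```

Links whose visible text contains no address (“Click here”) are not flagged, because there is nothing to compare; those still need the manual hover check.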
Remember, legitimate organizations like your bank and the IRS will not ask you for account numbers, passwords, or any other sensitive information over the phone or online. For more tips and tools, see Stay Safe Online at: https://staysafeonline.org/stay-safe-online/.