aNewDomain.net – Phishing is one of the most common ways criminals hijack computers and networks. The danger is real, big and growing. To combat this, the Pentagon announced a massive expansion of its cyber-security unit. The goal is to protect networks from being hijacked by foreign powers and cyber criminals.
But how can you protect your network and your data?
One of the most successful ways of getting data and network access from someone is to use phishing techniques to socially engineer them into opening an attachment. Phishing is the term for what happens when a perpetrator masquerades as a trustworthy entity.
This happens a lot. The victims are among some of the biggest security players in technology.
In 2011, RSA was hijacked and lost data when a clerk opened an infected spreadsheet that was in his spam folder.
One look through your spam folder will give many of the more obvious examples of phishing attacks. A typical one you might’ve seen is an email from a friend’s address, in which the friend claims to be stranded overseas and desperately needs you to wire them money. Or it could be from a prince of some foreign land who claims to have money for you, or an email from a so-called secret Facebook admirer.
Some of the more insidious and successful phishing scams load a virus onto your computer, which works quietly in the background stealing credentials. The RSA phishing scam used a PDF exploit to load data onto the user’s PC.
A search for the phrase “phishing scams” returns over three million results. The first two results are the Wiki page for Phishing and a Microsoft Safety and Security Center page on how to recognize phishing emails, phone calls or links.
I would add to that list: phishing SMS messages, Twitter Direct Messages, Facebook messages and, really, any other platform that has a critical mass of users that can be targeted.
How to protect yourself
Most importantly, keep all software up to date. That means patching the operating system and the software. Security experts recently revealed that Java has a huge vulnerability – so users might opt not to use it. Keep an eye on such security news.
If you get an email from your bank asking you to update your credentials – even if it looks legitimate – never click on the link. Visit the actual website instead. In fact, carefully mouse over the link to see, at the bottom of your browser, where the link will take you.
If the displayed address is truncated, right-click the link, copy it, paste it into a notepad document and see where the link wants to direct you. Odds are it’s not the bank.
Also, look at the domain and sub-domain to determine legitimacy. For example, techpageone.com is owned by Dell, and anything in front of it separated by a dot is a sub-domain that Dell also owns, such as webpage.techpageone.com. But www.webpage.com/techpageone.com is not owned by Dell. It looks close, but a dot indicates a sub-domain, whereas the slash means the page is hosted on webpage.com.
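The three checks above (reveal the real link, read the hostname, decide ownership by what follows the last dot) can be written down as a small script. This is an added example, not code from the original article; it assumes a constructed list of trusted domains built around the article’s techpageone.com example and uses only Python’s standard library.

```python
from urllib.parse import urlsplit

# Constructed example: domains the organisation actually owns. The article
# uses techpageone.com as Dell's domain; the set is ours, not Dell's.
TRUSTED_DOMAINS = {"techpageone.com"}

# Constructed sample links of the kind one might copy out of a phishing mail.
SAMPLE_LINKS = [
    "https://techpageone.com/account",              # the real site
    "https://webpage.techpageone.com/login",        # a genuine sub-domain
    "www.webpage.com/techpageone.com",              # the slash case from the article
    "http://techpageone.com.example/login",         # lookalike: extra label after the real name
    "HTTPS://TECHPAGEONE.COM./verify",              # odd casing and trailing dot, still genuine
]


def link_host(url: str) -> str:
    """Return the lowercase hostname a link actually points at.

    Links copied from a status bar or notepad often lack a scheme. Without one,
    urlsplit() files the whole string under 'path' and reports no host at all,
    so a scheme is added before parsing.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    # A trailing dot is the fully-qualified form of the same name.
    return host.rstrip(".").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True if host is domain itself or a sub-domain of it.

    Ownership is decided by the right-hand end of the name: the label(s)
    before a dot belong to whoever owns what comes after it. So
    'webpage.techpageone.com' belongs to the owner of techpageone.com, while
    'techpageone.com.example' does not, because its last labels are '.example'.
    """
    return host == domain or host.endswith("." + domain)


def is_trusted(url: str) -> bool:
    """Apply the hostname and ownership checks to a full link."""
    host = link_host(url)
    return any(belongs_to(host, domain) for domain in TRUSTED_DOMAINS)


def verdicts(urls):
    """Return (url, host, trusted) for each link, for a quick review table."""
    return [(url, link_host(url), is_trusted(url)) for url in urls]


if __name__ == "__main__":
    for url, host, ok in verdicts(SAMPLE_LINKS):
        status = "trusted" if ok else "NOT trusted"
        print(f"{status:12} host={host:28} link={url}")
```

The slash case is the instructive one: the host of www.webpage.com/techpageone.com is www.webpage.com, and "techpageone.com" is merely a path on that server, so the check correctly refuses it. The same rule also rejects names that merely start with the trusted domain, since only the labels after the last dots count.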
Remember that phishing vulnerabilities are moving targets. What is effective at prevention today will be obsolete tomorrow. What is a laughable attempt today was an effective one yesterday. The techniques described above, a dose of common sense and a healthy suspicion of even the most seemingly innocuous emails will go a long way to prevent you or your enterprise from becoming just another phishing scam victim.
Mat Lee writes for ANewDomain.net.