The #1 rule is simple- Don’t click that link!
A phishing email (or text message, or IM) is one sent by a malicious party and designed to trick you into granting that party access to your sensitive data. The scammers who send these emails usually disguise them as something legitimate: your bank, Microsoft, the government. They’ll try to either tempt you or scare you into acting without thinking: don’t fall for it. Stop, take a breath, and think twice. The scam works because the scammers can send out thousands of these messages for free: if even one of them pays off, that’s profit. (That’s also why it’s called “phishing”; it’s just “fishing” with a trick spelling that hearkens back to old-school hacking.)
When you click that link, one of these things will happen:
- You’ll go to sign in, and putting in your password will give it to someone else. Then your email account is gone forever.
- The link is an attachment that puts a virus or crypto-locker on your computer. (If you get a crypto-locker, the only way to recover is via air-gapped backups.)
So, don’t do it. Now, we all know that we aren’t winning the UK lottery, that Microsoft isn’t sending out new XBoxes, that there can’t be suspicious activity on a bank account we don’t have, and that there’s no refund waiting from some obscure store we’ve never visited. We know this, but the scammers aren’t trying to catch you at your best: they’re trying to catch you in a single fleeting moment of distraction.
And they’re good at it! The scammers constantly change their game to get people on their hooks. The scams never stop, and they can sometimes have some of your personal information. Someone called me up with the exact balance owing on one of my cards and demanded that I send the money via Western Union. The scammers are very good at their jobs. It’s how they get paid.
The latest phishing email is formatted to look like the Gmail or Facebook alert that tells you that “your account has been logged in by a different device”, and to “click here to review”.
The variant to this is the addition of “your backup phone number has been changed. If you would like to revert, click here in the next five minutes.” Diabolical. Of course, people will click that link because they’re about to lose their Facebook account or their business GMail access! None of that will happen.
A legitimate Gmail email stating that a new device has been used.
Here is a fraud/spam link that I got this morning, letting me know that Netflix is going to start charging me $70 a month on my PayPal account. WHAT!?! If you look at this on your phone, it looks pretty bad, but a few seconds of checking shows that the email address isn’t the right sender, the unsubscribe link is not from PayPal, and Netflix doesn’t have a 1S service. If I were to click that link, it would end up with a screen asking me to enter my name and password.
As luck would have it, I do pay for Netflix with my PayPal account, and this is what their receipts look like:
So what do you do? Just delete it, or click “flag as spam.” Just don’t click that link!
If you’re interested in dedicated anti-phishing and cybersecurity training for you or your organization, get in touch with us! We offer specialized courses of training that will offer practical experience with mock phishing emails and identify any weak points in your security practices.