Don’t be a “phish.” Learn as much as you can about malicious email. Teach your employees (and your children at home) to think before they let their curiosity overcome their caution and knock on the door to that scam web page. Remind them never to click on that innocent looking attached .jpg file. The benign .jpg file extension could actually be a covert .exe or a .zip file. Opening that file could call up a malicious site leading to a nightmare of consequences. It is known as phishing.

Anatomy of a Phishing Scam

The Fake Web Page

Phishing relies on people’s natural curiosity, attraction to a bargain (or free) offer, or simply fear that someone else has hacked into their online banking, PayPal, IRS accounts. The hacker sends an email that appears authentic, complete with logos, and other realistic looking links that one would expect. The text of the email could include a fake offer, story, or warning to lure the victim into clicking on a link or calling a phone number.

The Exploding Attachment

This scam might be an email from someone the victim knows from Facebook. It has a cheery message like “I found this great classic photo of the Beatles. Check it out!” The photo file is labeled “The Fab Four.jpg,” and looks innocent. It’s real title is “The Fab Four.jpg.zip.” The .zip extension is hidden, because your system likely hides real file extensions.

Click on that attachment, and all kinds of bad things can occur. Your computer could be instantly infected with malware that harvests your email contacts to further propagate itself. In fact, the original email was likely a result of the Facebook friend’s hacked account.

Spotting the Fake Email

Typically, the phishing email includes a message that the user account has either been hacked or frozen. The telltale signs of a phishing email include:

• The emergency message. The email encourages the user to correct the problem immediately and “verify” the account information. The PayPal scam currently going around capitalizes on the victim’s insecurity and worry that the Internet really isn’t private or secure. It typically contains a message that reads, “We have noticed suspicious activity on your account. Please click here to review your recent transactions.”
• Hinky-looking links. The links in the email might look real, but hovering the mouse cursor to reveal the URL will reveal suspicious plain-language words along with lengthy coding in the address. Say the email purports to be from PayPal and says that the account has been frozen. Log into the account as usual to see if that urgent message appears on the account. (Chances are it will not, in which case the email is a scam.)
• Free stuff too good to be true. Beware of emails offering high-dollar coupons “limited to the first 100 people” who “click here.” Click there and go to another fake website, where the victim offers up a credit card or other personal information.

If it still looks real, it probably isn’t

The tie-breaker is this: PayPal, commercial banks, the IRS, nor any other reputable online financial institution never send requests that customers verify account or personal information. PayPal never sends attachments with customer notifications, and the IRS doesn’t initiate contacts with taxpayers by email. When in doubt, check it out. Report suspicious email by logging on to the affected site and following their instructions. For example, PayPal asks that customers forward suspected scam emails tospoof@PayPal.com.

Looking for additional help in the area of cyber security? Sterling Technology Solutions is the trusted choice when it comes to staying ahead of the latest security threats, information technology tips, tricks, and news. Contact us at (704) 271-5001 or send us an email at inquiries@sterling-technology.com for more information.