While in Colorado on a recent trip, I recalled many a great meal eating cutthroat trout, which is native to that area. The memories took me back to the fun of fishing in some little stream and the fight a little fish can put up before being reeled in. Ah yes, fond memories that get better with each passing decade.
However, in this column we discuss a different kind of catch that even has its own spelling: phishing. In this application of the term, you and I are the ones being pursued and unfortunately often caught.
It is estimated phishing occurs through email 80 percent to 90 percent of the time. Hackers use phishing to discover confidential information such as login credentials, personal identifiable information, private health information or anything that might be useful to a cybercriminal.
The same thing happens over the phone but is called vishing. It also happens over texts and is called smishing (as in SMS texting).
Emails can include links that take the user to infected websites that infect your device or attachments and, when opened, install malware. They can be disguised as Microsoft Office documents, PDFs, JPGs or virtually any legitimate looking file.
They can appear to be from trusted sources, so confirming the real email address (Mom@gmail.com versus Surprisefirstname.lastname@example.org) is a positive step before you click. However, email addresses, like websites, can be hijacked. So that isn’t the final step.
If “Mom” doesn’t usually send you attachments or even emails, pick up the phone and ask her if she sent you the email you are looking at and if she included the attachments and/or links. She’ll appreciate the call. If she says she didn’t, then delete the email immediately.
Use that same methodology whether the email is from your boss or your client. While your boss may not appreciate a call from you to verify his email, he will really be unhappy if you bring rootkit into his network and cause a data breach.
Your boss should appreciate your protective attitude.
While I’m at it, don’t send or receive emails that have been forwarded. Forwarding something that is infected cannot only infect your family and friends that you send it to, but also all that they send it to and so on down the line.
The most popular phishing email subjects look legitimate. Referencing things like “Breach Notification” or failed delivery attempts (such as UPS or FedEx), password expiration, and employer references, such as messages from human resources, these emails are effective against us because they strike a note of fear.
Hackers play on our basic emotions like fear, greed, curiosity, lust, etc. The most successful scams of all time include IRS and FBI impersonations because communication from them strikes a chord within each of us.
Legal authorities, such as the IRS and FBI, will not communicate with you by email or phone. The IRS will mail its communications, and the FBI knows where you are and will come to you if needed. Don’t be fooled over the phone, and definitely don’t be fooled through email.
If you feel you have been hacked or a cybercriminal has attempted to hack or scam you, call your local law enforcement (city police or county sheriff) immediately.
Then go the FBI’s Internet Crime Complaint Center website to report the incident at https://ic3.gov. Stay involved and follow up with the authorities.
Once you become a live target to hackers, it is hard to remove yourself from their spotlight. Make every effort to avoid their attention to begin with, and think before you click.