Phishing: The Pandemic in Your Inbox
Not to diminish the real suffering of the effects of COVID-19, I want to bring to your attention a business pandemic that affects all email users: phishing. A pandemic is defined as occurring over a wide geographic area and affecting an exceptionally high proportion of the population. Phishing is definitely pandemic in nature and is not only prevalent in your email inbox, you’ll find it on spurious websites, on the telephone, and in text messages.
This is how we define phishing: the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Why Phishing Works
Why does a bank robber rob a bank during business hours? Because there are humans there that make it way easier to access vaults than doing it outside of business hours. In a similar way, our technology security systems are pretty hard to get around, but we as humans can easily provide access if we are so lured.
The bad guy attempts to trick us into giving him access to our information, and when we give it to him he then uses that information for nefarious purposes and to trick others into giving up their information. It is a little bit like an infectious disease: the infection isn’t intentional, and it can pass along without us even knowing it.
What’s at Stake
If you do get phished, the stakes range from embarrassment to the complete loss of your business. How many times have you gotten the message from a friend that says, “Don’t open anything from me!”? And you said to yourself, “I’m glad that’s not me!” And you’ve heard of your friend’s acquaintances who paid big ransom money to get their data unencrypted.
We don’t want any of these things to happen to you; micro businesses have enough struggles as is.
Sadly, it has come to this: do not assume that any unexpected communication is the real deal; be cognizant of what is normal communication and what is not.
Let’s review the various types of communications you might receive in a day and what to watch out for.
Email
Email is the least expensive, most easily hacked, and most valuable asset to the bad guys. I could explain why, but you are probably already bored, so I won’t; just believe it. Be wary of email from anybody that you are not expecting an email from.
The most important things to be careful with are attachments and links. If someone sends you an attachment or a link to click on, and you weren’t expecting it (no previous communication suggested it was coming), be on high alert. One option is to simply delete the email, especially if you don’t know the person or entity. If it is coming from an individual you know, then you could reply back to confirm, or if you want to be extra sure, phone the person and ask them if they sent the email in question.
What if it looks legitimate? Then what? Inspect the display name and email address, and inspect any links in the email.
It is very easy to pretend to be somebody you are not over email. It is like someone putting a name tag on their shirt with your name on it, but anybody who knows you will spot the fraud. In an email, on the “From” line, you will usually see the name of the person it is from and the email address of that person in angle brackets, like this:
Grant ZoBell <grant@plutomicro.com>
In the example above, the display matches what you know about the sender. But if you see something like:
Grant ZoBell <info@123abc-nonsense.biz>
That, my friends, is phishing. Delete it.
Perhaps you’ve inspected the From address and it looks good; now it is time to inspect any link in the email itself. You can reverse these two steps, should you choose. To inspect a web link in an email, hover over it with your mouse cursor, and the actual address the link will take you to will pop out, or if you are using webmail, it will appear in the bottom bar of your browser. This is more difficult on a phone; to inspect the link on a phone, tap and hold the link and a preview will pop up. However, if there is any doubt, just wait until you are at your computer to inspect the link.
What you are looking for, when you inspect a link, is that the link matches what is written in the email. Say you receive an email asking you to check out an Amazon store item, but when you hover over the link the website is http://nothingresemblingamazondot.ca; that is phishing.
Here is an example of the two items to inspect that we have just reviewed.
First, the displayed From name doesn’t match the sender’s actual email address. Second, the Get Started link isn’t going back to an apple.com website.
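To make those two checks concrete, here is an added example that is not code from the original post or from Plutomicro. It parses a constructed sample message, compares the From display name against the address you already have on file for that person (a constructed address book), and compares each link’s visible text with where its href actually points. The domain comparison keeps only the last two labels of a host name, which is a deliberate simplification (it misreads domains such as example.co.uk).

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book: the addresses you already know for your contacts.
KNOWN_SENDERS = {"grant zobell": "grant@plutomicro.com"}

# Constructed sample message built around the two red flags in the article:
# a familiar display name on an unfamiliar address, and a link whose text
# names one site while its href points somewhere else.
SAMPLE_EMAIL = """\
From: Grant ZoBell <info@123abc-nonsense.biz>
To: you@example.com
Subject: Get started
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://login.123abc-nonsense.biz/start">Get Started</a>
at <a href="http://nothingresemblingamazondot.ca/x">www.amazon.ca</a>.</p>
<p>Our site: <a href="https://www.plutomicro.com/">plutomicro.com</a></p>
</body></html>
"""


def base_domain(host_or_url):
    """Return the last two labels of a host, e.g. 'mail.amazon.ca' -> 'amazon.ca'.
    Simplification: multi-part public suffixes (co.uk) are not handled."""
    host = host_or_url.strip().lower()
    if "://" in host:
        host = urlparse(host).netloc
    host = host.split("@")[-1].split(":")[0].strip("/")
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_from(msg, known=KNOWN_SENDERS):
    """Flag a From line whose display name is a known contact but whose
    address is not the one on file for them (the 'name tag' trick)."""
    name, addr = parseaddr(msg["From"])
    expected = known.get(name.strip().lower())
    if expected and addr.lower() != expected:
        return f"display name '{name}' but address is {addr}, expected {expected}"
    return None


def check_links(msg):
    """Flag links whose visible text names a different domain than the href."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for text, href in collector.links:
        # Only compare when the visible text itself looks like a domain or URL;
        # plain words like "Get Started" still need the hover check by eye.
        if "." in text and " " not in text:
            if base_domain(text) != base_domain(href):
                findings.append(f"link text '{text}' goes to {href}")
    return findings


def inspect_email(raw):
    """Run both checks on a raw RFC 822 message and return the indicators found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_problem = check_from(msg)
    if from_problem:
        findings.append("From: " + from_problem)
    findings.extend(check_links(msg))
    return findings


if __name__ == "__main__":
    for line in inspect_email(SAMPLE_EMAIL):
        print("PHISHING INDICATOR:", line)
```

Running it against the sample reports two indicators: the From line, because “Grant ZoBell” is on file as grant@plutomicro.com but the mail comes from 123abc-nonsense.biz, and the Amazon link, because the text says www.amazon.ca while the href goes to nothingresemblingamazondot.ca. The plutomicro.com link passes because text and href agree, and “Get Started” is not judged at all, since its text names no domain; that one still needs the hover check described above.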
Finally, if you get an inquiry or request in an email that isn’t normal, verify it another way, especially if there is money involved. Make a phone call or walk down the hall and ask somebody, or ask your I.T. service provider. One of the more common email frauds is where the bad guy pretends to be the boss and asks the bookkeeper to make a strange payment. The bookkeeper thinks it is weird but doesn’t want to question authority, so they make the payment. There is no harm in double-checking something weird.
Lastly (I know you thought we were done at “finally”), if you clicked on something or opened an attachment and nothing happened, or you think you might have just gotten phished, don’t panic. Call your I.T. service provider and have them review the email in question.
SMS/Texting
Text phishing is becoming more and more prevalent. It is pretty hard, but not impossible, to spoof a cell phone text, but that doesn’t stop people from spamming a list of phone numbers with a lure. Don’t click on any links in a text that isn’t from somebody in your address book. Don’t click on any links to weird offers, package notices, received money, or threats.
Phone Phishing
Phone phishing is when you get a call from a person or business that you are not familiar with, and the person on the other end asks for private information about you, your business, or somebody else in your business. They may also claim to be from an organization that you are familiar with, such as Microsoft or the Canada Revenue Agency, and they may make some sort of threat. First off, don’t share private information over the phone about yourself, and especially not about someone else, if you are at all unsure about the caller. Don’t go to any website that they suggest or make any changes to your computer at their request. If you feel like the caller is legitimate, ask for the caller’s name and organization, hang up, Google search their information, and call them back using the number you found.
There are no legitimate threats that can be made on the phone that can’t be made via email or snail mail. If you don’t recognize the caller, ask them to send their information in an email. You can also check whether the caller is fraudulent at this Canadian government website: Canadian Anti-Fraud Centre (antifraudcentre-centreantifraude.ca).
Also, there is no reason Microsoft is going to call you about your computer problems. If you are worried about a computer problem, call the I.T. service provider that you trust.
If the caller is threatening physical harm to you or anyone else, hang up immediately and call your local police department.
Conclusion
Email, SMS, and Phone phishing are the three primary ways people try to phish for your information. There are other ways, and if it feels phishy, it probably is. If you want to know for sure, send an email to service@plutomicro.com.