Avoiding dodgy emails
Phishing is an attack used by hackers to gain access to private information such as credit card numbers and user passwords.
Phishing is a social engineering attack where targets are typically duped into providing this information directly to false versions of legitimate websites run by the hackers. Personal information can then be used for fraudulent purchases, resale to third parties and even identity theft.
Pictured is a screenshot from a phishing email I recently received from a client who was suspicious.
What would the natural reaction from an account holder be?
“I never sent Nickolas Sims $498 – I’d better click the link and put a stop to this.” Of course, that sense of urgency may mean you get flustered, click the link and fall for the fake PayPal site. Enter your details and the bad guys have them.
So let’s have a look at the warning signs:
Incorrect recipient address information
The email is addressed to multiple recipients, as if this payment was made by you AND all your friends (I’ve obscured the email addresses for privacy).
The email says “Dear PayPal Customer” – phishing scams rarely know the real names of their targets and tend to rely on general greetings like “Dear user”. PayPal knows your name and uses it when emailing you.
Hyperlinks in email messages should be distrusted in general, but long and convoluted hyperlinks like the one below should cause heightened suspicion.
Normally PayPal resides at the URL PayPal.com. If you hover over one of the links (as shown below) you will notice the link actually goes to a website in .com.ar – that’s Argentina.
No offer of additional information
There is a “Help Centre” link but that link goes to the same website address based in Argentina. In fact ALL links go to exactly the same address!
Warnings from email client
A well-designed email client may detect many of the irregularities listed as well as check for suspicious points of origin (e.g. spoofed emails) and links to insecure servers.
Warnings from web browser
If for some reason you actually clicked on the URL, your web browser might give another warning, alerting you that the URL has already been reported as a forgery, or is not secure.
Most phishing email messages won’t contain all of the above characteristics and will probably contain other defining characteristics not mentioned. Phishing is an evolving practice because it is lucrative and increasingly used by organised crime.
If you receive an email that contains one of the above characteristics then be extremely cautious. If the email is threatening the termination of a service, simply let it happen. No company worth doing business with is going to maintain its records by firing off thousands of email messages to various Hotmail and Yahoo accounts in hopes of reconciling its financials.
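As an added example (not part of the original post), the indicators above turned into a small stdlib-only Python check for an HTML email body: a generic greeting, links whose visible text shows one domain while the href goes to another, links outside the expected domain, and every link pointing at one address. The sample message and its .com.ar hostname are constructed placeholders, and the suffix handling in registered_domain is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels, or three for 'example.com.ar'-style suffixes (simplified)."""
    parts = host.lower().split(".")
    n = 3 if len(parts) > 2 and parts[-2] in ("com", "co", "net", "org") else 2
    return ".".join(parts[-n:])

def phishing_warnings(html, expected_domain, recipient_count=1):
    """One warning per indicator found: recipients, greeting, link targets."""
    warnings = []
    if recipient_count > 1:
        warnings.append("addressed to %d recipients" % recipient_count)
    if re.search(r"dear\s+(\w+\s+)?(customer|user|member)\b", html, re.I):
        warnings.append("generic greeting instead of your name")
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) != expected_domain:
            warnings.append("link goes to %s, not %s" % (host, expected_domain))
        shown = re.match(r"(?:https?://)?(?:www\.)?([\w.-]+\.\w+)", text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            warnings.append("link text shows %s but goes to %s" % (shown.group(1), host))
    if len(parser.links) > 1 and len({h for h, _ in parser.links}) == 1:
        warnings.append("all %d links go to the same address" % len(parser.links))
    return warnings

# Constructed sample modelled on the email described above (hostname is a placeholder).
SAMPLE = """<p>Dear PayPal Customer,</p><p>You sent a payment of $498.00 USD to Nickolas Sims.</p>
<p>To cancel, visit <a href="http://secure-login.example.com.ar/webscr?cmd=_login">www.paypal.com/dispute</a>
or the <a href="http://secure-login.example.com.ar/webscr?cmd=_login">Help Centre</a>.</p>"""
```

Running `phishing_warnings(SAMPLE, "paypal.com", recipient_count=4)` reports all six tell-tales, while a message that greets you by name and links only to the expected domain produces none.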
How can I protect myself from a phishing attack?
There are several steps you can take to protect your computer from today’s cyber threats. Following the simple guidelines below will help minimise the risk of attack.
- Be very wary of any email messages asking for personal information. It’s highly unlikely that your bank will request such information by email. If in doubt, call them to check!
- Don’t complete a form in an email message asking for personal information. Only enter such information using a secure website. Check that the URL starts with ‘https://’, rather than just ‘http://’. Look for the lock symbol on the lower right-hand corner of the web browser and double-click it to check the validity of the digital certificate. Or, alternatively, use the telephone to conduct your banking and report anything suspicious to your bank immediately.
- Don’t use links in an email message to load a web page. Instead, type the URL into your web browser.
- Check if your anti-virus program blocks phishing sites, or consider installing Kaspersky Internet Security (links below) or other antivirus software that alerts you to known phishing attacks.
- Check your bank accounts regularly (including debit and credit cards, bank statements, etc.), to make sure that listed transactions are legitimate.
- Make sure that you use the latest version of your web browser and that any security patches have been applied.
Protect your identity from phishing attacks
Prevent cybercriminals from stealing your digital identity thanks to anti-phishing protection technologies inside Kaspersky Lab’s Internet security software which leverage lists of known phishing websites, proactive anti-phishing technologies and the latest information from the cloud.
Users of digital cameras and smartphones should be aware that when they snap a picture, personal data may be embedded inside the picture. It’s referred to as EXIF data, and can include the Camera Make/Model, Date taken, GPS co-ordinates, etc.
If that picture is then uploaded to the internet, another person may download the picture and inspect the image data, including your GPS location.
In fact, EXIF image data was recently used by the FBI and Australian Federal Police to track down a member of the hacker group “CabinCr3w”.
“According to the FBI, data taken from the picture showed it was taken by an iPhone. GPS co-ordinates taken from the photo also pinpointed the exact Wantirna South street and house where it was taken.”
You can edit/remove this data from your images using EXIF Data Viewer, available on our Downloads page. This allows you to upload pictures to the internet without giving away personal information. Another option is to convert your JPG picture into PNG format (which does not support embedded EXIF data) and upload the PNG file instead.
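An added example, not from the original page or the EXIF Data Viewer tool: a stdlib-only Python routine that walks a JPEG’s marker segments, reports whether the Exif block carries the GPS IFD pointer (tag 0x8825) that holds the coordinates, and rebuilds the file without that segment. The sample bytes are a constructed skeleton with the right structure, not a real photo.

```python
import struct
APP1, SOS = 0xFFE1, 0xFFDA
GPS_IFD_TAG = 0x8825  # IFD0 entry that points to the GPS sub-IFD

def jpeg_segments(data):
    """Yield (marker, payload) per segment; after the SOS header yield (None, rest)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == SOS:  # entropy-coded scan data follows; hand it back verbatim
            yield None, data[pos:]
            return
def is_exif(marker, payload):
    return marker == APP1 and payload.startswith(b"Exif\x00\x00")
def exif_has_gps(payload):
    """True if IFD0 of the embedded TIFF block carries the GPS IFD pointer tag."""
    tiff = payload[6:]  # skip the "Exif\0\0" prefix
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return False
    ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = [struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] for i in range(count)]
    return GPS_IFD_TAG in tags
def has_gps(data):
    return any(is_exif(m, p) and exif_has_gps(p) for m, p in jpeg_segments(data))
def strip_exif(data):
    """Rebuild the file without its Exif APP1 segment(s); image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in jpeg_segments(data):
        if marker is None:
            out += payload
        elif not is_exif(marker, payload):
            out += struct.pack(">HH", marker, len(payload) + 2) + payload
    return bytes(out)

# Constructed JPEG skeleton (not a decodable image): little-endian Exif block with a
# Model tag and a GPS IFD pointer, then placeholder DQT, SOS, scan bytes and EOI.
TIFF = (b"II*\x00\x08\x00\x00\x00\x02\x00"                     # LE header, IFD0 at 8, 2 entries
        + b"\x10\x01\x02\x00\x04\x00\x00\x00iPho"              # 0x0110 Model = "iPho"
        + b"\x25\x88\x04\x00\x01\x00\x00\x00\x26\x00\x00\x00"  # 0x8825 GPS IFD pointer
        + b"\x00\x00\x00\x00")                                 # no next IFD
EXIF = b"Exif\x00\x00" + TIFF
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(EXIF) + 2) + EXIF
          + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xda\x00\x04\x01\x00" + b"\x12\x34\xff\xd9")
```

On a real file, read the bytes, pass them through `strip_exif`, and write the result out before uploading; the image data itself is copied unchanged.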
With so many passwords to remember nowadays, and increasing demands on how long, how complex, and how often they must be changed – it’s no surprise many of us reuse the same password on multiple websites.
Unfortunately a current trend of hackers is to publicize usernames/passwords obtained from hacking websites, by posting them online for all to see. People have taken the information and logged on to people’s personal sites: taking money from PayPal accounts, replacing dating site profile pictures with pornographic images, and engaging in chats using other people’s Facebook accounts.
Time to make technology work for you.
The following video shows two methods used and recommended by Tailormade IT Solutions to overcome this problem.
By using a fingerprint scanner, you can store a variety of complex passwords and just logon to your PC and/or web sites with a swipe of your finger. A lot of new laptops come with fingerprint scanners, and for other users USB fingerprint scanners are available.
The big benefits of fingerprint scanners are:
- Easy to use.
- Complex passwords replayed with the swipe of a finger.
- Keystroke Logging software is outsmarted.
Keeping a password file stored safely inside a TrueCrypt encrypted vault ensures that you have a backup/reference of them. TrueCrypt supports AES encryption (which is used by the US military to encrypt data up to the top secret level).
How safe is TrueCrypt? Let’s look at a real-world story. The Brazilian National Institute of Criminology tried for five months to obtain access to the encrypted data of a Brazilian banker suspected of financial crimes without success, before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code.
The big benefits of using TrueCrypt are:
- All passwords are stored securely and can be accessed by remembering one password – the TrueCrypt password.
- As the password file is located on a secure USB stick, it is transportable.
Available for Windows 7 / Vista / XP, Mac OSX, and Linux.
Everyone using USB sticks to transport valuable information should be using encryption – just in case it is lost.
In the news recently, the Dept of Defence has lost a USB drive containing sensitive health information of military personnel and their families. The data was on an unprotected USB drive misplaced by a researcher flying from Brisbane to Canberra on 11 May 2012. Source: Sydney Morning Herald
DON’T LET THIS HAPPEN TO YOU!
Tailormade IT Solutions has created a video that demonstrates how to protect your data by creating an encrypted USB stick using TrueCrypt, and shows the error message encountered if someone finds and tries to access the USB.
Tailormade IT Solutions uses TrueCrypt encrypted USB sticks whenever transporting sensitive information.
Be wiser than the Dept of Defence and use it!
Available for Windows 7 / Vista / XP, Mac OSX, and Linux.
Sharing files with family, friends and colleagues is easy, but what if they don’t have the appropriate software to view the content? The solution is to send them a PDF file rather than a Word, Excel, Photoshop or other file type.
Although software to create and edit PDF files is quite expensive, you can install a virtual PDF printer for free. I use PDFCreator, which lets you choose the Print command in just about any application, and rather than printing to a piece of paper, you end up with a PDF file saved on your hard drive, ready to send.
Here’s how easy it is.
User Guide: http://www.pdfforge.org/content/create-pdf
Download PDFCreator