Published April 18, 2011
We could be on the verge of the largest mass “phishing” spree in U.S. history.
Earlier this month, Epsilon, one of the world’s largest suppliers of marketing e-mails, was attacked by hackers in a massive data breach affecting millions of consumer accounts at companies like Verizon (VZ), Capital One (COF) and Best Buy (BBY). What was taken, customer names and e-mail addresses tied to the company that sent each mailing, is exactly what a phisher needs: the ability to address a target by name on behalf of a brand the target actually does business with.
Almost every American consumer is, and has been, at risk of phishing attacks. But the threat has never been more real or dangerous than after the Epsilon breach.
First, what is phishing? Phishing, spear phishing and smishing (SMS phishing) are all names for social engineering attacks in which an attacker poses as a legitimate person, company or government agency in order to obtain private or privileged information: passwords, credit card numbers, proprietary information and so on. Spear phishing is the targeted variant, in which the message is tailored to a specific recipient, and a stolen list of names and addresses is precisely what makes that tailoring easy. In the past, phishing was limited primarily to e-mail, but today it also arrives by text message, instant message and social network messaging on sites like Facebook, Twitter and LinkedIn.
The coming Epsilon phishing attacks could take many forms. They could target customers’ account information, credit cards, banking information or Social Security numbers. Furthermore, they could arrive via e-mail, text message or social media connection.
Regardless of what form these phishing attacks take or what precisely they target, there are several ways the average consumer and business person can protect themselves from becoming another victim:
1. What to Look For: Know the signs of a phishing e-mail. Each year it gets harder to tell fraudulent e-mails from real ones because of the booming “crimeware” market, where ready-made phishing kits that copy a company’s look and feel are bought and sold. However, some basic rules still apply:
a. Does the e-mail include grammatical or spelling errors?
b. Does it appear to be written by a non-English speaker?
c. Does it make some type of urgent or alarming claim? For instance, “if you don’t act now your account could be canceled or penalized.”
d. Does it provide a way to verify the source, such as a 1-800 number or a real corporate Web site? Keep in mind that a phone number or link printed in the message itself proves nothing, since the attacker controls both; verify through the number on the back of your card or the Web address you already know.
2. Browser Settings: Set your Web browser’s security settings to the highest level. All the major browsers (Internet Explorer 9, Safari, Firefox, Chrome, etc.) provide enhanced security settings, including what is known as “reputation management” (Microsoft’s SmartScreen Filter in Internet Explorer 9, Google Safe Browsing in Chrome, Firefox and Safari). The browser checks each address against a list of reported phishing and malware sites and warns you before the page loads. Those lists only contain sites that have already been reported, so a brand-new phishing site can slip through for hours or days; treat the warning as a safety net, not a guarantee.
3. Update Anti-Virus: Make sure your anti-virus software, your operating system and your other applications (from iTunes to Adobe Reader) are kept up to date with the latest security patches from the developer. These updates often close the holes that recently discovered viruses and malware exploit, so a phishing link or attachment that relies on an already-patched flaw simply fails on a patched machine.
4. Don’t Use E-mail: Never provide important account or financial information to another party via e-mail. No reputable company will ever ask its customers to do so, and as a rule of thumb, you shouldn’t even send passwords or account information via e-mail to a spouse or employee: if your computer is ever hacked, that information can be harvested.
5. Check the Link: Malicious links meant to install spyware on your computer or smartphone, or to lead you to a fake login page, can show up in e-mails, tweets, Facebook messages or text messages. Cyber-criminals have become expert at replacing letters, numbers or other characters with almost identical substitutes to create a look-alike Web site address (for example: bank0famerica, with a zero in place of the “o”), and at burying a real brand name inside a domain they own (bankofamerica.com.some-other-site.net is not Bank of America; only the last two labels say who owns a site). Now that the Internet Corporation for Assigned Names and Numbers (ICANN) has approved internationalized domain names that use non-Latin alphabets, the potential for “spoofed” Web sites is significantly greater, since a Cyrillic “а” is indistinguishable on screen from a Latin “a”. Link-shortening services like bit.ly and ow.ly also make it easier to fall for a bad link, because the shortened form hides the destination. Hover over a link (or press and hold it on a phone) to see where it really points before you follow it, and when in doubt, type the company’s address yourself.
6. Check for Encryption: Any legitimate Web site that asks for personal or financial information should be encrypted. You can tell by looking at the address bar: the address should begin with “https,” not just “http,” and the browser shows a padlock. But encryption proves only that the connection to that site is private; it says nothing about who runs the site, and criminals can and do obtain certificates for look-alike domains. Read the domain name next to the padlock as carefully as the padlock itself: an https address at bank0famerica.com is encrypted and still a fake.
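The checks in points 5 and 6 can be automated against the links in a suspicious message. The following is an added example written for this page, not code from the original article or from any product mentioned in it. It assumes a short hand-maintained list of domains the recipient actually does business with (TRUSTED_DOMAINS), a simplified notion of “registered domain” that ignores multi-label suffixes such as .co.uk, and a constructed sample e-mail body; the link shorteners and confusable characters listed are representative, not exhaustive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient actually does business with, mapped to the brand word
# a look-alike would imitate (assumption: a short hand-maintained list).
TRUSTED_DOMAINS = {
    "bankofamerica.com": "bankofamerica",
    "capitalone.com": "capitalone",
    "bestbuy.com": "bestbuy",
}

# Public link shorteners hide the real destination (the article names bit.ly and ow.ly).
SHORTENERS = {"bit.ly", "ow.ly", "tinyurl.com", "goo.gl", "t.co"}

# Look-alike substitutions: digits for letters (bank0famerica) and Cyrillic
# letters that render identically to Latin ones (IDN homographs).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})

# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def registered_domain(host):
    """'www.bestbuy.com' -> 'bestbuy.com'. Simplification: ignores multi-label
    public suffixes such as .co.uk, which a real checker would look up."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise_label(text):
    """Collapse look-alike characters and letter pairs to the text they imitate."""
    return text.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").replace("-", "")


def check_url(href, visible_text=""):
    """Return a list of warnings for one link; an empty list means nothing stood out."""
    warnings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no hostname: %r" % href]
    reg = registered_domain(host)

    if parsed.scheme != "https":
        warnings.append("not HTTPS: %s" % href)
    if reg in SHORTENERS:
        warnings.append("shortened link hides the destination: %s" % host)
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII characters in hostname (possible homograph): %s" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-encoded international hostname: %s" % host)

    # A brand appearing anywhere except as the registered domain is suspicious:
    # look-alike spellings (bank0famerica.com) and subdomain tricks
    # (bankofamerica.com.evil-host.net) both land here.
    brand_of_reg = normalise_label(reg.split(".")[0])
    for trusted, brand in TRUSTED_DOMAINS.items():
        if reg == trusted:
            continue
        if brand in normalise_label(host) or brand_of_reg == brand:
            warnings.append("host %s imitates %s" % (host, trusted))
            break

    # Link text that shows one address but points to another.
    m = URL_LIKE.match(visible_text.strip())
    if m and registered_domain(m.group(1)) != reg:
        warnings.append("link text shows %s but goes to %s" % (m.group(1), host))
    return warnings


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None


def scan_email_html(html):
    """Map each link in the message to its list of warnings."""
    parser = AnchorExtractor()
    parser.feed(html)
    return {href: check_url(href, text) for href, text in parser.links}


# Constructed sample message (not a real phishing e-mail): three bad links, one good one.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you act now.</p>
<a href="http://www.bank0famerica.com/verify">https://www.bankofamerica.com/verify</a>
<a href="https://bankofamerica.com.account-review.net/login">Sign in</a>
<a href="http://bit.ly/2x9abc">Update your details</a>
<a href="https://www.bestbuy.com/account">https://www.bestbuy.com/account</a>
"""

if __name__ == "__main__":
    for link, found in scan_email_html(SAMPLE_EMAIL).items():
        print(link, "->", found or "ok")
```

The first link trips three checks at once (plain http, a digit-for-letter look-alike, and link text that disagrees with the destination); the second is https and still flagged, because the brand sits in a subdomain of a domain the attacker owns, which is the point of item 6. The brand check is a heuristic: it will also flag legitimate third-party hosts that embed a brand name, so in practice it is a prompt to look closer rather than a verdict.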
7. Beware of Downloads: Just as links can be used to install viruses on your computer, so too can the files you are asked to download. These files may appear in an e-mail as attachments of a kind you are familiar with (.PDF, .JPEG), but they are actually masking malware meant to steal information: a file may carry a document icon and a double extension such as invoice.pdf.exe, or simply be a program renamed to look like an image. What a file is called and what it actually contains are two different things. Scanning with anti-virus software, or simply not opening attachments from unknown sources, keeps many of these programs off your computer.
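The mismatch between an attachment’s name and its contents can be checked directly, because common file types begin with a fixed signature (“magic number”). The following is an added example written for this page, not code from the original article; the signature and extension tables are representative rather than complete, and the sample attachments are constructed byte strings, not real files.

```python
import os

# Leading bytes that files of each claimed type really start with.
MAGIC = {
    ".pdf": [b"%PDF-"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".zip": [b"PK\x03\x04"],
    ".docx": [b"PK\x03\x04"],
}
# Signatures of directly runnable content, whatever the file name says.
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "Linux executable", b"#!": "script"}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar", ".pif"}


def classify_attachment(filename, data):
    """Return reasons to distrust an attachment; an empty list means it looks as labelled."""
    reasons = []
    base, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(base)[1]

    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension %s" % ext)
    # invoice.pdf.exe: a document extension hidden in front of the real one.
    # Only flag inner extensions we know as document types, so archive.tar.gz passes.
    if inner_ext in MAGIC and ext != inner_ext:
        reasons.append("double extension %s%s disguises the real type" % (inner_ext, ext))
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append("content is a %s" % kind)
            break
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        reasons.append("content does not match a %s file" % ext)
    return reasons


def scan_attachments(attachments):
    """Map each attachment name to its list of reasons for suspicion."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


# Constructed samples: two honest files, one double extension, one renamed program.
SAMPLE_ATTACHMENTS = {
    "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24,
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 28,
    "receipt.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(name, "->", reasons or "looks as labelled")
```

The check reads only the first few bytes, so it is cheap enough to run on every attachment before anything opens it. It is a filter, not an anti-virus replacement: a genuine PDF can still carry a malicious script, which is why the article’s advice to keep the reader application patched stands alongside it.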
8. Protect Your Phone: As phones become more and more like small computers, they are consequently at greater risk of being hacked. Viruses, spyware and other malicious code can be installed on a smartphone just as easily as on a desktop, and once embedded they can record your account information and financial data just as they would on your computer. Don’t be tricked into thinking you are not vulnerable on a smartphone; a small screen that hides most of the address bar makes a spoofed Web address harder to spot, not easier. Think carefully before clicking on a Web site link or opening an attachment from someone you don’t know.
Hackers and phishers are becoming smarter and more creative every day, finding new avenues of attack and new ways of disguising their intent. In the ever-evolving world of cybersecurity, it is becoming harder for the average consumer to keep up. By following some sound advice, using common sense and keeping anti-virus software up to date, those exposed by the data breach can stay one step ahead.
Michael Gregg, CISSP, CISA, CISM, is an ethical hacker, cybersecurity consultant to companies and government agencies, and the author of over a dozen IT security books. A well-known speaker and security trainer, Mr. Gregg is COO of Superior Solutions, Inc. in Houston.