Looks Legit–How To Not Get Phished

An accountant in a small business office receives an email from her boss: “Please purchase (locally) some gift cards, scratch off the numbers, photocopy and send them to me by email. They are for giving to a person in need. I need this done immediately.” Everything looks believable including the salutation and the signature. But the request is unusual. The boss has never asked this before, and the accountant is not the person who normally would be making local purchases.

With email, lose your trusting nature

The above is an example of a phishing email scam. Phishing is a step beyond simple forging. It’s an attempt to use the appearance of credibility to fool the recipient into cooperating with the attacker. Messages are crafted to look like they come from known sources. They may use familiar corporate logos and colors and the names of others at your workplace; the From: address may even be one that is in your address book. In the case above, the From: address was familiar, but the Reply-To: address (where a reply to the message would be sent) belonged to an unknown party.

Because email phishing is one of the most common attack methods today, every person on the staff of any organization is a key part of the corporate defensive strategy. One slip could invite malware or ransomware into the whole network.

Phishing attacks get more sophisticated every day. As a user of email in a workplace, you need to up your game accordingly. Here are the top four tips on how to avoid getting phished.

1. Check your own awareness

Common phishing emails appear to be messages from co-workers, shipping company tracking numbers, invoices from known suppliers, and account notifications from online stores and financial institutions. Keep your guard up. You may not normally be a suspicious person. However skeptical you normally are, be more wary than usual when working with email. It’s a shame, but you must treat everything in your inbox as a potential threat to your organization.

Any visible part of an email can be faked. The From: address, the signature, familiar names and logos don’t prove the origin of the message. In a phishing message, all the dirty work is hidden. No matter how innocuous it looks, always use secondary means to verify a message’s authenticity.

2. Check clickable links

One giveaway of a phishing attempt is deceptive clickable links. On most computers, if you place your mouse pointer over a link but do not click, the actual destination address will be shown in a tool tip (pop-up text). If the visible destination and the tool tip don’t match, you should become suspicious. For example, the link as shown in a message appears to be www.computassist.com, but when you hover your mouse over it, the tool tip displays svr3.doogielt.cn. This is a huge red flag – don’t click!

Check link spelling very carefully. For example, can you tell the difference between paypal.com and paypaI.com? (Depending on your browser’s default font, they may appear the same. The second link has a capital I in place of the l.)

If you receive an email asking you to update your account information on a frequently used site, don’t click the links in the email. Use your bookmark to that site instead.
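The three checks described above (a Reply-To: address that does not match the From: address, link text that names one site while the link leads to another, and look-alike spellings such as paypaI.com) can be automated as a first-pass filter. This is an added example, not code from the original article; it runs on a constructed sample message, and the Reply-To domain mail-relay.example is a placeholder standing in for the "unknown party" of the story.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture): From: looks like the boss, Reply-To: points at an
# unrelated domain, and two of the links show one destination but lead to another.
SAMPLE_EMAIL = """\
From: Boss <boss@computassist.com>
Reply-To: boss.urgent@mail-relay.example
Content-Type: text/html

<p>Confirm here: <a href="http://svr3.doogielt.cn/login">www.computassist.com</a></p>
<p>Pay here: <a href="https://paypaI.com/pay">paypal.com</a></p>
<p>Help: <a href="https://www.computassist.com/help">support page</a></p>
"""

# Characters that mimic l and o; fold them before comparing hosts
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)

def fold(host):
    """Collapse look-alike spellings (paypaI.com) onto the real host (paypal.com)."""
    return host.translate(CONFUSABLES).lower().removeprefix("www.")

def host_of(url):
    """Host of a URL or bare hostname; keeps case (urlparse(...).hostname would lowercase it)."""
    netloc = urlparse(url if "://" in url else "//" + url).netloc
    return netloc.rpartition("@")[2].split(":")[0]

def reply_to_mismatch(raw):
    """True when replies to the message would go to a domain other than the apparent sender's."""
    msg = email.message_from_string(raw, policy=policy.default)
    domain = lambda hdr: parseaddr(str(hdr))[1].rpartition("@")[2].lower()
    reply = domain(msg.get("Reply-To", ""))
    return bool(reply) and reply != domain(msg["From"])

def suspicious_links(html):
    """(visible text, real host, reason) for each link whose text misstates its destination."""
    findings = []
    for href, text in ANCHOR.findall(html):       # visible text vs. the hover tool tip
        shown, real = host_of(text.strip()), host_of(href)
        if "." not in shown:                      # plain words make no claim about a host
            continue
        if fold(shown) == fold(real) and shown.lower() != real.lower():
            findings.append((text, real, "look-alike spelling"))
        elif fold(shown) != fold(real):
            findings.append((text, real, "text and destination differ"))
    return findings
```

The confusable table is deliberately small; a production filter would use a full Unicode confusables list and compare registrable domains rather than raw hosts.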

Next time we will look at two more tips to keep you among the un-phished.

Who wants one more password?

Passwords, ugh! Who wants one more password to remember? Passwords are probably the best example of the tug-of-war between security and convenience. “You need long, complicated passwords!” “No, I need passwords that are easy to remember and quick to type!”

Good Passwords

…are just one layer in what should be a defense-in-depth. But bad passwords are, well, a wide open door. When listings of user accounts are stolen and cracked, then found online, security researchers get a glimpse into what people favor for passwords. Here are the top dozen:

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou
  11. princess
  12. admin

As you can see, these are all terrible passwords, but terribly easy to remember. I’m afraid most people are careless about password safety.

But it’s not that hard to be an excellent password user! Two simple changes to your password habits will have you at the top of the good list!

Use Passphrases

For a long time, security experts recommended using numbers, symbols and changes in letter case to make passwords complex. Today, computing power is available in unprecedented quantity, and most short passwords, no matter how complex, can be cracked in minutes. So drop the hieroglyphics, and start using simpler but longer passphrases. These are easier to remember and to type, and more secure, as long as they are over 12 characters long. You still don’t want to use any phrase that is in common usage. “Mary had a little lamb” is a long passphrase, but still a terrible choice as it is in common usage and thus likely to be among the phrases hackers will use to test your security. Change it up a bit.

Use a Password Manager

It is strongly recommended that you use a unique password for every account you have. It would be impossible to remember them all. So let a password manager app do it for you. The password manager securely encrypts all your account information, and you unlock and use it with one master password. Managers are portable between all your devices, so your credentials are always at the ready. For an installable application for your computer, tablet or phone, I recommend KeePass. For a web application, I recommend Bitwarden.