All of us suffer from e-mail overload. Our inboxes fill daily with a clutter of “important” mails, so it is often hard to determine which emails are legitimate, and which are phishing emails that have been designed to steal your personal info or inject malware into your computer.
I am a member of the Identity Theft Resource Center and they often provide me with valuable information and resources to combat phishing scams.
In a recent report they provided some shocking statistics about the success of phishing attacks worldwide:
- For instance, one in every 2000 emails sent worldwide each day is a phishing email, meaning around 135 million phishing attacks are attempted every day!
- Many of the phishing attacks try to trick you into clicking a link that takes you to a fake webpage, which fools you into entering personal information – it’s estimated that an average of 1.4 million of these websites are created every month – that is over 46 000 phishing websites created daily – over 1900 every hour!
- Last week the Identity Theft Resource Center reported a new fake Netflix email about a suspended account. With many South Africans now moving away from satellite and cable subscription movie channels like MNET and DSTV, and subscribing to Netflix, this poses a risk.
- There is a new fake Amazon email asking you to verify your account. Just think about this for a moment: It is very easy to purchase books, DVDs, and thousands of other goods from Amazon at the click of a button. (You can even get a parrot to do it!) If phishers can get access to your Amazon account, then they have access to your credit card details!
- Of course, don’t forget the “classic” PayPal phishing email about unauthorized/suspicious account activity. I make use of PayPal and receive several of these fake phishing mails every month.
According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90% chance that at least one person will fall for it! Considering the fact that there are a little under 2000 personnel working at Tygerberg Campus, daily there is a chance that at least 20 people will be caught by phishing scams!
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations, like the university. Instead of trying to get banking credentials for ordinary consumers, the attacker may find it more lucrative to target an enterprise like Stellenbosch University.
Spear phishing attacks can be extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a pay increase that a recipient may have just received, or sending a malicious attachment where the filename references a topic the recipient is interested in.
What can we do about it?
A good general rule: Don’t give out personal information based on an unsolicited email request.
Learning to recognize and avoid phishing emails, and sharing that knowledge with your colleagues, is critical to combating identity theft and data loss.
Here are a few basic tips to recognize and avoid a phishing e-mail:
- It contains a link. Scammers often pose as the IRS, financial institutions, credit card companies or even tax companies or software providers. They may claim they need you to update your account or ask you to change a password. The email offers a link to a spoofing site that may look similar to the legitimate official website. Do not click on the link. If in doubt, go directly to the legitimate website and access your account.
- It contains an attachment. Another option for scammers is to include an attachment to the email. This attachment may be infected with malware that can download malicious software onto your computer without your knowledge. If it’s spyware, it can track your keystrokes to obtain information about your passwords, Social Security number, credit cards or other sensitive data. Do not open attachments from sources unknown to you.
- It’s from a government agency. Scammers attempt to frighten people into opening email links by posing as government agencies. Thieves often try to imitate the IRS and other government agencies.
- It’s a “suspicious” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses. You may receive an email from a “friend” that just doesn’t seem right. It may be missing a subject for the subject line or contain odd requests or language. If it seems off, avoid it and do not click on any links.
- It has a lookalike URL. The questionable email may try to trick you with the URL. For example, instead of www.irs.gov, it may be a false lookalike such as www.irs.gov.maliciousname.com. You can place your cursor over the text to view a pop-up of the real URL.
- Use security features. Your browser and email provider generally will have anti-spam and phishing features. Make sure you use all of your security software features.
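The lookalike-URL tip above can be checked mechanically. The following is an added example, not part of the original post: it reads the links in an HTML mail body, reports the host each link really points to, and flags a trusted name buried inside another domain as well as visible link text that names a different host. The `TRUSTED` list, the function names and the sample mail are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = {"irs.gov", "paypal.com", "amazon.com", "netflix.com"}  # assumed list

def host_of(url):
    """Lowercase hostname of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def classify(host):
    """'trusted', 'lookalike' (trusted name buried in another domain) or 'unknown'."""
    # A host belongs to a domain only if it IS the domain or ENDS with ".domain".
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    # Trusted name appears as labels further left: www.irs.gov.maliciousname.com
    if any(f".{d}." in f".{host}." for d in TRUSTED):
        return "lookalike"
    return "unknown"

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Per link: (real host, verdict, True if visible text names a different host)."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        host = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        results.append((host, classify(host), bool(shown) and shown != host))
    return results

SAMPLE = ('<a href="http://www.irs.gov.maliciousname.com/verify">www.irs.gov</a> or '
          '<a href="https://www.irs.gov/refunds">our refunds page</a>')  # constructed
```

Calling `audit(SAMPLE)` marks the first link as a lookalike whose visible text does not match its destination, and the second as trusted.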
Opening a phishing email and clicking on the link or attachment is one of the most common ways thieves are able not just to steal your identity or personal information but also to enter computer networks and create other mischief.