What they don’t want you to know…
As we learned in Thank You for Smoking (2005), humans share many everyday concerns like food and shelter. Aside from the 1%ers, most of us undertake some activity to help finance our daily concerns. Some fraction of us make use of the internet for those undertaken activities. And since time immemorial, some of those undertaken activities involve barter/trade/commerce. While some of those dealings are equitable, others are more accurately labelled schemes. So it should be no surprise that the internet has dark alleys and red light districts. And as a core communication means on the internet, email is not isolated from the schemes carried out in those dark alleys. Thus, it is incumbent on all of us to recognize these schemes that seek to prey upon us.
Within the vastness of online schemes, phishing attacks specifically try to trick people into divulging details that have value to the schemer. Those details can be email credentials, which can then be leveraged to carry out more schemes. The details may be sensitive data from a business that might be valuable to their competitors or financial markets. The details can be bank or credit card info that’s more directly adding to a schemer’s bottom line. Or the details might simply provide a toehold for future schemes.
Asked how to identify phishing, many answer “they’ll know it when they see it”. Unfortunately, that criterion is not helpful to anyone else. Thus, listing some common traits is helpful. Firstly, remember that the goal of the scheme is to trick you by any means necessary. Concealing their true identity is almost a given. So a phishing email will never be sent from the actual schemer’s email address. The actual source of the email is most often some prior victim, at least until that user’s email provider detects the abuse and suspends the compromised account. But the schemer often tries to conceal the first victim’s email address, to make the phishing email appear more legitimate. Thus, hovering your mouse/cursor over the sender may reveal that “WHITEHOUSE ADMIN” was sent by “sales@mydomain.com”. Microsoft does not send unsolicited tech support notices to users. A second common trait is creating an appearance of need. Few recipients would open an email with a subject “Sky is blue” as opposed to “URGENT-Action Required”. A third common trait is creating a sense of trust. By using a friend’s name or “IRS Agent” to hide an email’s actual source, the schemer tries to trick you into taking their bait. Copying boilerplate from legitimate messages is another way they try to feed that sense of trust. A fourth common trait is spurring you to act hastily. This Picasso may be priced to sell, but why is the paint dripping on the floor? Bold actions sometimes save the day IRL, but in cyberspace it’s the fast track to extinction. Pause, breathe, contemplate, and then act. It’s the only way to be sure.
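The sender and subject traits listed above can also be checked from a message's headers instead of by hovering. The Python below is an added example, not part of the original post; the CLAIMED_SENDERS table, the PRESSURE wording and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: names a schemer might borrow, mapped to the domain that real
# mail from that sender would use. Extend for your own organisation.
CLAIMED_SENDERS = {"whitehouse": "whitehouse.gov", "irs": "irs.gov",
                   "microsoft": "microsoft.com"}
# Assumption: subject wording that manufactures need or haste.
PRESSURE = re.compile(r"\b(urgent|action required|immediately|final notice)\b",
                      re.I)


def domain_matches(domain, expected):
    """True for the expected domain or a subdomain of it, not a lookalike."""
    return domain == expected or domain.endswith("." + expected)


def phishing_traits(raw_message):
    """Return which of the traits described above this message shows."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    traits = []
    # Concealed identity / borrowed trust: the display name claims a sender
    # that the real sending address does not back up.
    for word in re.findall(r"[a-z]+", display.lower()):
        expected = CLAIMED_SENDERS.get(word)
        if expected and not domain_matches(domain, expected):
            traits.append(f"display name claims '{word}' but mail is from {address}")
    # Appearance of need / haste: pressure wording in the subject line.
    if PRESSURE.search(msg.get("Subject", "")):
        traits.append("subject pressures the reader to act")
    return traits


# Constructed sample messages, not real mail.
SPOOFED = ('From: "WHITEHOUSE ADMIN" <sales@mydomain.com>\n'
           'Subject: URGENT-Action Required\n\nbody\n')
ORDINARY = 'From: "Pat Example" <pat@example.org>\nSubject: Sky is blue\n\nbody\n'
LOOKALIKE = 'From: "IRS Agent" <agent@irs.gov.example.net>\nSubject: hello\n\nbody\n'

if __name__ == "__main__":
    for sample in (SPOOFED, ORDINARY, LOOKALIKE):
        print(phishing_traits(sample) or "no listed traits found")
```

A message that shows none of these traits is not thereby safe; the check only surfaces what hovering over the sender would have shown.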
Sometimes, despite our best intentions, a hyper-caffeinated finger and overly-sensitive trackpad conspire to betray our best interests. Before our left hemisphere can form an “oh, sh-”, we’ve fallen for the scheme and given our vital fluids to the void. What then? To start, note (ideally on paper) details about the scheme, including what details you divulged. Next, reset any passwords that you shared on the targeted (legitimate) site and anywhere else that you used the same password. When available, enable MFA (multi-factor authentication) since it can help limit abuse when an attacker knows your password. Inform the organization (legitimate website) of the compromise. When identity theft happens or money is lost, contact local law enforcement and the Federal Trade Commission (https://ftc.gov). Also realize that the info you divulged to the schemer is frequently shared with other schemers. So prepare yourself for things to get worse before they get better.
In the end, we’re all human. Fallible, loving, caring, sharing beings. Striving to meet our everyday concerns. Trying to make it thru the day as best we can. We will make mistakes. Let’s learn from them.