You’ve heard of phishing.
It’s where crooks “fish” for personal details you wouldn’t give them if they asked outright – information such as date of birth, ID number, login name, password, bank account number, SSN, and so forth.
Most phishing happens by email, and the process is surprisingly simple and effective.
The crooks send you a lure, such as free stuff (like an iPhone), or a warning (like suspicious activity on your bank account), or a scare (like an invoice for an iTunes purchase you know you didn’t make).
The email’s goal is to get you to take action right away…
…and it handily provides a clickable link for the purpose, which takes you to a signup page (to register for the iPhone), or a login screen (for internet banking), or an account summary page (to contest the fraudulent purchase).
If the cybercriminals have done their homework, the web form that appears will look spot on, because the crooks usually rip off the layout, the logos and the JavaScript straight from your bank, or from iTunes, or wherever.
So you willingly, if imprudently, enter your personal details, your password, and so on, and click [Submit].
Only then do you find out that you just submitted the web form to a bunch of crooks instead of to the real site.
With a bit of care, you can usually spot a fake web page fairly easily, for example because the website name in the address bar will be wrong, or the web page will be unencrypted (no padlock), or simply because it “looks a bit dodgy.” Bear in mind that the padlock only tells you the connection is encrypted, not who is at the other end: crooks can put a certificate on a fake site too, so a padlock on its own says nothing about whether the name in the address bar is the one you meant to visit.
But here’s an even easier way to protect yourself: don’t click login links in emails in the first place!
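The “website name in the address bar will be wrong” check is easy to get wrong by eye, because a hostname like megabank.com.ru starts with the name you expect. The following is an added example (not code from the original article or from Sophos) showing the check done properly: compare the host label by label from the right, since whoever controls the rightmost labels owns the name. The domain `megabank.com` and all the sample links are constructed for illustration and are not real sites or real phishing URLs.

```python
from urllib.parse import urlsplit

# Hypothetical bank domain the user believes they are logging in to (constructed).
EXPECTED_DOMAIN = "megabank.com"

# Constructed sample links, none of them real; the comments say what each one tests.
SAMPLE_LINKS = [
    "https://www.megabank.com/login",            # genuine subdomain of the expected name
    "https://megabank.com.ru/login",             # expected name, but under a different top-level label
    "https://megabank.com.evil.example/login",   # expected name used as a leading label of another site
    "https://megabank.com@evil.example/login",   # userinfo trick: the real host is evil.example
    "https://evil.example/megabank.com/login",   # expected name appears only in the path
    "https://MEGABANK.COM./login",               # upper case and a trailing dot are harmless
    "megabank.com/login",                        # no scheme, so no host can be extracted
]


def host_belongs_to(url: str, expected_domain: str) -> bool:
    """Return True only if the URL's host is expected_domain or a subdomain of it.

    Ownership of a DNS name is decided by its rightmost labels, so the host is
    compared from the right: 'www.megabank.com' passes, while 'megabank.com.ru'
    and 'megabank.com.evil.example' fail even though they start with the
    expected name.
    """
    host = urlsplit(url).hostname  # strips scheme, user:pass@, port and path; lower-cases
    if host is None:               # nothing that parses as a host: refuse rather than guess
        return False
    host = host.rstrip(".")        # a trailing dot is the same name in DNS
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def triage(urls, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Map each URL to True (host belongs to expected_domain) or False."""
    return {u: host_belongs_to(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for url, ok in triage(SAMPLE_LINKS).items():
        print(f"{'OK  ' if ok else 'FAKE'}  {url}")
```

The userinfo case is the one most people miss: everything before the `@` is a username as far as the browser is concerned, so `megabank.com@evil.example` is a visit to `evil.example`. Note that this check only tells you whether a name belongs to the domain you expected; it does not vouch for the domain itself, which is why the bookmark-or-type-it-yourself advice at the end of the article still stands.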
💡 LEARN MORE – PHISH 1: iTunes ►
💡 LEARN MORE – PHISH 2: Online banking ►
💡 LEARN MORE – PHISH 3: Bitcoin ►
Images of Christmas tree and Advent calendar courtesy of Shutterstock.
What seems obvious to regular readers of Naked Security may not be so to non-security folks. We can preach Internet security constantly, but people (and even relatively sensible people) will click on the link from their “network administrator” to verify their e-mail login. Are big corporations doing a better job of telling their employees about phishing attempts?
I also wanted to add that most people are unaware that they can preview a link without clicking on it. Even when I try to teach this, I get the feeling that most people don’t understand why you would do this, and why an address like megabank.com.ru might not be the real site. Maybe it’s easier to click than to take time to examine the link and figure out what it is.
I note that the easiest way of getting to this article is by clicking the link on NS’s email.
Well, it’s *a* way of getting here 🙂
But our newsletter links only take you to the article. They don’t take you (directly, or indirectly via sneaky stages) to a login screen where you would expect to be asked for a username and password… if the link dropped you at a page that said, “To read this article, please authenticate using your {Facebook, Twitter, Whatever} account,” then you should Stop, Think, Don’t Connect!
When logging in, take yourself to the relevant login page via a mechanism that you yourself control directly, e.g. using a bookmark or by typing in the URL yourself. That way, you’re less likely to be misled…