Phishing attacks come in all shapes and sizes. Sometimes it’s an email from a stranger pretending to be a corporate executive or someone you know, a social media post inviting you to click a link, or an instant message from a “friend.” And sometimes it’s a website designed to fool you into offering up your login credentials or other confidential data. These sites can be very convincing, often taking you to the legitimate site they are spoofing after you hand over your credentials. Other times, not so much. Here’s a cautionary tale that I experienced just last month.
I don’t know about you, but I’ve seen far too many emails and received too many phone calls from credit card issuers telling me an unauthorized purchase has been made in some shop thousands of miles from my home, often in an exotic location, and the company wants to know if it was me. Of course not, I say, and a new card whisks its way to me. When I get it, there’s a sticker with a URL on the card telling me where I need to go and validate the card. It just happened again.
This time, however, I wondered what would happen if I did a web search on how to validate that specific bank’s credit card. Sure enough, the first listing was for a look-alike URL that took me to a phishing site that had the bank’s logo and a box for me to put in my name, card number, birthdate, and security code from the card. It was fraudulent, of course, but talk about brazen phishing attempts, this one was off the charts.
I could see immediately that this was not from the credit card, even though it had the right logo, colors and ads. The text read “You know why you’re here. Just put in your data and validate your card.” Really? Does your credit card vendor use that kind of language with you?
There are often other tip-offs that a site is fraudulent, but if you have any questions or concerns, the best advice is to call the company asking for your information (never use a phone number from a questionable website) and verify the URL before submitting any private data.
Two days after this experience, I received an email from a different credit card issuer telling me that the card number was used at a Sprint retail outlet. Sprint is not my cell phone carrier, so I knew another card number had been compromised. The card provider knew as well and rejected the purchase before I called. Incidentally, it’s a good idea to sign up for your credit card’s service that tells you when a purchase is made without the physical card being used.
These attacks can become two-pronged: first stealing your data and then inviting you to provide even more personal data while trying to repair the damage from the first attack. It’s a virtual Möbius loop of phishing and data theft.
I currently use multiple levels of email security, both at the office and in my home, yet phishing emails are becoming more pernicious and craftier every day, bypassing anti-phishing software. Many even look better than some of the emails I get from vendors I know are legitimate.
It comes down to this: The bad guys are getting better at their job every day. Often, they know more about you than you know about yourself. Individuals and companies alike must up their game to keep up with the slicker, more professional attacks, be they through email, social media, instant messaging or your favorite cell phone app.
This class of bad guys wants anything they can monetize, be it your personal and medical data, corporate intellectual property, or access to devices they can use in a bot. If you are not keeping up with the latest intelligence on what the bad guys are doing, you’ll be next. Layered security is essential, but it’s not the be-all and end-all. The best advice I have comes from a pop culture reference from the Harry Potter books: Constant vigilance. That is your best defense.