give a man a phish…

There’s an old quote, of course…

Give a man a fish and you feed him for a day.  Teach him to fish and you’ve fed him for life.

Today’s topic is phishing, the activity in which a con artist sends a fake email and tricks the recipients into giving up their credentials, credit card details, etc.

What They’re After

It’s almost always about money. They want the login details for your checking account or your credit card. If they can get your email account’s credentials then they’ll search your emails for links to your checking account or credit card. If they get your social media account’s credentials then they’ll know the people who trust you and they’ll send them email as if they’re you, conning your friends into clicking these sorts of links.


If a stranger on the sidewalk asked you to put your wallet into a magic hat, you probably wouldn’t. You don’t trust him. So when a stranger on the Internet sends you an email, then you are probably smart enough not to click any links in it.

But now, what happens when an email arrives and it has the correct logo and content from Microsoft?  You trust them.  They may well have written the software that’s on your computer.  They’re telling you that you are about to lose something or, in other cases, that you could get something for free.

But of course, that email could seemingly arrive from UPS, FedEx, the U.S. Postal Service, Wells Fargo, Bank of America, Chase, Logitech, Intel, Apple, Google, Intuit, Adobe, Samsung, HP, Facebook, Twitter, Verizon, AT&T, Starbucks, Staples, Yahoo, Bing, MSN, Firefox, Chrome, WordPress…  Literally any name brand or product name you trust can be used to fool you.

Urgency

If someone told you that you had thirty years left in your lifetime, you’d probably be interested but it wouldn’t necessarily change what you do today as a result.  You’d have time to get a second opinion from another doctor, say.

We’re programmed, though, to panic when we have a limited amount of time to make a decision.  If the doctor told you that you needed to get your affairs in order because you have 24 hours left, then you probably wouldn’t calmly make an appointment with that second doctor.  You’d very likely go on a shopping spree or make some other not-so-mature decision in the spur of the moment.  In other words, the rational/analytical part of your brain wouldn’t be in charge.  Your would-be scammer knows this.  So all these attempts have some sort of expiration date/time attached to them.

Free… Isn’t

I’m not sure why people are such suckers for the word “free”.  It seems to be another method of short-circuiting the brain.  Combine free with an expiration date of some kind plus a spoofed pedigree and most people will stupidly click that link.

Antivirus Isn’t “Anti-Stupid Protection”

Unfortunately, your antivirus program can’t protect you from doing something, well… stupid, in this case.  It would be stupid to enter your credentials for anything prompted by any email.

But, what if this is legitimate?  Okay, so what if I have received an email from Geico and they’re trying to tell me that my policy is about to expire?  (Let’s assume for a moment that I have Geico insurance.)  Do I actually need to click their link to find out the status of my policy?  No.  It is infinitely safer for me to open my browser, type Geico.com in the location field, verify that I haven’t mistyped the domain name and then enter my credentials on their website.  In doing so, I’ve completely removed all the dangers of phishing.

Digital Extortion

According to statistics, 64% of Americans are willing to pay a ransom to get their data back (or, say, control of their computer), and the average bounty demanded is $1,077 per victim. Only 34% of people globally are willing to pay money in these circumstances. Unfortunately, that makes the U.S. a prime focus for these people.


the sophistication of phishers

Phishing is an activity where you try to con someone out of their private information (like credentials) and these people are too darn clever. I just got a perfect rendition of Apple’s classic email notification that my Apple ID had been used on a Windows 10 computer with Chrome over an IP address in Israel and that my account is now locked. It’s enough to make you panic and click the link they provided.

The Psychology of Fear

Of course, fear is a prime motivator. “ONOZ! I’ve been hacked!” No, actually. Someone just has your email, which you could have seen from the “Undisclosed Recipients” distribution list.

And yet, it was enough to make me go to a different computer, visit Apple’s website and confirm that my Apple ID wasn’t locked out and it’s only being used on my own devices.
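The checks described in this post (the spoofed sender pedigree, the link that isn’t the domain you would type yourself, the “Undisclosed Recipients” tell, and the artificial deadline) can be written down as a small triage helper. The code below is an added example and is not part of the original post; the trusted-domain list, the urgency word list and the two sample messages are all constructed for the demonstration.

```python
"""Added example (not from the original post): apply the post's own phishing
checks to a raw email before anyone clicks anything.

Checks performed:
  1. visible sender name claims a brand, but the From address is not on that
     brand's domain (spoofed pedigree)
  2. message is addressed to "Undisclosed Recipients" (bulk mail, not a
     personal notice)
  3. links in the body do not point at the domain you would type yourself
  4. subject/body use a deadline or lockout to rush the decision
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> domains you would type into the address bar yourself (assumed list).
TRUSTED_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "geico": {"geico.com"},
}

URGENCY = re.compile(r"\b(24 hours|immediately|locked|expire[sd]?|suspend(ed)?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. apple.com.evil.example -> evil.example.
    Good enough for .com-style domains; a public-suffix list would be needed
    for country-code second-level domains."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means none of
    the four checks fired (which is not proof the mail is genuine)."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Does the display name borrow a brand the From domain doesn't own?
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    brand = next((b for b in TRUSTED_DOMAINS if b in display_name.lower()), None)
    if brand and from_domain not in TRUSTED_DOMAINS[brand]:
        findings.append(f"sender claims to be {brand} but mail comes from {from_domain}")

    # 2. Bulk distribution list instead of your own address.
    to_header = msg.get("To", "")
    if "undisclosed" in to_header.lower() or not to_header.strip():
        findings.append("sent to undisclosed recipients (bulk mail, not a personal notice)")

    # 3. Every link should land on the brand's own registered domain.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if brand and registered_domain(host) not in TRUSTED_DOMAINS[brand]:
            findings.append(f"link goes to {host}, not a {brand} domain")

    # 4. Expiration date / lockout language.
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("uses a deadline or lockout to rush the decision")

    return findings


# Constructed sample: a lookalike "Apple ID locked" notice.
SAMPLE_PHISH = """\
From: "Apple Support" <noreply@appleid-security-check.example>
To: Undisclosed Recipients:;
Subject: Your Apple ID was used to sign in on Windows 10

Your Apple ID has been locked. Verify within 24 hours:
https://apple.com.verify-account.example/login
"""

# Constructed sample: a plain receipt addressed to one person, linking to apple.com.
SAMPLE_LEGIT = """\
From: "Apple" <noreply@email.apple.com>
To: me@example.com
Subject: Your receipt

Thanks for your purchase. Your receipt is available at
https://appleid.apple.com/account
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_PHISH):
        print("-", finding)
```

The constructed phishing sample trips all four checks, the receipt trips none. An empty result only means nothing obvious was found; the post’s advice still applies either way: open a browser, type the company’s domain yourself, and log in there rather than through anything the email offers.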

Apple’s Lack of Customer Support

For a company that makes as much money each year as Microsoft, Oracle, Google and Adobe combined, you’d think that there would be room in the budget to support their customers.


In fact, I just spent many moments trying to let Apple know of the sophistication of this phishing attempt, to identify the culprit(s), their website(s), email address(es), etc. No dice. Apple’s doing such a good job of blocking customer requests that I decided that the best way to get the information out there was to blog it. Pretty sad, really.