Sent to my teachers and staff, names and addresses changed:
Welcome to the second letter in my series of information security tips!
Phishing is an attempt to get your information, including financial information, by masquerading as someone else. It most often takes the form of an email purporting to be from a trusted source. Take, for example, this recent actual example from right here at Cliff Valley.
From: Head of School [mailto:firstname.lastname@example.org]
Sent: Wednesday, May 06, 2015 12:08 PM
Hope you are having a splendid day. I want you to quickly email me the details you will need to help me process an outgoing wire transfer to another bank.
I will appreciate a swift email response.
Head of School
Finance recognized this as suspicious right away. But look at all the things this phishing attempt got right. It’s a well-written email, apparently from Head of School’s actual email address, with a perfectly reasonable request. There are also number of red flags here, such as the slightly stilted language, the vagueness, and a few formatting issues. But place this email in an environment where people don’t know each other as well, and it seems pretty convincing! If Finance weren’t so sharp, the email response would go to the phisher (the actual return address is different from the one appearing in the email, a process known as spoofing), and money would quickly disappear from Cliff Valley’s bank account to an untraceable account. A phishing attempt that is targeted at specific people, like this one, is called “spear-phishing,” and can be very effective.
Phishing attempts happen all the time! Check your spam or junk mail folder, and it will likely be filled with mail apparently from your bank, FedEx, and social media sites. These may look exactly like actual email from these sites and may have links that lead to legitimate looking sites as well. There may not be any obvious warning signs that they’re phishing attempts.
Fortunately, there is an easy and foolproof way to protect yourself from these. NEVER follow a link from an email to a financial site. Just type the site’s name directly into the browser (do not cut and paste), and you can be sure to end up at the legitimate site. If you think you may have followed a suspicious link by mistake, you should log in to the legitimate site as soon as possible and change your password. Fortunately, most phishing attempts are easy to spot when you are looking for them. It’s important to be vigilant, however!