With each UK citizen spending an average of £330 on Christmas presents each year and an estimated 19% of annual sales being typically generated during the six-week lead-up to the festivities – the biggest trading period in retail – it’s clear that Christmas is a highly lucrative time of year for retailers. It’s also a lucrative time of year for online fraudsters as many enticing discounts and special promotions are offered by email to lure customers in. All of these are perfect opportunities to gain access to passwords, accounts and credit card data through phishing scams. So, how to protect against phishing?
Or to put it another way, how can you recognise these ‘fishy’ emails? (groan -Ed).
Or indeed, what tips should IT give to staff to help them protect against phishing?
Know Fraud, No Fraud
What is phishing? The word ‘phishing’ was invented as a homophone of ‘fishing’ as it involves creating a bait to lure victims. Typically it involves an email; although sometimes a telephone call – called Vishing – or a text – called Smishing. (And wanting less jargon is called wishing-Ed) which purportedly comes from a trustworthy source such as a bank, payment processor or retailer or even a colleague or friend (who has unknowingly been hacked). These emails are often credible enough to deceive the recipient into clicking on a link which could then release malware – viruses, worms, Trojans or bots – onto the recipient’s computer or take the victim to a fake website. Which leads us to: how to protect against phishing.
Tip 1: How to protect against phishing. Never, ever follow suspect links
There is no 100% guaranteed way to detect phishing but, if there is the slightest suspicion that the email may be fraudulent, do not click on any links it contains. Always enter the sender’s website address (not the link in the email) directly into your browser.
Phishing attacks — can AI help people provide a fix?
Tip 2: How to protect against phishing. Check out the sender
Be warned if the part after the ‘at’ sign @ in an email address doesn’t match the purported sender; for example, if ‘PayPal’ sends you an email from email@example.com or the URL is misspelled as www.paypa1.com or something similar. This is a (fake) website owned by a cybersquatter. Some of the most well-known companies in the world have website impersonators including Facebook, Google, DropBox and PayPal.
Tip 3: How to protect against phishing. Don’t give in to emotional blackmail
Phishing mails almost always contain the same kind of content and requests. Sometimes, they ask you to update your user account or password. But sometimes they use psychology to get you to react: the notification of a big lottery win, an offer to take part in a once-in-a-lifetime business opportunity or, particularly popular at Christmas, an appeal for a donation to a charity.
When is a CFO not a CFO? How to avoid being a ‘spear phishing’ victim
We all know about phishing, and rarely struggle to identify it, but ‘spear phishing’ remains a looming threat for business IT security. Evtim Batchev, CTO at Halian, explains to Information Age how employees can avoid these scams by following these simple tips.
Tip 4: How to protect against phishing. Banks never want to know this
There are some things that your bank will never ever ask you. They don’t want your passwords or PINs to be sent by e-mail or text; they don’t want you to authorise the transfer of funds to a new account; and they don’t want you to meet a bank representative at your home to collect cash, bank cards or anything else.
Tip 5: How to protect against phishing. Beware of opening attachments
If attachments with unknown file extensions (or PDF files) suddenly appear as an e-mail attachment, it is a clear indication that something is wrong – especially if you haven’t had any previous dealings with the sender.
Tip 6: How to protect against phishing. Personal salutation
Most companies address their customers by name. But if the name is missing, misspelt or if there is no name at all and it just says something like ‘Hey’ or ‘Dear Customer’, it could be an indication that this is a fake email.
Tip 7: How to protect against phishing. Trust is good but control is better
By regularly checking your bank statements, you can mitigate any potentially serious consequences of a phishing attack. Any suspicious or unknown transactions should be reported directly to the bank or credit card company immediately.
Explosion of look-alike domains poses phishing risks to online shoppers
Tip 8: How to protect against phishing. Keep yourself up-to-date on current scams
Take the time to read up regularly on ways to protect your digital safety. If you hear that a service provider has been hacked, be sure to follow their instructions and change your password.
Tip 9: How to protect against phishing. Only use secure websites
When conducting online transactions, go directly to the website. If the special offer is genuine, it will be available on the website. Look for a sign that the site is secure, such as a white padlock icon on the browser’s status bar or a “https” URL (where the “s” stands for “secure”).
Tip 10: Protect your computer with a firewall, spam filters, anti-virus and anti-spyware software.
Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking new viruses and spyware.
Tip 11: Click in haste, repent at leisure
Many phishing e-mails put pressure on you to act quickly or else, they threaten, something bad will happen or you will miss out on something very important. A ‘bank‘ might warn you that your account will be closed unless you act quickly; or a company might tell you that you have won a major cash prize, but only if you can claim it in the next 24 hours. Don’t act in haste. Take your time to satisfy yourself that the message is genuine.
Tip 12: Genuine messages don’t make threats
Although most phishing scams involve trying to trick or persuade people into handing over sensitive information, some fraudsters use fear and intimidation to scare their victims. For example, threatening to send embarrassing videos or photos to contacts unless a ransom is paid. Try not to react immediately to an email take a few minutes to calm down and think rationally. Why would this person be emailing you, specifically about this, all of a sudden?
The JDLR rule
Few people fall for the ‘Nigerian Prince offering untold riches‘ scam any more, but criminals are now able to put together professional-looking messages and web pages which can trick even the most discerning person into giving away personal information when they are tired, busy or stressed. Check your privacy settings on popular social networks to restrict how much personal information you are making public and above all, follow the JDLR rule. If it ‘Just Doesn’t Look Right‘, then it probably isn’t.
About Jan Oetjen, CEO of GMX
Jan Oetjen is responsible for the Mail and Portal business of the United Internet AG including the international brands GMX and mail.com. Before joining United Internet in 2008 he was Managing Director at the Travelocity Group heading the operations of the online travel service in Germany and France. Since 2018 he has also been Chairman of the Board of Trustees of the European netID Foundation, an independent body of the internet industry that provides and further develops the open netID login standard.