
Friday, January 8, 2010

Gone Spear Phishing

Yesterday we discussed Phishing, the most common form of social engineering that targets a large number of people in the hopes that someone, anyone gullible enough will take the bait.

Today we move on to Spear Phishing: focused attacks that seem to come from people you know. Much as a fisherman uses a spear to target a single fish, spear phishing targets individuals. Where cyber criminals might send a single, mass email to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.

How does spear phishing work?

First, criminals need some amount of inside information on their targets to convince them the e-mails are legitimate. Often criminals obtain this “inside” information by hacking into an organization’s computer network or sometimes by combing through other websites, blogs, and social networking sites.

Once the criminals have your name and whatever other personal information they could retrieve they send emails that look like the real thing to targeted victims, offering urgent and legitimate-sounding explanations as to why they need your personal data. Just as in a phishing scam, the victims are asked to click on a link inside the email that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.

Unlike phishing scams where the email is addressed to “Dear Valued Customer,” the spear phishing email usually contains personal information such as a name or some tidbit about employment. They are unique emails, rather than being the mass “your bank account has been compromised,” type emails that are more common in phishing.

Spear phishing is a greater threat because the email message is addressed to a name and not a generic addressee. In addition, the email may contain other legitimate information about the receiver. The email message might look like it comes from your employer, or from a colleague who might send an email message to everyone in the organization, such as the head of human resources. It might include requests for user names or passwords or might contain malicious software, like a trojan or a virus, but by all accounts, the message appears genuine.

How can you identify Spear Phishing emails?

Spear phishing is a more sophisticated type of social engineering than phishing, but the techniques for avoiding the scam are the same, with one exception: the cyber criminal now addresses the message to you by name.

Just because the email is addressed to you by name does not mean the email is legitimate. Be suspicious. Whenever an email asks you to click a link or provide personal information, be wary.

If you do not see "https" in the link, do not proceed. Roll your mouse over the link and see if the pop-up matches what appears in the email. If there is a discrepancy, DO NOT click on the link.

If you receive an email requesting your personal information, it is probably a phishing attempt. The whole point of sending phishing email is to trick you into providing your personal information.

If there is a sense of urgency, be suspicious.

If you see misspellings or bad grammar, do not proceed.


What to do if you responded to a phishing scam?

If you suspect you have responded to a phishing scam with personal or financial information, take the following steps to minimize any damage.

Report the incident

Contact your credit card company or bank if you have given your credit information. The sooner an organization knows your account has been compromised, the easier it will be for them to help protect you.

Contact the organization that you believe the forged information came from directly, not through the email message you received.

In the United States, report the circumstances to the Federal Trade Commission: National Resource for Identity Theft. http://www.ftc.gov/bcp/edu/microsites/idtheft/

You can also report the phishing scam to the Anti-Phishing Working Group and to the FTC at spam@uce.gov. Visit their website at http://www.ftc.gov/bcp/edu/microsites/spam/index.html for further information.

Change all your passwords

Change all your passwords and start with passwords related to financial institutions or information.

Change all your passwords and make sure they are STRONG passwords. What is a strong password?

An ideal password is long and has letters, punctuation, symbols, and numbers.
Whenever possible, use 14 characters or more.

The greater the variety of characters in your password, the better.

Use the entire keyboard, not just the letters and characters you use or see most often.

Don’t be caught off guard

Visit the Internet Crime Complaint Center (IC3) http://www.ic3.gov/crimeschemes.aspx and LooksTooGoodToBeTrue http://www.lookstoogoodtobetrue.com/ websites for tips and information.



**I hope the research for my latest novel has made you a little more security conscious.**

Thursday, January 7, 2010

Gone Phishing

No, I'm not talking about the kind of fishing where you use a rod, reel, and bait.

The kind of phishing I am referring to is the most common form of social engineering. Before I delve too deep, let me take a step back and define phishing. Phishing is the process of falsely posing as a legitimate enterprise through an email or website in an attempt to acquire sensitive information such as usernames, passwords and credit card details. In short, it’s a scam.

Hmm. Maybe phishing does involve rod, reel, and bait. Rod would be the email or website you receive or visit. Bait would be the load of crap the supposed legitimate email or website is spewing. And the Reel is the link you click on that takes you to the place where you put in the information they just scammed from you.

Let's get into a little more detail. One example of phishing is a fraudulent email or website.

Phishing scams employ fraudulent e-mail messages or Web sites that try to trick you into revealing personal information.

Who has not received an e-mail message appearing to come from your bank or other financial institution that asks you to update your account information?

The e-mail message includes a link that appears to go to a legitimate site, but really takes you to a spoofed or fake Web site.

Does this email message look familiar? Or have you seen a similar email message in your inbox?

Dear First Bank User,

As a courtesy to our valued customers, First Bank conducts regular account verification processes.

In order to ensure your account information is not made vulnerable please visit http://www.firstbank.com.aaccount-update-info.com.

Please click on the above link to our website to confirm or update your account information. If you do not do this within 48 hours, you will not be able to use your First Bank account for 30 days.

Sincerely,

First Bank


**If you enter your login, password, or other sensitive information, a criminal could and would use it to steal your identity.**

How can you identify Phishing emails?

If you don't see your name, be suspicious. Notice the generic greeting. Internet criminals tend to send phishing emails in large batches and to save typing time the criminals use generic names like "First Bank Customer".

If you don't see "https", do not proceed. Notice the forged link. Even if a link has a name you recognize somewhere in it, it does not mean it links to the legitimate company. Roll your mouse over the link and see if the pop-up matches what appears in the email. If there is a discrepancy, DO NOT click on the link. Notice how the link starts with “http”. Secure websites where it is safe to enter personal information begin with "https" — the "s" stands for secure.

If you receive an email requesting your personal information, it is probably a phishing attempt. The whole point of sending phishing email is to trick you into providing your personal information.

If there is a sense of urgency, be suspicious. Notice the time sensitivity. The faster the criminal gets your information, the faster the criminal can move on to another victim. Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast.

If you see misspellings or bad grammar, do not proceed. Phishing e-mail messages often include misspellings, poor use of grammar, threats, and exaggerations.
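The link checks described in this post and in the spear phishing post (https, hover text versus real destination, a familiar name buried in a longer address) can be automated. The following is an added example, not part of the original post; the function names and the `trusted_site` parameter are assumptions, and the HTML is constructed around the example link from the sample email above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: the post's forged link hidden behind reassuring link text.
SAMPLE_HTML = ('<p>Please visit <a href="http://www.firstbank.com.aaccount-update-info.com">'
               'https://www.firstbank.com</a> within 48 hours.</p>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host the visible link text claims to be, or None if it is not URL-like."""
    if " " in text or "." not in text:
        return None
    try:
        return urlparse(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None

def naive_site(host):  # last two DNS labels; an approximation, wrong for co.uk etc.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(href, text, trusted_site):
    """Warning signs for one link; trusted_site (assumed input) is the real domain."""
    findings, target = [], urlparse(href)
    host = (target.hostname or "").lower()
    if target.scheme != "https":
        findings.append("not-https")
    if (shown := shown_host(text)) and shown != host:
        findings.append("text-href-mismatch")  # what you see is not where you go
    if trusted_site in host and naive_site(host) != trusted_site:
        findings.append("brand-in-subdomain")  # familiar name, different owner
    return findings

def scan(html, trusted_site):
    parser = LinkCollector()
    parser.feed(html)
    return [(h, check_link(h, t, trusted_site)) for h, t in parser.links]
```

An empty result only means none of these three signs fired; a fraudulent site can also be served over https.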


Tune in tomorrow when I discuss Spear Phishing.

In the meantime, DO NOT reveal any personal information in e-mail or online unless you know who you are dealing with and why. Additionally, make sure you are in a secure environment.

Thursday, April 23, 2009

I just have to whine

First, let me tell you that I am not normally a big whiner. What I mean to say is that I don't whine very often. But when I do whine, oh yeah, I whine big time.

So why am I whining today?

Because of my new job and the horrible, disgusting, and very painful drive to and from south Boston. Last night it took me 1 hour and 45 minutes to get home in bumper-to-bumper traffic.

I left my house at 7 AM and arrived at work at 8 AM. As soon as I walked in I found out that I had an 8 AM meeting, for which I was now late. The rest of the day was spent in various meetings, including one that ran until 5 PM. (I was supposed to leave at 4.) When I left an hour late, I sat in that brake light - to - brake light traffic. I wanted to pull my hair out!! Not to mention the crazy drivers that don't know how to use signals and just cut you off, but hey, we expect that.

By the time I arrived home, do you think I wanted to do anything?

Heck, no!

I gave my kitties who missed me desperately some treats and played with them for a few. I feel so neglectful being gone 12 hours a day. Then I ate some cereal because yes, I was too gosh darn tired to go back out or cook anything.

After that, I tried getting my new laptop up on the internet but, of course, it was not cooperative. Dang 64-bit operating system! So, I never got that accomplished.

Writing?! What writing? HA! How do other writers do it? Seriously. After working or commuting and working 10 to 12 hours a day where do writers find time to actually work on their manuscript?

No wonder my first two books took years to complete.

Whew! Okay, I'm glad I got that out there. Thanks!

Sunday, March 22, 2009

Gosh darn computers

Okay, is it just me or did some Windows update hose my computers? Every time I reboot them, and sometimes it doesn't wait for that, I have to reset stuff that should never change. This just started happening in the last couple of days and it's driving me nuts!

Yes, I'm ranting. No, I will not switch to Linux or some other such thing. I'm a Microsoft baby and always will be, but gosh darn it, I just want my stuff to work correctly.

I'm also probably more freaked out because I still haven't made a decision about the job thing. UGH! Which also means I haven't been writing squat. And tomorrow morning I have to have some writing done to take to my critique partner and I have to have a decision made about the job in South Boston.

Can't life, just every once in a while, be a tad simpler? You know, kinda like in a good book. Something happens but in the end everything ends happily ever after?? :-) I don't think that is too much to ask. Do you?

Thursday, February 12, 2009

One of those...2 days

SO...you ever just have those days where nothing can go smoothly??


I HATE THOSE!


Mine started when I was trying to get my backup server to give me some old files. It did not want to cooperate. And of course this is at 6 in the morning and lasts until at least 9. Then I was finally able to get to some backed up files but copying them to where I wanted so I could use them took forever.


My poor cats went scurrying away every time I yelled at my computer. :-)


Then I had to install some software. Yeah, okay, this should be a walk in the park. Not so. Because of all the security I have on my computers and network it can be a major pain.


Oh, there were other issues beyond just those but those were the biggest. Do you think I got any writing done? NOT.


Then the next day my friend Nora emails me about meeting a friend of ours for lunch. Holy cow! I completely forgot. No problem. I decide to sit down and do some writing before I have to go.


I'm all ready to write but I need to get some information on the internet. I'm waiting, and waiting, and waiting...NOTHING. Continuously! I couldn't get my email anymore. UGH!


I, being the smart girl that I am, called the cable/internet company. We went through the issue and it was identified that my cable modem had died. The thing is less than 2 years old!! So I schedule an appointment for them to replace it because it is their modem, but guess when that will be...MONDAY. Flippin' 5 days away.


Again, I being the smart chick that I am, go out and buy a cable modem because I can install it myself. And after lunch with my friends that is exactly what I do. But of course that cannot go smoothly. For those of you who don't know...it has to be done in a very specific order. Sheesh!


On top of that, when I finally do get it set up I still have to call the cable company so they can register the machine in their system so I can use it to access the internet. Do you think that was easy?? Heck, no! It took 5 phone transfers to get to the right person. Unbelievable!!


Anyway, I finally get a guy who was very helpful and does whatever needs to be done on their end and I'm set. Right?


NOT! I still had no internet access. But, I'm no dummy, so I keep the guy on the phone with me until I know it works. I mention something about the router and he says "Router?" In the back of my mind I'm thinking "DUH!!!!"


So I have to unplug the router and count to ten (love that) and then plug it back in. Woohoo!!!


At 5 PM, I finally had access to the internet. At that point, I was fried, brain-fried.


So...do you think I have written a word in 2 days?? Nope. Nada.


BUT - after all that, I think I should write a book titled, WHEN IT RAINS IT POURS :-)

© 2009 DENISE ROBBINS