by Paul Arnote (parnote)
Linux users, as a group, are pretty savvy. It's difficult to slip something by them, or to fool them. But occasionally, it does happen.
Phishing is a year-round problem. As the winter holidays approach, you can expect to see an increase in phishing emails in your email account's inbox. The reasons should be fairly obvious, as those who wish to steal your information use ploys that are particularly effective during the holidays. It is a time of year when nearly everyone is seeking great deals as they purchase holiday gifts.
Wikipedia defines phishing as follows:
Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using fake bait in an attempt to catch a victim. Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Many websites have now created secondary tools for applications, like maps for games, but they should be clearly marked as to who wrote them, and users should not use the same passwords anywhere on the internet.
So, what can alert us to the possibility that an email is likely a phishing scam?
Too good to be true. This is a frequent ploy. The scammer lists an item for sale at a price that is too good to be true. This is a particularly effective tactic, especially during the holidays, since most people are trying to fit as many gifts as possible into diminishing budgets. Someone you don't know + big promises = most likely a scam. The old adage "if something seems too good to be true, it probably is" goes a long way.
Mismatched URLs. Unless you're paying close attention, this one is very easy to miss. The hyperlink may appear on the up and up within the body of the message, but the actual website it is sending you to is anything but up and up. In most modern email programs, as well as most web based emails, just hovering your mouse over the hyperlink will display the actual destination URL, and in a phishing email it will be different from the one displayed in the body of the email.
Misleading domain names. This one catches a lot of people off guard. Knowing proper DNS naming structure for domains is a huge help with this one. For example, https://msdn.microsoft.com/en-us/ is a valid child domain of the microsoft.com web domain, because the modifier -- msdn -- appears to the left of the domain name. However, https://msdn.microsoft.com.yourinfosnowmine.com is not a child domain of microsoft.com; it directs the user to the yourinfosnowmine.com website. In this URL, https://msdn.microsoft.com appears to the left of the real domain. So, even though it incorporates Microsoft's domain name within the URL, the final destination will be a site that is designed to soak up and steal every bit of information you are willing to provide -- including name, address, phone number, user name, password, credit card information, date of birth, and anything else you're willing to hand over.
Oftentimes, the fraudulent website will be designed to look like the legitimate website. Based on appearance alone, it may be virtually impossible to distinguish between the legitimate website and the fraudulent one. However, paying close attention to the domain name/URL should help you make the distinction.
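The two checks described above (mismatched URLs and misleading domain names) can be automated. The following Python sketch is an added example, not part of the original article: the function names, the reason labels and the sample message are hypothetical, and the trusted domain is something the reader supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lowercased hostname of a URL, or None when the text has no host part."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".") or None

def belongs_to(host, domain):
    """True only when host is the domain itself or a child of it.
    DNS names are read right to left, so the real domain is the suffix."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html, trusted_domain):
    """Return (destination host, [reasons]) for each link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target, reasons = host_of(href), []
        shown = host_of(text) if "://" in text else None
        if shown and shown != target:
            reasons.append("mismatched-url")       # link text names another host
        if target and trusted_domain in target and not belongs_to(target, trusted_domain):
            reasons.append("misleading-domain")    # brand is not the rightmost part
        findings.append((target, reasons))
    return findings

# Constructed sample body; both URLs are the article's own examples.
SAMPLE = """
<a href="https://msdn.microsoft.com/en-us/">https://msdn.microsoft.com/en-us/</a>
<a href="https://msdn.microsoft.com.yourinfosnowmine.com/">https://msdn.microsoft.com/en-us/</a>
<a href="https://msdn.microsoft.com.yourinfosnowmine.com/">Sign in</a>
"""

if __name__ == "__main__":
    for host, reasons in audit_links(SAMPLE, "microsoft.com"):
        print(host, reasons or "ok")
```

The comparison works on the hostname only, so a link that hides behind a redirect or URL shortener still needs the hover check described above.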
Poor spelling and grammar. Let's face it. Those who send out the malicious phishing emails may be clever in their methods, but it seems that they are all spelling and grammar class dropouts. Quite frequently, the emails and/or the fraudulent websites will be overflowing with spelling and grammatical errors. This is something that NO self-respecting marketing department would ever allow. And trust me, the marketing department for a major business has a hand in the things that appear on the website, as well as information that is sent out via email mass mailings.
Send money to cover expenses. Although this rarely happens in the first email encounter (some credibility-challenged individuals do cut to the chase right up front, however), if they get around to asking for some money up front to help cover expenses -- shipping, taxes, fees, grandma's bootlaces, etc. -- you can pretty much kiss your money goodbye if you comply. These are nearly always scams.
Asking for personal information. The scammer did his homework and plied his skills well. The email looks "official" and seems credible. That is, until they ask for your personal information. Your bank shouldn't be asking you for information on your accounts -- they already have and know that information. Other reputable companies won't be emailing you to gain access to your credit card number, passwords or answers to security questions.
You didn't initiate the exchange. I can't even count the number of times I've received an email (usually caught by my spam filter) informing me that I've won the EU Lottery. Not only did I NOT ever buy a ticket for the EU Lottery, I don't even know if the EU has a lottery. I've also not ever had enough of an interest to seek an answer via an internet search. Since I've never purchased such a lottery ticket, there's absolutely no way I could have won. That is how lotteries work, at least around my neck of the woods, and I suspect everywhere else, too.
And yes, I do play the lottery from time to time, but I usually restrict myself to the smaller lotto-type number games that are restricted to the state where I live. Although still astronomical, my odds are WAY better than with the popular multi-state lotteries -- where my odds are infinitesimally small. Plus, at no time when I've ever purchased a lottery ticket was I ever asked to provide my email address. Thus, they would have no way to know how to contact me in the rather unlikely chance that my tickets were the winning tickets. In fact, there is no way to match me up with the "winning numbers" unless and until I turn in the winning ticket -- and by then, I already know I'm a "winner."
The above is an obvious attempt to corral me into giving up vital, private information. Similarly, if you get an email from someone telling you that you won some contest you did not enter, rest assured that it is most assuredly a scam. This also goes for phony contests on social media sites.
Makes unrealistic threats. While trickery is a common ploy, some nefarious individuals rely on intimidation to get you to provide your sensitive and private information. Along with the lottery "you're a winner" emails, I've gotten numerous emails (caught by spam filters) stating that unless I provide the requested information (usually includes your account number) and copies of two picture IDs, my bank accounts will be frozen and their assets seized. Except, I've never had bank accounts at those particular banks. Even if I did, it's unlikely that the bank will communicate such matters outside of the more secure internal email system on their site. It's also most likely against the law for any bank to freeze/seize your accounts, just because you didn't respond to an email.
In the past, I've also received numerous emails telling me my Facebook account has been compromised. When I traveled to the website (curiosity be damned), there were form fields asking for all kinds of my sensitive and private information. These were things that Facebook really had no need to know, anyways, even if it were legit. But there's one small problem ... I've NEVER had (and probably never will have) a Facebook account.
Pose as a government agency. There is little else in life that's as intimidating as dealing with a government agency. They write the rules, and they usually hold all the cards. Some scammers try to tap into that intimidation factor by posing as a government agency. Although government agencies can and do use email, the initial contact with an individual is rarely, if ever, via an email.
It just doesn't look or feel right. If you receive an email and get the gut feeling that something about it just isn't right or just doesn't feel right, TRUST YOUR INSTINCTS! There is something that is setting off those alarm bells. It probably isn't on the "up and up." Responding to it and providing the information they are seeking is just going to (most likely) be expensive for you and provide you years of pain and heartache.
Fake charities. Since the holidays are the season for giving, many consumers try to give back by donating to their favorite charity or charities. Scammers are attuned to this sense of philanthropy and good will, and will try hard to separate you from (minimally) some of your hard-earned money, and at worst, your sensitive and private information. Be extra vigilant if you are in the position to be able to give to a charity. Fake charities and fake charity websites abound, especially during the holiday season.
Your package has shipped ... One way scammers target their victims is by sending out fake shipping notifications. They send out a shipping notification and the unsuspecting recipient clicks on the link. During the visit to the malicious website, you may pick up some spyware, viruses or other malware (if you're using Windows ... Linux users are safe from these major annoyances), or they may ask for "confirmation" of your sensitive and private information. Keep track of the companies you've bought items from during your online shopping trips, and don't click on any links from a company you did not make a purchase from. Also, follow the other "rules" listed here.
I'm sure there are other ways that scammers will attempt to gain access to your information, if not your hard-earned cash. I've attempted to cover the most common methods here.
Apply the knowledge shared here to make your holidays a lot brighter, and to help prevent them from becoming a real bummer. Coupled with the other security-minded articles we've run in The PCLinuxOS Magazine, you can get through the holidays with your wallet and identity fully intact.