[just a very brief post about phishing – there’s a lot more to learn about the topic if you’d like to know more]
We deal with phishing questions quite often. Lots of people in the community receive phishing messages – simply because West Mifflin is such a big community. Even our staff receive phishing messages.
“Phishing” is a (mostly) technological term coined to describe the act of throwing a message out there to a mass of seemingly random people in the hopes that some unsuspecting “phish” (I suppose) takes the bait and gets hooked.
Yes, similarly to actually fishing.
Here’s what happens. You receive a message similar to the one pictured above that basically says “hey, you! There’s some form of trouble with your bank – it’s ok though, log in here to take care of it.”
It’s mostly a psychological thing designed to trigger and incite panic so that you react without thinking and log in to resolve what you perceive as a critical issue. Instead of logging into an authentic site, you’re putting your information into a form that passes it along to your “phisherman” (see what I did there?).
So, you entered your username and password – the chances are that the form looks like it didn’t do anything. You got nothing, and your bank login information has been passed through and recorded in a database.
Often, it’s not the “phisherman” who uses your account information directly to log into your account – that would be silly for various reasons. Instead, these lists of many usernames and passwords are sold on the dark web for others to use for their financial gain.
Why does it happen? Just like many malicious, nefarious crimes, it’s done for money and/or information – pretty simple really.
Who “phishes”? We wish we knew! Often, these messages/attacks aren’t domestically orchestrated. Users and groups in a variety of known foreign countries use unwitting sites and computers around the world to host and distribute these messages – which makes the “who” incredibly difficult to both define and ascertain.
How does this happen? The science behind phishing can be quite complicated, but the basics are this: unsavory programmers write code that infects unsecured websites, injecting code that creates pages that look like bank login pages, and then sends phishing messages to random email addresses or phone numbers (or to addresses gleaned from lists).
Sometimes actual personal and business computers are infected with software that does the same thing, turning the computers into distribution zombies without the users knowing.
Conveniently, it’s all very hands-off when it gets going. This is why it’s always very, very important to monitor your computers and web sites, keeping them updated and all that good stuff. Be smart and use common sense.
Why text? That’s silly – banks never send messages worded like that via text. You’re smart! You’re right! They don’t. However, there are few filters for text messages. Most email systems filter phishing messages so that you don’t even see them.
This all sounds very complicated. What can I do? Nothing. You do nothing. Easy, right?
Well, you know to do nothing. You see the message in your inbox or on your phone, you say to yourself “Not today phisherman”, and you delete it – you do not click the link, you do not pass go, and you do not lose $200.
Even simply clicking the link can open your computer to malware and attack. Do Not Click The Link.
If you’re feeling super community oriented, you can report phishing to the US CERT, and look up your specific bank’s phishing reporting system.
Always check the address of the bank site that you do log into. Always check to see that the site you’re visiting and putting your information into is secure (“https”, or a lock in the address bar). It’s even fun to read the message to spot the inevitable spelling, branding and grammatical errors (remember, “foreign entities”?).
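Those two address-bar checks (is it “https”, and is the host really your bank’s domain?) can be written down as a small script. This is an added example, not part of the original post; the bank domain and the sample links are constructed placeholders, and the script goes a step further than the post by showing that the bank’s name appearing somewhere in the address is not enough.

```python
from urllib.parse import urlsplit

# Constructed placeholder: use your own bank's real domain here.
MY_BANK_DOMAIN = "examplebank.com"


def check_bank_link(url: str, bank_domain: str = MY_BANK_DOMAIN) -> tuple:
    """Apply the address-bar checks from the post to a link.

    Returns (ok, reasons): ok is True only when the link is https AND the
    host is the bank's domain (or a subdomain of it); reasons lists every
    check that failed so the user can see why the link was rejected.
    """
    reasons = []
    parts = urlsplit(url.strip())

    # Check 1: the site must be "https" (the lock in the address bar).
    if parts.scheme.lower() != "https":
        reasons.append("not https (scheme is '%s')" % (parts.scheme or "none"))

    # Check 2: the host must END with the bank's domain. A host such as
    # examplebank.com.secure-login.example contains the bank's name but is
    # a completely different site.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        reasons.append("no host in address")
    elif host != bank_domain and not host.endswith("." + bank_domain):
        reasons.append("host '%s' is not %s" % (host, bank_domain))

    # Check 3: "https://examplebank.com@other-site.example" shows the bank
    # name first, but everything before the '@' is a user name, and the
    # real host is what follows it.
    if parts.username is not None:
        reasons.append("address has a user name before '@'; real host is '%s'" % host)

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample links, good and bad, for a quick demonstration.
    samples = [
        "https://login.examplebank.com/",
        "http://examplebank.com/",
        "http://examplebank.com.secure-login.example/login",
        "https://examplebank.com@other-site.example/login",
    ]
    for link in samples:
        ok, why = check_bank_link(link)
        print("OK  " if ok else "BAD ", link, "; ".join(why))
```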
Eek! I clicked the link and I put in my information! It happens. Try not to do it again.
Stop reading this and contact your bank IMMEDIATELY. Explain what happened. They should take measures to re-secure your account (often just as easy as changing the password).
You may need to reach out to your local police department if your case gets to the point of fraud and/or identity theft.
Always monitor your accounts and credit reports for suspicious activity.
But wait, that’s not all. There’s “Spear Phishing”, too!
Where phishing is just throwing a hook out there, hoping that someone bites – spear phishing is addressing the message specifically – sending it to a specific person at a specific address, for specific information.
Often, a CEO, administrator, or someone in authority will be targeted – hoping they turn over login credentials or substantive account information. We all know that our people in power are too smart to fall for that though, right?
How can I help? Surely there’s something I can do to get ahead of these scammers? Educate, educate, educate.
Feel free to share this post and send it to everyone you know. Make sure your friends and neighbors know what phishing is (especially the highly susceptible elderly). Make sure everyone knows where they should and should not be putting their information.
It’s important not to panic and not to react on impulse, but to recognize scam attempts and act accordingly.
If you ever question the legitimacy of a text, phone call, email or letter from your financial institution – call them directly using the telephone number on your bank statement.
Questions? Contact your local police department or IT Security professional.