John Morgan, Administrative and User Services Coordinator at Pitzer Information Technology
…and now you’re doing exactly what they wanted you to. See how easy that was? That pang of fear; the “Oh no, here we go, I forgot to update my password again” feeling. Did you feel it? That panic is the whole point: a worried person clicks first and thinks later. It is exactly what people wishing to break into your online accounts are after when they send malicious e-mails asking for sensitive information. They could ask for your username, password, or pet’s name (Super serious. Remember all those security questions that websites make you answer?) and other sensitive information relating to your identity. Called “Phishing”*, this practice is carried out through a network of official-looking e-mails and websites that act as bait to lure and catch you, the fish.
The first step is to send what appears to be a very official looking e-mail, usually implying urgency or threatening to cost you time or money if you don’t respond (see: title of article). These e-mails will sometimes ask for an e-mail reply to a specific address provided within, but often simply have links to external websites that they ask you to click on.
The websites on the other end of these links are designed to look exactly like the legitimate ones, but they are hosted on servers the attacker controls. Everything you type into the form goes straight to the attacker, who can then do a multitude of nefarious shenanigans with it… and not cheeky monkey ‘oh, you rascals’ shenanigans, but more like the ‘take all your money’ kind of shenanigans: identity theft, unauthorized purchases, or simply draining your accounts of funds.
“Great, I.T. geek, so I’m terrified. What do I do now?” Well, you have two things going for you. First, these scammers are typically lazy and make easy mistakes. Mistakes that, with a little common sense, you can spot and that should raise a red flag on your radar. (You should know I sometimes mix metaphors) Second, your friendly neighborhood Pitzer I.T. Department is here to provide you with a few quick tips that can help you avoid falling victim to these scams:
- The sender’s e-mail address does not match the business it claims to represent. The label may say something official like “Pitzer Registrar”, but the actual address (the part between the < >) displays as email@example.com. The label is just free text the sender typed in; the address between the < > is the part that counts. Obviously, someone here at the Pitzer Registrar (or Paypal or Bank of America, etc.) is probably not going to have an e-mail address in Liechtenstein. Nothing against Liechtenstein, it’s a great place. I even drove across the country once for about 20 minutes (You should also know that sometimes I make geography jokes).
- The hyperlink does not match the business, or does not match what the link text displays. In most interfaces you can hover (NOT click. Never click.) your mouse over a hyperlink to view where it’s actually going to take you; on a phone, pressing and holding the link usually shows the same thing. If the URL has strange characters, or a lot of elements you don’t recognize, or the real business name shows up somewhere other than right before the first single “/”, it probably isn’t legitimate. For safety, if an e-mail is exclaiming that you need your password changed or any personal information updated, DON’T use the hyperlink in the e-mail itself. “But I.T. Geek, links are so blue and shiny and helpful.” Yes, I know, and they are meant to be helpful and convenient, but (in one of those “this is why we can’t have nice things” ways) it’s far safer to open a browser and go to the website directly. For example, if Paypal sends you an e-mail saying you need to click the link and reset your password, close the e-mail, open a browser, and go to Paypal.com directly.
- Another big clue to a phishing scam is incorrect spelling or grammar. Corporate e-mails usually pass several native speakers who proofread them before they go out, if only to avoid a typo. There are entire departments dedicated to delicately crafting these artisanal e-mails by hand, personalizing each and every one. Actually, the e-mails are usually generated automatically by a computer program. But still! This is a good thing, because the template was created by those communications departments and the program only has to fill in your personal information when sending the e-mail to you. This means that when you see spelling errors, spacing issues, or strings of unintelligible symbols (ever accidentally change the font on a document to Wingdings?), it is usually a good indication that it is a scam.
It’s not even that the hackers are terrible spellers or never went to school to learn the finer points of kerning (the monsters). It’s usually done to bypass spam filters. Spam filters keep track of specific word combinations (a.k.a. sentences) seen in known scam e-mails and do their best to block any message that contains that same combination of words. So the hackers will purposefully misspell words or change the phrasing of the e-mail so it no longer matches, fooling the filters into thinking they aren’t like those other faking fakers and are really the legitimate long-lost cousin who’s stuck out of the country and needs you to wire money to a place you’ve never heard of.
- The e-mail urges you to take immediate action. Ok, calm down. You typically won’t see legitimate e-mails warning or threatening you to take action right away. It’s exceedingly rare that this ‘final notice’ type of e-mail magically made it through the labyrinth (RIP Bowie) that is your e-mail system when the first 23 notices companies normally send didn’t. Exclamation points are a big giveaway as well. Most corporations only use exclamation marks when they’re trying to sell you something, not when they’re trying to collect money you owe them.
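The four tips above are exactly the kind of checks a mail filter or a quick triage script can run mechanically. The script below, an added example and not something from Pitzer I.T., runs them over two constructed sample messages (one phish, one benign): it compares the sender’s real domain against the domain the display name implies, compares each link’s visible text against its actual href, looks for a small list of misspellings, and counts urgency phrases and exclamation marks. The expected domain `pitzer.edu`, the misspelling list, and the urgency phrases are assumptions chosen for the example; a real tool would use the Public Suffix List and a proper spell-checker instead of the naive helpers here.

```python
"""Heuristic phishing checks mirroring the four tips in the article.
Added example with constructed sample messages; not Pitzer I.T.'s code."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the message claims to come from (assumption for the example).
EXPECTED_DOMAIN = "pitzer.edu"

# Constructed phishing sample: official-looking display name, unrelated
# sending domain, link text that disagrees with the real href, typos, urgency.
PHISH = """From: "Pitzer Registrar" <registrar@mail-alerts.example.net>
To: student@pitzer.edu
Subject: FINAL NOTICE: your account will be suspended!!!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Studnet, you must verfy your password imediately or lose access!!</p>
<p><a href="http://pitzer.edu.login-reset.example.net/update">https://my.pitzer.edu/password</a></p>
</body></html>
"""

# Constructed benign sample for contrast.
LEGIT = """From: "Pitzer Registrar" <registrar@pitzer.edu>
To: student@pitzer.edu
Subject: Reminder: spring registration opens Monday
Content-Type: text/html; charset=utf-8

<html><body>
<p>Registration opens Monday at 8am. Log in at
<a href="https://my.pitzer.edu/">https://my.pitzer.edu/</a> when you are ready.</p>
</body></html>
"""

URGENCY_PHRASES = ("final notice", "immediately", "suspended", "urgent", "within 24 hours")
# Tiny constructed misspelling list; a real checker would use a spell-checker.
MISSPELLINGS = {"verfy", "imediately", "studnet", "acount", "pasword"}


def registered_domain(host: str) -> str:
    """Last two DNS labels. Naive (wrong for co.uk and friends); a real tool
    would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def analyze(raw: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Run the four red-flag checks and return the findings plus a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    visible = " ".join(parser.text)
    lowered = (str(msg["Subject"]) + " " + visible).lower()

    # Tip 1: the display name says one thing, the real address says another.
    sender_mismatch = registered_domain(sender.domain) != expected_domain

    # Tip 2: link text vs. actual target, and target vs. the expected domain.
    links = []
    for href, shown in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if "://" in shown else None
        links.append({
            "href": href,
            "text_mismatch": bool(shown_host)
            and registered_domain(shown_host) != registered_domain(href_host),
            "offsite": registered_domain(href_host) != expected_domain,
        })

    # Tip 3: spelling errors (including filter-evading misspellings).
    words = set(re.findall(r"[a-z]+", visible.lower()))
    misspelled = sorted(words & MISSPELLINGS)

    # Tip 4: urgency language and exclamation marks.
    urgency = sorted(p for p in URGENCY_PHRASES if p in lowered)
    exclamations = lowered.count("!")

    score = (int(sender_mismatch) + sum(l["text_mismatch"] or l["offsite"] for l in links)
             + len(misspelled) + len(urgency) + int(exclamations >= 2))
    return {"display_name": sender.display_name, "sender_mismatch": sender_mismatch,
            "links": links, "misspelled": misspelled, "urgency": urgency,
            "exclamations": exclamations, "score": score,
            "verdict": "likely phishing" if score >= 2 else "no red flags"}


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The phish sample trips every check (foreign sender domain, a link whose visible text says `my.pitzer.edu` while the href points at `example.net`, three misspellings, two urgency phrases, five exclamation marks), while the benign reminder scores zero. Notice that the phishing href starts with `pitzer.edu.` and still resolves to `example.net`: the registered domain is the part right before the first single `/`, which is why the script compares registered domains rather than looking for the business name anywhere in the URL.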
If all else fails and you are still in doubt, forward the e-mail to our Help Desk and we will be happy to look into it for you.
Pitzer Help Desk: firstname.lastname@example.org or x73065.
Stay safe and happy Interneting!
*“PH” often replaces “F” in hacker lingo. It’s thought to be an homage to phreaking, which was popular in the pre-internet days when phone systems were hacked, or “freaked” (seeing a linguistic pattern here?). Phone company accounts were then traded as currency in the hacker community.