
Tidy '24: Security Week 5 - Phishing

Learn a few easy tricks to identify phishing attempts and how you can take control of situations that are meant to scare you into making bad decisions.

[Header image: various locks on a black background with the text "SECURITY WEEK 5: phishing"]

Happy Tidy Tuesday!

We've reached the end of July, which brings us to the fifth and last week of Security Month. I hope you've enjoyed the high-level, whirlwind discussion of password managers, two-factor authentication, backups, and VPNs.

In this final week, we're discussing phishing (primarily via email) and some simple ways to determine whether something is likely to be a scam. I've seen this question come up numerous times recently, and it's worth reviewing even if you already feel confident in your ability to spot a con job before you suffer any consequences.

Security Week 5: Phishing (and the sniff test)

Wikipedia defines phishing as "a form of social engineering and a scam where attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, adware, or ransomware."

In other words, it's the act of fooling you into handing over information and/or doing things that you shouldn't.

(It's spelled with that funny "ph" instead of an "f" because it's loosely related to the much older "phreaking," a slang term originating in the 1960s from people who figured out how to reverse-engineer analog phone networks using particular audio frequencies.)

Now, some phishing techniques are incredibly involved, well-researched, and complex; these are almost always narrowly targeted at high-profile victims who provide the opportunity for a large payout if successful. Early in 2024, a finance employee at a large overseas firm was tricked into making a fraudulent $25 million transfer after attending a live video call with multiple high-level employees he recognized—all of whom turned out to be deepfake avatars.

Fortunately, you and I aren't likely to encounter those anytime soon...although as AI technology advances, such shenanigans will be less costly and, therefore, more accessible for the common con artist. It's a good idea to start building the right automatic defenses before you start getting video calls from your "boss" asking you to please update your direct deposit details on the new HR portal website. 😬

This anecdote brings me to the SINGLE MOST IMPORTANT anti-phishing rule.

RULE #1: Always verify information with the source using INDEPENDENT and OUTGOING communication methods.

The first part should be obvious, but the second one might not be.

For example, if you get an email reporting an Amazon purchase that you don't recognize, don't click any links in the email. Instead, open a new browser tab and enter "amazon.com" yourself, or however you normally get to Amazon, and look at your order history. No unexpected order? No problem! Just close the tab and delete the phishing email.

A reasonably wary couple got scammed early in 2024 for $50k (video segment here) because they didn't follow the second part of the rule. The victim even called her daughter separately to verify the incoming suspicious call was from the correct number, which it was—because the caller ID was spoofed. If she had called that same number from her phone, it would have gone to the actual bank. The scammers faked the number for precisely that reason, then managed to keep her on the phone until they finished the scam.

This brings us to the second rule:

RULE #2: Never let FEAR or URGENCY drive your reaction to an unexpected email or call.

Scammers always try to catch you off-guard with something that makes you panic. In an email, this is often a fake invoice for a vaguely believable purchase amounting to a few hundred dollars or more. In a phone call, it's often something like a fraud alert, IRS back taxes coming due, or unpaid loans. People hit with unexpected and alarming news are much more likely to make rash, illogical decisions while processing that news.

DON'T BE ONE OF THOSE PEOPLE.

There are practically zero real-life situations, financially speaking, where an extra 15 minutes spent verifying everything will make things worse.

This is particularly useful for phone-based scams, where you can flush out the scammer simply by telling them you need to check with your spouse (even if you don't have one!), and you'll call them back. Usually, ending the call derails their entire process, so they'll start pushing the need to act immediately to avoid dire consequences. This is a huge red flag and a sign that you should hang up.

Another hint: if there's no obvious way to verify with the purported merchant whether a transaction occurred (where exactly do you buy Norton Antivirus subscriptions these days?), check your online banking portal for pending transactions. Charges always take a day or two to clear and show up on a statement, but they typically appear in a "pending" status just a moment after the transaction occurs, whether online or offline. If no unexpected charge is pending or cleared on any of your accounts, you're free to ignore the phishing attempt.

While the above two rules form the basis for good anti-phishing habits, there's one more that's especially good for email scams.

RULE #3: Watch out for anything that doesn't pass the sniff test.

Most of us engage in various kinds of e-commerce all the time: online purchases, online banking, and even online food orders. We've received hundreds, if not thousands, of confirmation emails, receipts, shipping notices, and so on. We have an innate "feel" for what most of these look like: the information they contain and don't contain, how they link back to the original merchant or order details, and what the process looks like if we want to cancel, return, or otherwise undo one of these transactions.

We might not think about it much, but legitimate online merchants intentionally follow these patterns in part because they want you to trust them, to feel "at home" with the transaction process, and to be comfortable using them again in the future.

With that in mind, if you receive an exceptionally terse message about a product you (supposedly) bought, with no link back to the merchant, product, or verifiable order details, but instead a big, bold, red toll-free number you should call if you want to cancel the transaction, you should immediately be on alert. This is not how legitimate merchants work.

There are a few common indicators of this type of scam email, and with a bit of practice, you can quickly learn to detect them. This "sniff test" is a way for you to quickly look at an email and form a reasonably sure opinion about its authenticity. If it smells wrong, it probably is.

Here are the red flags I watch for:

  1. 🚩 A "from" address that doesn't match the supposed merchant. Often, this will be a random Gmail, Yahoo, Hotmail, or Outlook address.
  2. 🚩 Spelling, punctuation, and other grammatical errors in the subject or message body. Authentic merchants can make mistakes here, too, but errors everywhere are a good sign that it's a scam.
  3. 🚩 A prominent invitation to call a phone number to cancel or obtain a refund. Reputable merchants provide a mechanism for refunds and cancellations, but for obvious psychological reasons, these mechanisms are rarely made prominent right in the order confirmation email.
  4. 🚩 A very short message with a PDF attachment. While some order confirmations include PDFs, those attachments usually supplement other details in the message. But if the message is mostly blank, that likely means a scammer packed the PDF with content that they hoped wouldn't get filtered by automatic spam detection software.
  5. 🚩 Liberal use of different fonts, colors, and styles (especially red). Well-crafted messages from authentic merchants typically follow more "tame" style guidelines to maintain a professional look. When a message is visually all over the map, it's a sign that someone is trying too hard to direct your attention somewhere.

When taken individually, these elements aren't sure signs of a phishing attempt. But be alert when you notice more than one of them simultaneously.
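To show how the five red flags above combine into a single "sniff test," here is an added example (not code from the original post) that scores a raw email message against each flag and only calls it suspicious when more than one trips, matching the point that no single indicator is conclusive. The free-webmail domain list, the handful of "sloppy" phrases standing in for a real spell checker, the thresholds, and both sample messages are assumptions constructed for the demo.

```python
"""Sniff-test scorer for order-confirmation emails (added example, not from the post)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Webmail domains a real merchant would not send order confirmations from (assumption).
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Toy stand-in for a spell checker: phrases common in sloppy lures (constructed list).
SLOPPY_PHRASES = ("recieve", "cancle", "been proceed", "kindly", "dear customer")
# North American phone number, with or without a leading 1 (constructed pattern).
PHONE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
# "call ... to cancel/refund" within one sentence.
CALL_TO_CANCEL = re.compile(r"\b(call|dial|contact)\b[^.\n]{0,60}\b(cancel|refund)", re.I)
# Inline colour directives in HTML (<font color="red">, style="color:#ff0000").
STYLE_DIRECTIVE = re.compile(r"color\s*[:=]", re.I)


def sniff_test(raw_message: str, merchant_domain: str) -> dict:
    """Score one RFC 5322 message against the five red flags; return flags, score, verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    from_domain = ""
    if msg["From"] and msg["From"].addresses:
        from_domain = msg["From"].addresses[0].domain.lower()

    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content() if plain else ""
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    has_pdf = any(
        part.get_content_type() == "application/pdf" for part in msg.iter_attachments()
    )

    merchant_domain = merchant_domain.lower()
    flags = {
        # 1. Sender domain is a free webmail provider or is not the merchant's domain.
        "from_mismatch": from_domain in FREE_MAIL
        or not (from_domain == merchant_domain or from_domain.endswith("." + merchant_domain)),
        # 2. Several sloppy phrases, not just a single slip.
        "sloppy_text": sum(p in text.lower() for p in SLOPPY_PHRASES) >= 2,
        # 3. A phone number paired with an invitation to call in order to cancel or refund.
        "call_to_cancel": bool(PHONE.search(text) and CALL_TO_CANCEL.search(text)),
        # 4. A nearly empty body that carries a PDF attachment.
        "short_with_pdf": has_pdf and len(text.split()) < 40,
        # 5. Heavy-handed colour/font directives in the HTML part.
        "loud_styling": len(STYLE_DIRECTIVE.findall(html)) >= 2,
    }
    score = sum(flags.values())
    # One flag alone is not a sure sign; two or more at once is the signal.
    verdict = "suspicious" if score >= 2 else "looks normal"
    return {"flags": flags, "score": score, "verdict": verdict}


def build_sample(sender: str, subject: str, text: str, html: str = None, pdf: bool = False) -> str:
    """Assemble a constructed RFC 5322 message string for the demo."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "customer@example.net"
    m["Subject"] = subject
    m.set_content(text)
    if html:
        m.add_alternative(html, subtype="html")
    if pdf:
        m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()


# Constructed lure: webmail sender, typos, phone number to "cancel", PDF, red styling.
PHISHY_SAMPLE = build_sample(
    "Billing Dept <billing.dept.8812@gmail.com>",
    "Invoice for your Norton Antivirus order",
    "Your order #CONSTRUCTED-4471 for Norton Antivirus (1 year) of $349.99 has been proceed.\n"
    "To cancle call 1-800-555-0199 for refund within 24 hours.\n",
    html='<p><font color="red"><b>URGENT: unauthorized charge</b></font></p>'
         '<p style="color:#ff0000">Call <b>1-800-555-0199</b> now</p>',
    pdf=True,
)

# Constructed ordinary confirmation: merchant domain, normal length, no phone lure.
LEGIT_SAMPLE = build_sample(
    "Amazon.com <auto-confirm@amazon.com>",
    "Your order has been received",
    "Hello,\nThanks for your order. We'll send a confirmation when your item ships. Your\n"
    "estimated delivery date is shown below. You can view or manage your order, change\n"
    "the shipping address, or cancel it any time from Your Orders on our website or in\n"
    "the app.\nOrder details: Item: USB-C cable (constructed sample). Total: $12.99.\n",
)

if __name__ == "__main__":
    print("lure:", sniff_test(PHISHY_SAMPLE, "norton.com"))
    print("legit:", sniff_test(LEGIT_SAMPLE, "amazon.com"))
```

The merchant domain is something you supply from your own knowledge of who the message claims to be from, which is the same independent check Rule #1 asks for; the scorer never trusts the message's own links or headers to tell it that. It is a teaching aid for reading mail by eye, not a spam filter: real mail from a merchant's third-party sender can trip the domain flag, and a lure with clean grammar will dodge the phrase list.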

Here's a quick review of the three most important anti-phishing rules:

  1. Always verify information with the source using INDEPENDENT and OUTGOING communication methods.
  2. Never let FEAR or URGENCY drive your reaction to an unexpected email or call.
  3. Watch out for anything that doesn't pass the sniff test.

If you have any of your own anti-phishing tricks, I'd love to hear them.

Have a good week, and happy data-taming!

If you're not already subscribed, make sure to join the weekly newsletter email list with the simple form below. You can also bookmark the Tidy '24 Calendar page for a master list of every currently published Tidy '24 topic.