3 simple tips to stay off the hook this phishing season

We’re entering peak retail season.

Black Friday, Cyber Monday, Hanukkah, Kwanzaa, Christmas, Boxing Day, the New Year Sales – it’s the start of a long season of giving and receiving, buying and selling, visiting shops and going online to shop around.

You’re likely to be looking for things you don’t buy every day, from retailers you don’t deal with every day.

So, even if you’re shopping in-store, you can expect plenty of online action via SMS, web and email – invoices, receipts, confirmations, deliveries, acknowledgements…

…and that’s just for the things you’ve already bought.

On top of all that, you’ll get any number of special offers, solicited and unsolicited, expected and unexpected, genuine and scammy.

We know that the majority of Naked Security readers are strongly interested in IT and computer security, as well as partly or fully responsible for security at work or at home (or, more likely, both).

So, even if you could spot a phish at 100 paces, what about your friends, family and colleagues?

We thought it might help if we put together a brief “story in pictures” to help you do the explaining.

Here goes.

Down memory lane

Here’s a phish from a few years ago, when the crooks first realised that getting your email password was as good as getting your banking credentials – or perhaps even better, given that your email password is often the key to resetting the passwords on dozens of other accounts:

Although you’ll still see phishes like this, by today’s standards it is rather obviously suspicious – in slang terms, you might call it “amateur-time”.

Nothing about it quite adds up – it has an unprofessional look, uses colours that Outlook.com doesn’t, mentions a mail limit that’s completely different from real life, and is written in illiterate, mis-spelled English.

Unfortunately, you can’t rely on every crook being this slapdash, so you will often see phishes that are much more believable – technically and visually.

In other words: “it looks like garbage” is a good rule for getting rid of spams and scams, but “it looks OK” is not good enough on its own for accepting an email or a web page.

KISS

Some crooks have realised that the shorter, sweeter and simpler you keep an attack, the easier it is to pass muster, like this SMS scam campaign from Australia:

See what they did there?

SMSes are so short that it’s easy to produce a grammatically correct message, especially if all the message says is, “You have a message.”

Worse still, SMSes, like tweets, often contain shortened web links to save space, making it easier for the crooks to pass off a rotten domain as a safe-looking one.

Don’t be in a hurry to click, especially if the message claims to relate to a service you already use.

After all, if your bank sends you a message about a message, you don’t need a link because you already know how to get to the right page on your banking website by yourself.

Good looks

Sometimes, crooks go to a bit more effort than the Outlook.com example we showed above.

Here are some recent examples from our spamtraps where the crooks have “borrowed” the icons and visual flavour one of the world’s most popular computer brands, Apple:

Fortunately, even these crooks haven’t taken as much care as they could have, but if you’re in a hurry, or aren’t a native speaker of English, these messages look likely enough.

But let’s not rush into it – let’s try what Staysafeonline.org suggests: Stop. Think. Connect.

Try this logic for size:

• If these messages are true, you don’t need to click – you can just head over to Apple’s website manually, or open the AppStore app yourself.
• If the messages are not true, you don’t want to click, for obvious reasons.
• Therefore, true or false, your best action is not to click.

Easy, isn’t it? Don’t click!

Click to cancel

Some crooks take a more subtle approach than threatening you with a generic problem with your whole account.

Instead, the crooks pretend to have processed a specific transaction, often for a fairly modest amount (but not so small that you’re likely to ignore it)…

…and below the invoice, they helpfully provide a button to dispute or to cancel the transaction if you think it’s fraudulent.

It’s tempting to take a look “just in case”, especially if you have recently bought items via Apple and wonder if this might be one you forgot about, or if you’re worried that your kids have been spending your money in the AppStore behind your back.

Don’t do it!

Don’t click through “just in case”, even if the purchase is the same as or similar to one you did make.

Popular advice says to hover over the link you’re about to click, thus popping up a box that shows where you’re about to go, to help you check in advance whether you’re heading to a real site like apple.com or an imposter that’s nothing to do with Apple.

We have a simpler approach: ignore all the links entirely in any email like this is, for exactly the reasons we’ve discussed above.

If the transaction is real, you will find it by logging into your Apple account without any email help, so there’s no point in clicking.

If the transaction is fake, there’s no point in clicking.

If in doubt…

To leave you with some short and simple messages you can give to your friends and family this holiday season:

1. For personal information. If in doubt, don’t give it out.
2. For web links. If in doubt, don’t connect out.
3. For website forms. If in doubt, don’t fill it out.

TL;DR – IF IN DOUBT…DON’T.