I woke up one morning and checked my phone, like I do every morning, to see what was happening in the world while I was sleeping. I noticed that I had a few alerts from my bank. Cool. What couldn’t wait until morning, bank? Well, it turns out that someone that wasn’t me had overdrawn my account at an American Eagle Outfitters somewhere in Iowa.
“We would like you to authorize these charges. Did you spend $300 at American Eagle in Iowa?”
No, I most certainly did not.
I couldn’t believe it. Not because of where they were spending the money or even the amount of it, but the fact that I had spent the previous 3 years reviewing false positive requests for PhishTank, which is a collaborative clearing house, owned and operated by OpenDNS, for data and information about phishing on the internet. I felt like I had full knowledge of all the maneuvers and deceptions that phishers try to fool you with, but apparently I was wrong. They had caught me with my guard down, and got me so good that I couldn’t even recall when or where it happened.
Next stop, Bummerstown.
Phishes, if you are unaware, are fake websites designed to look real for the purpose of stealing your personal information. One of the most common examples is an email that is presumably from a bank, demanding that you log into the site for one reason or another (to update your security settings, to review recent charges on your account, and so on). A link is generally provided for “convenience,” and it often leads to a site that looks just like the log-in page of a legitimate company.
If I had just followed my own advice, I would have saved myself several days’ worth of time and hassling with my finances. Hopefully you learn from my mistakes and follow these few simple guidelines when handling your own personal, sensitive information on the Internet:
Always check the URL/sender of the email
If a website is asking for a password or any other personal information, double-check the URL or the sender of the email to make sure it’s actually who you think it is. Look closely for typos which, believe it or not, are a very strong indicator that you’re dealing with a phish. You also want to make sure the URL doesn’t have any sneaky subdomains designed to look like the website you’re attempting to visit. Read the hostname from the right: the registered domain sits just before the top-level domain, and everything to its left is a subdomain the site owner can name however they like. For instance, you want it to be google.com, and not something like google.imxds.co.il.
Think twice when presented with scare tactics
A common way that phishers try to catch you slippin’ is to make you assume that you’re on the clock. If you’re just trying to give a bank info ASAP so that they don’t lock your account, you’re probably less likely to check to see if it’s legitimate or not. Don’t fall for this trap. It’s good practice to take a step back and analyze the situation, especially before revealing any sensitive information about yourself.
Change your passwords regularly
This sort of goes without saying. You should also make sure that you choose a strong, complex password to give yourself better protection from things like “brute-force” attacks and the like. Make sure it’s not something that can be found in the dictionary, contains special characters and numbers (if this is an option), contains upper and lowercase letters, is a minimum of 10 characters long, and cannot be guessed easily from user information (birthdate, postal code, phone number, etc.). Using a password manager is probably also a good idea, as is enabling “2-step authentication” wherever available.
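The rules listed above can be turned into a checker. This is an added example for this post, not code from the original article or from OpenDNS; the word list and the sample user details are constructed, and the idea of stripping digits and symbols before the dictionary lookup (so that “Password123!” is still caught as a dictionary word) is the editor's extension of the author's “not in the dictionary” rule.

```python
import re
import string

# Constructed stand-in for a real dictionary / common-password list (assumption).
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "football"}
MIN_LENGTH = 10


def _user_info_tokens(user_info):
    """Yield the forms of each personal detail that might be embedded in a
    password: the value itself, its digits only, and each alphanumeric piece
    (so '1987-04-12' also yields '19870412', '1987', '04' and '12')."""
    for value in (user_info or {}).values():
        value = value.lower()
        yield value
        yield re.sub(r"\D", "", value)
        for piece in re.split(r"[^a-z0-9]+", value):
            yield piece


def check_password(pw, user_info=None, dictionary=DICTIONARY):
    """Return the list of rules the password fails (empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too-short")
    if not any(c.islower() for c in pw):
        problems.append("no-lowercase")
    if not any(c.isupper() for c in pw):
        problems.append("no-uppercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no-digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no-special")

    # Dictionary rule: check the password as typed and also its letters-only
    # core, because 'Password123!' satisfies every character-class rule above.
    lowered = pw.lower()
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or (core and core in dictionary):
        problems.append("dictionary-word")

    # Personal-information rule: ignore tokens shorter than four characters,
    # which would match almost anything.
    if any(len(tok) >= 4 and tok in lowered for tok in _user_info_tokens(user_info)):
        problems.append("contains-user-info")

    return problems


if __name__ == "__main__":
    # Constructed sample user details for the demonstration.
    profile = {"birthdate": "1987-04-12", "postal_code": "90210", "phone": "555-0134"}
    for candidate in ("Password123!", "Sunny1987!!xx", "short1A!", "Tr0ub4dor&3xample"):
        print(f"{candidate:20} -> {check_password(candidate, profile) or 'ok'}")
```

The output names every failed rule rather than stopping at the first, which is what a user actually needs in order to fix a weak choice in one go.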
Utilize Free Internet Tools
There are many great tools on the internet that let you check how suspicious a site is. PhishTank.com is a great example. If a link seems “phishy,” head on over to PhishTank and run it through the search engine; you’ll be presented with valuable information about the site you searched for, including whether or not the community believes it to be legitimate.
These tips seem small, but weaving them into your daily life might save you a good amount of time in the future. You should probably also upgrade your network/internet security if you haven’t already. OpenDNS is a pretty great solution. You can also take the OpenDNS Phishing Quiz and see how good you are at determining the difference between an actual phish and a legitimate company site.