In the news there was yet another large data breach. This time it was Carphone Warehouse, and the personal details of 2.4 million of its customers could have been accessed, including some encrypted credit card details. Unfortunately, as if the breach weren’t enough, the most common knock-on effect is phishing.
Phishing is where you get an email targeted at you, and you open an attachment or click on a link and become infected with malware, which can then go on to steal personal information. Cyber-criminals love to hear about large-scale breaches, because even if they were not involved in the original breach, they can make money from an associated secondary scam – phishing.
“But I won’t fall for a phishing scam…” Well, here are the top three reasons that you will:

1. Trust: If you get an email and it looks like it has come from a reputable source, then you are more likely to open it. If it has context which makes sense, you are more likely to open it. If it has personal information, especially things like loyalty card numbers (even if it isn’t yours… do you check them?), then you will open it. Phishing attacks built on the back of a media story provide the backdrop for scammers to create email which looks trustworthy… but one click on the wrong link, and you are infected.

2. You are thinking about something else: Not many people are sitting reading their email and thinking about security. We all get email from shops we have used, special offers and loyalty newsletters; in fact, sometimes it is tough to find the email you are actually looking for. All too often, people click through email mindlessly, just in case there is a bargain which is useful… but one click on the wrong link, and you are infected.

3. Your basic computer hygiene is poor: What does this mean? Well, in effect, that your anti-virus subscription has lapsed, or you haven’t installed the patches for the operating system or applications. (You know those *annoying* pop-ups which say you need to download a new version of X and you think, “I’ll do that later…”) A poorly patched system is the easiest way for cyber-attackers to get access – and it doesn’t take much to prevent it. Large-scale phishing emails and their malicious content are usually picked up by anti-virus solutions, and they tend to use well-known vulnerabilities which can be blocked by running the latest version of the OS/application. Without these… one click on the wrong link, and you are infected.
So, what can you do?
Anti-virus vendors have said for the past 20 years not to click on email from people you don’t trust, and not to trust automatic downloads from the Internet (which you weren’t expecting)… but people still do. This really is a case of being vigilant: think about the scammers and the cyber-attackers when you are reading your email, and for those where you wonder “why did they send me that?” – just delete them. Patch your systems… all the time. But remember to use the proper sites – fake pop-ups from cyber-criminals that ask you to install a plug-in when you visit a dodgy site are another way your machine can become infected with malware.
Of course, it’s not just about paying attention to email and links when at home; this needs to happen at work as well. Receiving an email (or an instant message) purportedly from a colleague with an *interesting* link in it provides the attacker with a level of instant trust – which you may fall foul of.
In the second part of this post, I’ll put forward some other thoughts on how to better protect yourself.
By Dr. Guy Bunker @guybunker