All posts by Ben Finke

Teach a person to phish, and they will never click on a link in an email again.


Let me start by saying that I realize that a lot of important messages with links arrive in your inbox everyday.  I get it.  It’s painful to not use the links.  And so many legitimate emails come through this way!  The problem is lots of phony ones do too.

For the most part, computers are pretty well set up to prevent direct attacks.  You have to do something to help along this process.  One of the most useful ways of attacking your computer is to take advantage of vulnerabilities in your web browser (see our previous post on a recent IE vulnerability).

In order to obtain anything of value from you (money, passwords, control of your computer, etc.) the attacker needs to get you to visit a webpage that runs code specifically designed for their purpose.  So the attacker needs to make a choice: hijack an existing webpage that you are likely to go to, or use some tactic to prompt you to visit a new website.  Phishing is one of those tactics.

No, a different kind of fishing...
No, a different kind of fishing…

One of those words that nobody would recognize 15 years ago, phishing is the act of using Internet communications like email, instant messaging, and social media messaging to entice a user to click on a link to an attacker site.  Email is a very popular vector because it is cheap, it is (nearly) universal, and it is effective.  Now the attacker only needs to craft a message that looks important enough for at least some of their audience to click on.

There are several methods the attacker can use here.  They may copy notification messages from a universal type of Internet service that nearly everyone uses (PayPal, Ebay, Facebook, etc.).  They could try to fake a message from a common financial institution.  Or they could pose as UPS or Fedex, letting you know that action is needed on your part or your shipment will be cancelled.  They might pretend to be a large retail chain or consumer electronics company.  Last, but certainly not least, is the lottery method (“You’ve won a Starbucks giftcard, click here to give us your mailing information!”).

The point is, if you think about it, it wouldn’t be hard to craft a fake email that you could get your friends to click on.  And the click is all it takes.  The action is over and done before you’ve had time to rethink your decision and close the browser tab.


So what can you do to protect yourself?

Rule #1 – Go direct.

Got an email from Paypal that your account needs attention?  Open a new browser tab and go directly to Paypal.  Message from your bank? Same thing.  If you need to call these companies, go directly to their website and find the Contact Us info.  And if it was actually legitimate, let them know you think their communications need some work.

Rule #2 – Hover over the link

Did you ever notice that if you put your mouse cursor over a link and leave it you get a little dialog box that pops up?  That dialog box shows you the actual link that you will be going to if you click on it.

Good News!
Awesome, I love ice cream!

Try hovering over the link:

Oh no!
Hmmm, that doesn’t look right….

This trick is not fool-proof, especially when the link is created by a marketing firm who wants to help their customers measure exactly who clicked on their link.  I find though that going to Google and search for whatever the email refers to gets me there just the same.

Rule #3 – There’s no need to rush.

It probably isn't really urgent.
It probably isn’t really urgent.

A common theme among these phishing schemes is that they often are crafted to create a sense or urgency in the recipient.  After all, if it doesn’t look like you need to deal with it right away, you will probably push it off until later.  If the message is screaming for immediate attention, alarms should be sending in your head.  Follow step 1 and 2 very closely on these.

Preventing phishing is a way bigger topic than what I can fit here in a blog post, but there are a number of additional resources to help you protect yourself from these kinds of scams.  And if you think you may have accidentally clicked on a link that may be suspicious, please don’t hesitate to report it to our Service Desk.

Some additional resources on protecting yourself from phishing attacks: – Microsft’s guide to preventing phishing. – The Securities and Exchange Commision offers their two cents. – A joint paternship between the Department of Homeland Security and industry groups, this site has lots of good information intended for consumers.

That’s it.  Thanks for reading!