Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details… by masquerading as a trustworthy entity in an electronic communication. ~ Wikipedia [Source]
Earlier this week I received an email from a friend of mine inviting me to view a document that he just uploaded for me to Google Docs. To access the document I should click on a link in the email. At least, that is what the email claimed!
However, something about the email seemed strange.
Lesson: listen to your gut feelings. If something seems out of place, something probably is. Exercise extreme caution.
Instead of clicking on the link I reread the email closely. Sure enough, the email was sent to me from a real friend who I have traded emails with in the past. So it must be legit, right?
Lesson: just because an email comes from a friend’s email account doesn’t mean it was actually sent by that person. Anyone who commandeers an email account can send out emails from that account.
Furthermore, the email was sent to me as a blind carbon copy – bcc. Again, strange. Why would a personal friend share a document with me and use the bcc feature to send the email? After all, bcc is rarely used, and when it is used, it is normally for mass emailing the same message to a large number of recipients.
Lesson: Exercise caution when an email is sent to you via bcc. bcc is used to hide information. Why exactly is the person trying to hide something?
Something else about the email was strange… it was completely unexpected. Sure, I know the person who (supposedly) sent the email, but we haven’t exchanged emails in months and he has never shared a document with me in the past. It’s not like we were actively working on a project together.
Now this arrives completely out of the blue without one single word of explanation as to what the document is about! Strange.
Lesson: people are creatures of habit. If a friend does something out of character, maybe, even probably, that ‘friend’ is really someone else pretending to be them.
To further examine the increasingly mysterious email, I hovered my mouse pointer over the embedded link, being careful NOT to actually click the link. When you do this, most web browsers show the actual web address (URL) of the embedded link in the lower left-hand corner of the browser’s window. The actual URL that the link connected to was NOT a Google Docs address. It wasn’t even a Google address; it was something that I had never seen before and had nothing to do with either Google or my friend.
Lesson: Something is seriously wrong. This is DEFCON 1 — war is imminent. Ok, maybe not war– but you are probably one or two mouse clicks away from being hacked.
Before proceeding any further with the email I contacted my friend to see if he was actually trying to send me a document. About 36 hours later I received his response: “No. Please ignore. The email you received is spam.”
Lesson: If you receive an email that is asking you to do something and something doesn’t seem to be right, choose another method of communication (phone, IM, Facebook, the options today are endless) to verify that the email is actually legit.
Remember: It’s ALWAYS internet phishing season and YOU are the fish