Apr 28 2008

Mmmmmm, Tilapia

Generally, I rue users who click every link sent to them; however, after our first real mass spear phishing attack, I’m now ruing users who reply to “official looking” e-mails with their username and password.

So what is phishing? Essentially it’s an attempt to get information from you. You know the “I’m a poor Nigerian widow who wants to send you $1M”? That’s a type of phish. Once they get your bank account number, it will be bled dry. When you get an e-mail wanting you to click a link and “login” to your bank account, but it’s not really your bank: that’s a phish.

Spear phishing is even more fun. It combines traditional phishing with information someone knows to be true about you. It could be your membership in a group (à la the college/church/basketweaving class you attend), it could be your birthday: something that you, the ignorant reader, will zero in on and go “Oh, hey, this must be legit because after all they know X about me! Here’s my username, password, Social Security Number, bank account number, ATM PIN, credit card number and CVV2!”

In the last 8-10 hours I’ve heard all sorts of defensive statements about why it’s not people’s fault that they fall for these scams, but it boils down, again, to trust.

.BE SKEPTICAL.

Just because “your neighbor” allegedly sent you a greeting card, doesn’t mean they did; just because “SUNY Potsdam” sent you an e-mail asking for your username, password, and birthdate, doesn’t mean they did; just because the smiling nice lady asks me for my credit card, doesn’t mean she isn’t imprinting it; just because “the government” says something, doesn’t mean it’s true.

.BE SKEPTICAL.

Don’t live in fear of the fact that no one is trustworthy; just be skeptical and verify, verify, verify.
