For many people, the holidays mean a dramatic spike in email traffic. There is more communication between family and friends, more solicitations from retailers pitching holiday bargains, and more online shopping confirmations and shipping notifications. It’s also a time of year when cybercriminals try to take advantage of the overwhelming volume of email communications to catch unwitting victims off guard with phishing scams. Hopefully you would be able to spot a fake malicious email and avoid getting compromised, but don’t be too sure.
A blog post from CBS News concurs, “Though email scams are a year-round concern, hackers ramp up their efforts around the holidays when anxious shoppers are furiously filling their shopping carts and wading through a sea of digital receipts, confirmations and shipping updates.”
It’s important for you to be able to distinguish valid email messages from malicious emails intended as bait. That’s why CBS News teamed up with Intel Security to publish an interactive phishing quiz. The online quiz presents you with a series of common emails, and it’s up to you to decide if each message is legitimate, or if it’s actually a phishing scam.
Here are a few tips from Gary Davis, chief consumer security evangelist at Intel Security, which you should keep in mind before you start the quiz:
Do:
· Keep your security software and browsers up to date
· Hover over links to identify obvious fakes
· Take your time and inspect the email; look for bad grammar and poor-quality visuals
· Go directly to the website to make sure the deal is also on the retailer’s homepage
Don’t:
· Click on any links in the email
· Share the email with friends or family
· Download content that your browser or security software alerts you may be malicious
· Give away personal information
Armed with those tips, go take the quiz. How did you do?
I scored a 70 percent using just one tip that Davis doesn’t mention. Take a close look at the email address the message is from. If the name says “Tony Bradley”, but the email address is “email@example.com”, you should assume it’s a scam. Some aren’t quite that obvious, though. For example, if an email says it’s from Bank of America—which uses the bankofamerica.com domain—but the email address is “firstname.lastname@example.org”, or anything that isn’t the actual Bank of America domain, it’s most likely a malicious message.
That method obviously isn’t foolproof, though, or I would have scored 100 percent instead of 70 percent. Once you’ve examined the email address, you should also look at the other factors listed by Davis—especially hovering over any embedded links to see where the URL actually goes. With a little common sense, and a dose of healthy skepticism, you should be able to identify and avoid phishing scams.
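The sender-address and link-destination checks described above can be automated. The following Python example is an addition, not part of the original article; the brand table, the sample message and its `.example` lookalike domain are constructed for illustration, and a single-part HTML body is assumed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a hand-maintained map of brand names to the domains they really use.
KNOWN_BRANDS = {"bank of america": {"bankofamerica.com"}}

# Constructed sample: the brand's real domain appears only as a prefix of a lookalike.
SAMPLE = """\
From: "Bank of America" <alerts@bankofamerica.com.account-verify.example>
Content-Type: text/html

<p>Please <a href="https://www.bankofamerica.com/help">read our notice</a> and
<a href="http://bankofamerica.com.account-verify.example/login">sign in</a>.</p>
"""

def in_domain(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag: the destination that hovering reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def inspect_message(raw):
    """Return findings for a message whose display name claims a known brand."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    allowed = next((d for b, d in KNOWN_BRANDS.items() if b in display.lower()), None)
    findings = []
    if allowed is None:
        return findings  # the sender does not claim a brand we know
    sender_host = address.rpartition("@")[2]
    if not in_domain(sender_host, allowed):
        findings.append(f"sender domain {sender_host!r} is not a domain of {display!r}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not in_domain(host, allowed):
            findings.append(f"link goes to {host!r}, not a domain of {display!r}")
    return findings
```

Matching on the end of the hostname, rather than searching for the brand's domain anywhere in it, is what catches addresses that merely start with the real domain.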
Ironically, literally as I was typing that last paragraph I received notification about a friend of mine tagging my name in a Facebook post. It was allegedly for a free $100 gift card for Macy’s, but the URL didn’t go to macys.com—it went to get-macys1.pw. My friend’s Facebook account was obviously compromised, and I commented on the post to warn others not to fall for the bait and click on the link.