In everyday life the internet has become more and more important.
Let’s talk about something called phishing.
Wikipedia says that phishing is:
Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker
or to deploy malicious software on the victim's infrastructure like ransomware.
I wasn’t quite sure who could fall for an attack that I considered too simple, too dumb.
Turns out I was wrong, both about the personal implications and about the technical side.
The right way to look at something is to start without prejudices, so that’s what I did.
So let’s just put aside the various “It’s too dumb to work”, “No one would fall for that”.
An example
This really happened to several people I know, but I changed the details so as not to expose the people involved.
Let’s imagine this scene:
You’re at home, minding your own business. You’ve just filed your tax return; it’s pretty boring, but you have to do it, and now you’re finally done, so you can relax.
You receive an SMS from the post office. You open it and it says you need to enter some personal information for them as soon as possible, and there’s a link in it.
You think it’s weird: you only use the post office’s service as an identity provider to log into the tax agency, and it has never asked you for anything before.
Maybe you did something wrong, and you just want to be done with your taxes.
But you’ve been told to be careful with notifications online, that anyone can pretend to be someone else, so you’re not sure what to do about it.
What do you do?
You should wait, think a bit about what just happened, and answer a couple of questions:
- Did you start the interaction with whoever is contacting you (in this case the post office)?
- Are you sure that whoever is contacting you is really who they say they are?
Once you think about it, the answer to both questions is usually “no”, especially the second one.
It’s really easy to forge an e-mail or SMS: the sender you see is just text. In an e-mail the From: name and address are filled in by whoever sends it, and bulk SMS gateways let the sender pick the sender name shown on your phone; nothing stops me from calling myself “the president” or whatever I like.
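As an added example (this is not code from the original post), here is a small Python script that builds two made-up e-mails and looks at what the headers say about the sender. All names and domains are invented (`.example` addresses), and the “real” post office domain used by the check is an assumption. It shows that the From: line is just a string the sender chose, and that comparing From:, Reply-To: and Return-Path: catches crude spoofs where the visible name claims one organisation while the addresses point somewhere else. Real sender verification relies on SPF, DKIM and DMARC, which this script does not implement; a scammer who aligns all three headers will pass this check, so it is a hint, not proof.

```python
"""Added example: the visible sender of an e-mail is just text.

Two constructed messages are parsed with the standard library and the
sender-related headers are compared. Nothing here verifies the sender
cryptographically; it only shows how freely those headers can be set.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption for the example: the domain the real post office uses.
REAL_POST_OFFICE_DOMAIN = "post-office.example"
# Words in a display name that claim to be the post office.
BRAND_WORDS = ("post office", "postal")

# Constructed sample: a spoofed "post office" notice. Every header value
# below was typed by the sender; no mail server checked it.
SPOOFED = """\
Return-Path: <bounce@bulk-mailer-4711.example>
From: "National Post Office" <service@post-office-verify.example>
Reply-To: <helpdesk@bulk-mailer-4711.example>
Subject: Your personal data must be confirmed
Content-Type: text/plain

Please confirm your details at http://post-office-verify.example/login
"""

# Constructed sample: a message whose sender headers line up.
LEGIT = """\
Return-Path: <noreply@post-office.example>
From: "National Post Office" <noreply@post-office.example>
Subject: Your appointment
Content-Type: text/plain

See you on Tuesday at 10:00.
"""


def parse_sender_headers(raw):
    """Return {header: (display_name, domain)} for From, Reply-To, Return-Path.

    domain is None when the header is absent or has no address part.
    """
    msg = message_from_string(raw)
    result = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        name, addr = parseaddr(msg.get(hdr, ""))
        domain = addr.rpartition("@")[2].lower() if "@" in addr else None
        result[hdr] = (name, domain)
    return result


def suspicious_sender(raw):
    """List plain-language reasons the sender headers look forged.

    Heuristics only: a mismatch between the visible From: and the
    addresses that actually receive replies/bounces, or a display name
    that claims the post office while the address is somewhere else.
    """
    headers = parse_sender_headers(raw)
    from_name, from_domain = headers["From"]
    reasons = []
    for hdr in ("Reply-To", "Return-Path"):
        _, dom = headers[hdr]
        if dom is not None and dom != from_domain:
            reasons.append(f"{hdr} domain {dom} differs from From domain {from_domain}")
    claims_brand = any(w in from_name.lower() for w in BRAND_WORDS)
    if claims_brand and from_domain != REAL_POST_OFFICE_DOMAIN:
        reasons.append(
            f"display name claims the post office but the address is at {from_domain}"
        )
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, parse_sender_headers(raw)["From"])
        for reason in suspicious_sender(raw) or ["no sender-header mismatch found"]:
            print("  -", reason)
```

Run it and the spoofed message yields three reasons while the legitimate one yields none. The point to take away is the opposite of comfort: the headers are free text, so a clean result means only that the forger was not lazy, and the advice that follows (do not act on the message, contact the organisation yourself) still applies.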
So don’t click on the link, and don’t give personal information over the phone. Just acknowledge the request; if a person contacted you, be polite, tell them you’ll deal with it later, and hang up.
Then call the organization yourself, on a number you already had or looked up on your own (from their official website or a letter they sent you), not one from the message, and explain what happened.
In the best case they really did need that information, and now you know it’s safe to book an appointment and do what you need to do.
Otherwise, you’ve told them about the scam attempt aimed at you, so they can inform the authorities and deal with it, and you haven’t been scammed.
I personally prefer to notify the police myself too. I hate bullies and people who take advantage of other people’s ignorance.
A discussion
It’s easy to pretend you are someone else, by phone, e-mail, SMS, instant messaging, whatever. It’s called social engineering: taking advantage of other people’s biases and good faith to scam and exploit individuals and businesses.
In a world that is ever faster, easier and more connected, things that would have seemed sketchy a while ago seem normal today. Who would have thought you could manage your insurance online?
It’s very important for everyone to be careful about what they do and not click on everything; it’s a bit like a game, “shut up and let me get on with what I’m doing”. But every action has consequences, and sometimes the consequences suck. A lot.
I think it’s necessary to talk about it, especially with people who are not knowledgeable about computers.
It’s important to talk to your parents, your uncles and your friends about it; it’s not as boring a conversation as it sounds, I’ve tried.
Just tell them what happened to a friend of yours or what you read online, and some interesting things will come up for sure.
Be responsible and give some good advice, like: don’t click on links, and make sure you were the one who started the conversation.
Bye, have a good one.