Phishing and You
- Nick Thomas

- Jul 14, 2021
- 2 min read
Phishing - trying to mislead someone into giving you their login details.
TL;DR (too long; didn't read): An email that asks you to verify yourself by logging in is NOT TO BE TRUSTED.

A fair few blog posts ago, I did a piece on a particular phishing email that was making the rounds. You can read that here .... Ok, so it was more than a year ago - I'm not the greatest at content =S Anyway, today I was hoping to expand on this a little, because this ALWAYS needs to be talked about.
Often customers will receive an email purporting to be from Telstra, Microsoft, the ATO, Netflix, Facebook or any number of popular, well-patronised or necessary services. These emails will tell the user that their account has been used for suspicious activity (hiding in plain sight), or that their service will be shut down in 7 days, or some other equally fear- or urgency-inducing lie. They then give the user a simple, easy way to fix the problem: a login link, and an instruction to just 'verify your account'.
A particularly nasty Facebook variant occurs when someone's account gets hacked and their contacts are sent a link to a 'Facebook post' about something either amazing or tragic, with a message like "thank god you weren't there at the time!" or some other REALLY intriguing and vague line. I received one of these myself about a shooting in North Beach while I was IN North Beach, waiting for a customer, killing time on my phone. Almost got me - I twigged when I saw what came next (below).
What they do is direct you to a bogus site with a legitimate-looking login prompt. At this point you're usually still OK, but if you put your details in, they'll be harvested.
That account is now compromised, and it gives them access to any information the service holds about you: contacts? address? mobile number? date of birth? etc.
An additional issue here is that a LOT of people use the same password for multiple services, and the email address is usually still the username, so basically any other service you've used that password for is now potentially compromised too, should the hacker go hunting...
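The lure described above always hinges on a link whose host is not really the brand's. As an added example (not code from the original post), here is a small Python checker that pulls the links out of an email body and flags the ones that should not be trusted as belonging to the claimed sender: a host outside the brand's known domains, the brand name used as a look-alike label inside a foreign host, a bare IP address, or the `user@host` trick that hides the real destination. The brand-to-domain table and the sample email are constructed for this example, and the "last two labels" domain heuristic is an assumption that stands in for a proper Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example: which registrable domains each brand
# legitimately sends people to. An assumption for illustration, not an authoritative list.
KNOWN_DOMAINS = {
    "netflix": {"netflix.com"},
    "microsoft": {"microsoft.com", "live.com", "office.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def registrable_domain(host):
    """Return the last two DNS labels of a host (e.g. 'help.netflix.com' -> 'netflix.com').
    A real tool would consult the Public Suffix List so that names like 'bbc.co.uk'
    are handled; this two-label heuristic is enough for the .com brands used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(body, claimed_brand):
    """Return a list of (url, reasons) for every link in `body` that should not be
    trusted as belonging to `claimed_brand`. Links with no findings are omitted."""
    brand = claimed_brand.lower()
    allowed = KNOWN_DOMAINS.get(brand, set())
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        # 1. The link does not go to a domain the brand actually owns.
        if registrable_domain(host) not in allowed:
            reasons.append(f"host {host!r} is not a known {claimed_brand} domain")
            # 2. ...yet the brand name appears in the host: the classic look-alike subdomain.
            if brand in host:
                reasons.append("brand name used as a look-alike label inside a foreign host")
        # 3. A bare IP address where a real service would use a hostname.
        if IPV4_RE.match(host):
            reasons.append("bare IP address instead of a hostname")
        # 4. User-info trick: http://netflix.com@evil.example/ really connects to evil.example.
        if parsed.username is not None:
            reasons.append(f"'@' in the authority hides the real host behind {parsed.username!r}")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample lure, modelled on the "verify your account within 7 days" pattern.
SAMPLE_EMAIL = """Dear customer,
We detected suspicious activity on your Netflix account.
Your service will be shut down in 7 days unless you verify it here:
http://netflix.com.account-verify.example/login
Questions? Visit https://help.netflix.com/ for our help centre.
"""

if __name__ == "__main__":
    for url, reasons in suspicious_links(SAMPLE_EMAIL, "Netflix"):
        print(url)
        for reason in reasons:
            print("   -", reason)
```

Run as-is, it flags only the `netflix.com.account-verify.example` link (twice: wrong domain, and brand name used as a look-alike label) while leaving `help.netflix.com` alone, which is exactly the distinction the TL;DR asks the reader to make by eye.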
The solutions to this are:
· Have a different password for EVERYTHING - and we all know THAT is a pain.
· Have a different password for everything and use a password manager to manage it all - which can also be a pain, depending on how strict your manager is.
· Don't. get. phished... not really practical. There are some REALLY smart and very convincing phishing attempts out there.
· Take the middle ground - have a half-dozen different passwords: unique ones for the important things, and reuse a few lesser passwords for the less important things. You trade a little less pain for some exposure from multiple possible sources.
Online services are a convenience and this is the price we pay for such convenience.