Showing posts with label Phishing. Show all posts

Wednesday, August 20, 2025

Got Caught with a Phishing Attack

Yesterday I received an e-mail from what I thought was my e-mail provider telling me I needed to change my password. It is something that happens every year or so. It really should be more frequent but I never look forward to changing passwords and am happy with the current frequency. I put off changing my e-mail password yesterday and decided to give it a try today.

First of all, the e-mail looked like it came from my service provider, which is to say it looked plain and simple. I clicked on the link and entered my current password. I immediately saw an invalid-password message. I entered my old password again with the same result. At this point I went back to the e-mail and realized someone was just looking to get my e-mail password. I felt like a fool.

Fortunately I realized within 30 seconds what was happening and immediately changed my e-mail password. I had to change it in my mail client for both incoming and outgoing messages. This caused very little disruption but I still felt bad for something I should have been able to prevent.

There is a rule we should all follow when an e-mail asks us to log into a system. That rule is to type in the URL of the site asking you to log in and not just click on the e-mail link. I didn't do that and now I can never use that password again for e-mail. I probably should never use it for anything. That is too bad because I liked it and doubt anyone would have guessed it even though I had an easy time remembering it. 

Tuesday, January 2, 2024

Fixing E-mail SPAM Filters

One of the new benefits from my company I am receiving this year is identity protection. I received an e-mail from our service and it had all sorts of warnings on it that indicated the message originated outside of my company's network. Before setting up the service, I had to review my benefits to make sure it came from the company actually providing the service. Our IT department loves to test our Phishing skills and sends us bogus e-mails about once a month. When we flag it as a Phishing e-mail we are told if the e-mail really is a test. Once I verified the valid e-mail message, I logged in and set up my account.

Our identity protection company suggested using a personal e-mail address. They then asked to verify it. I did and they sent a message with an 8-digit number they wanted me to enter into their website. When the message didn't arrive quickly I looked at my SPAM filter which didn't have the message either. While I waited for the verification code to arrive, I investigated my SPAM filter settings. I don't know why I have not done that before.

Whenever I go through my SPAM report and see an e-mail that should have made it to my inbox, I click the "Allow" button. I assumed this would allow all e-mails from that sender through. When I checked my filters, I had a number from the same companies but with different senders. I didn't realize that companies changed the senders based on the message being sent. While I would have loved getting a message from anyone at Disney.com, the sender looked like:

123abc@disney.com

Furthermore, there were a number of subdomains like:

456def@email.disney.com

What I really want is to receive everything from any part of Disney. In order to do that I had to go into my SPAM filter settings and create rules for "Allowed Domains" and not just "Allowed Senders". I went through all 57 allowed-senders rules and converted them to allowed-domains rules. Then I went back and deleted the duplicated rules in allowed-senders.
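The difference between a sender rule and a domain rule, as an added example that is not part of the original post or any filter vendor's code. The function names and matching semantics are assumptions, and the addresses other than the two quoted above are constructed.

```python
# Added example: "Allowed Senders" vs. "Allowed Domains" in a spam-filter allow list.
# Matching semantics here are assumed for illustration, not a vendor's behaviour.

def split_address(address):
    """Return (local_part, domain) in lower case, or None if malformed."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.rstrip(".")


def domain_matches(domain, allowed):
    """True if domain equals allowed or is a subdomain of it.

    The comparison is on whole DNS labels, so 'notdisney.com' and
    'disney.com.example.net' do not match an allowed domain of 'disney.com'.
    """
    allowed = allowed.lower().rstrip(".")
    return domain == allowed or domain.endswith("." + allowed)


def is_allowed(address, allowed_senders=(), allowed_domains=()):
    """Apply exact sender rules first, then domain rules."""
    parts = split_address(address)
    if parts is None:
        return False
    local, domain = parts
    if f"{local}@{domain}" in {s.lower() for s in allowed_senders}:
        return True
    return any(domain_matches(domain, d) for d in allowed_domains)


def convert_senders_to_domains(allowed_senders):
    """Collapse sender rules into a sorted, de-duplicated list of domain rules."""
    domains = set()
    for sender in allowed_senders:
        parts = split_address(sender)
        if parts:
            domains.add(parts[1])
    # A subdomain rule is redundant when its parent domain is already allowed.
    return sorted(d for d in domains
                  if not any(d != p and domain_matches(d, p) for p in domains))


SENDER_RULES = ["123abc@disney.com", "456def@email.disney.com"]
DOMAIN_RULES = convert_senders_to_domains(SENDER_RULES)
```

A domain rule allows every address at that domain, so for a shared mail provider a sender rule remains the narrower choice.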

I have been spending several minutes a day going through the message subjects of the e-mails caught in my SPAM folder because no matter what I tried, I couldn't figure out why clicking the "Allow" button wasn't allowing all messages from particular companies through. Now I know why and will be proactive in making sure I create the correct rules. In the future, I hope to not have to spend any time reviewing my SPAM messages.

Thursday, May 18, 2023

Phishing, Smishing, and Vishing

Every year Sony makes me take mandatory security training and I recently went through the exercise again. Whenever there is annual training, it is best to try and figure out what is new or has been changed. This year I learned two new terms: Smishing and Vishing.

I already know what Phishing is. Anyone who has had an e-mail account knows that scammers will try to send you an e-mail that plays on your emotions to get important personal information. Most of the time the e-mails are easy to spot and I quickly delete them.

The younger generations have mostly ignored e-mail and prefer phones. They fit in your pocket and so texting has become second nature to them. I used to hate texting as I saw it screw up a lot of meetings and slow things down. Now I don't mind it as it is an efficient way to communicate. This is what scammers use for Smishing, your mobile phone. It is the same thing as a Phishing attack but comes over your phone instead of through e-mail. Someone asking for the recently received code your bank texted to you would be an example of Smishing. The term is a mix of Phishing and SMS messaging. As with a Phishing attack, you should never share personal information via text messaging.

So what is Vishing? That is when a scammer calls you or uses voicemail to request sensitive information like passwords or bank information. With current artificial intelligence technology, scammers could call using your spouse's or child's voice asking for a password. Therefore it is important to verify phone numbers whenever anyone asks for sensitive information. Even better would be to call the person back as phone numbers can be spoofed as well. Perhaps this is why there is a new word for something I have always considered Phishing until now.

There are relatively few scammers in the world but it feels like they are everywhere. This means we all need to be vigilant about not sharing secret information that would allow them to get into our bank accounts or steal our identity. Vocabulary for Phishing, Smishing, and Vishing just means that they are using every tool possible.

Sunday, December 11, 2022

Digital Privacy

This afternoon I checked my personal e-mail and received a message claiming to be from my company. While I work for Sony, my personal e-mail is through a domain that I own and it looks like another company. The message claimed to be from the admin account and said that I had 3 undelivered e-mails because they were SPAM. My e-mail account has a different filtering mechanism and I would never get an e-mail from the "admin". I had a link I could have clicked but I'm sure the results would have been nefarious. This is what is known as a Phishing attack. Paying attention helps ensure I don't inadvertently install a virus or malware on my computer. This has the potential of releasing all sorts of personal information to bad actors that can steal my identity, drain my bank account, and ruin my credit.

Your digital privacy is very important and you should do everything you can to protect it. Being aware of potential phishing attacks is only one step of many. I also limit the information I share with various websites where I have login accounts. I never provide my social security number nor do I provide my birthday. There are many websites that require a birthday simply to verify age. I use the same fictitious date for such occasions and avoid providing my real birthday if I can help it.

Another trick to maintaining your digital privacy is to limit your payment information. There are a lot of websites that want to make purchases as simple as possible and so they offer to store your credit card information. Then you just have to hit the "purchase" button and it automatically bills your credit card. I actually have my primary credit card memorized and re-enter the information every time I make a purchase from infrequent accounts. It only slows me down a few seconds but gives me peace of mind every time I receive an e-mail about websites being hacked and payment information stolen.

One final word of caution is to severely limit who has access to your bank account information. This includes debit cards. Once someone gets into your bank account, it is very difficult to get your money back once it is gone. By using credit cards for all payments, you have a level of protection that ensures you don't lose any money. You just need to notify your credit card company about fraudulent transactions and they will credit your account while they investigate. You may have to provide additional documentation but most credit card companies will catch the invalid purchases before you do.

Unfortunately there are some thieves out there and the ubiquity of the Internet makes it easy for a small number of bad guys to inflict harm on a large number of good ones. Taking your digital privacy seriously will help reduce damages. I just wish there was a sure-fire way to keep yourself 100% secure.