As summer has come to an end, so has the fishing season. If you like to fish, I hope you had a good year!
It’s phishing season here too. I wrote last year that It’s always phishing season, but a new crop of issues has come up and they’re good to learn about. My Facebook friends have been abuzz about one where people call up and complain that a PC is sending out some kind of spam or other bad email and the caller can fix it for a price. This scam had been around for at least a few years. Some versions are a phishing scam because they ask for information about your PC so they can connect to it and “secure it”. They want login credentials, among other information. My advice these friends is to never give that info to anyone. It’s the same advice I give to participants in Learning Tree Course 468, System and Network Security Introduction and I’m telling you the same thing now, “Don’t do it!”.
On to some new stuff. First the good news: the US Army tried a phishing test on its staff. This article in the Fort Hood Herald tells more about it. Civilian companies do this, too, of course. It is important to test security and see whether or not people are actually doing what they’ve been taught to do. Some of the critics, according to the article, weren’t happy with the way it was done, and I can’t comment on that, not having seen the actual emails, etc. The point is that phishing is real and that the DoD needs to ensure that its civilian and military personnel are aware and they don’t get compromised. I applaud the test, even if perhaps it could have been done better (as some have said).
Much worse is the Google docs scam. I have used Google docs and I like it. I like the idea of not having to have software on my laptop or tablet and still be able to edit spreadsheets, presentations, and so forth. It seems that some clever attackers sent out emails trying to get unsuspecting victims to connect to Google docs to view a file. As you might suspect, the victims were sent to a compromised server where their credentials were collected. The key here is not to connect links from senders you don’t know. Of course, senders can spoof the sending address, but that’s a much more targeted attack (called “spear phishing”).
Diligence is the key here. You need to keep on your toes. I know that with possibly hundreds of incoming emails per day, it’s hard to manage, but that’s what the attackers rely on. Let us know in the comments below what kinds of phishing attacks you’ve seen and how you’ve known they were phishing.
I hope all of you enjoyed the fishing season (if you like to fish) and keep safe from those phishing for information.