At The End of the Phishing Pole.

Stephen Kennedy - Lead Web Developer
Image: A man in a skull cap wearing a mask pointing at a laptop displaying a suspicious page and smiling.
Caption: A basic diagram of what phishing boils down to.

What is it?

Phishing (pronounced "fishing") is the process of "fishing" for more information about a person, often by posing as a source they would have no qualms about giving it to. Since the inception of the consumer internet, phishing has gone hand in hand with it. And as the internet has advanced, so too has the complexity of these scams. It is not uncommon these days to get extremely convincing emails from these con-artists in an attempt to get you to reveal even the smallest detail they can then use to steal or make money.

How to defend against it.

There is only one highly effective strategy against these: education and awareness.

The first line of defense is understanding the policies of the companies you are in regular contact with. For example, Microsoft will never ask for sensitive information in an email. So if you get anyone claiming to be from Microsoft asking for sensitive information over email, just delete the email and move on with your life. On the subject of Microsoft, they will not email or call if there is a problem with your Windows installation. All of their systems are automated, and your computer will notify you via the Windows notification center if it detects a problem. On Windows 8 and 10, this is found in your taskbar. It will not notify you via a popup in your web browser, and it will not play an error sound or siren.

Image: A man suspended from the ceiling reaching for a computer. The pose is reminiscent of the famous heist scene from Mission Impossible.
Caption: Most of the time, data theft is harder to spot than this.

The next line of defense is knowing what information is valuable enough to steal, and being reasonably suspicious of anyone asking you for that information. Don't give anyone your email password. Just don't. If someone is configuring your computer for you and they need your password to set up your email client, ask them to pass you the keyboard, make sure the popup is actually from your email client, and enter it yourself. Microsoft will never ever need your email password. Companies don't need your email password to put you on their mailing list. If you think I'm being unreasonable about this, do some quick mental calculations about how many services use your email to verify your identity. Anyone who has your email password can now access all of those services. Even those that offer 2-step authentication sometimes fall back on plain email authentication. Outside of your Social Security Number and your banking information, your email password is one of the most important pieces of digital information you own, and you should never give it to anyone. But by that same token, don't give out your Social Security Number or your banking information, no matter how many millions they have waiting offshore.

It also helps to understand the psychology behind these scams and how they work. Most phishing scams are a kind of con called a confidence scam. In order for the scam to work, you have to trust that the person on the other end is who or what they say they are. They will go out of their way to prove this to you, often without prompting. Look at the information that is given to you. They will give you vague and hard-to-verify information that sounds reasonable, or they will give you information that is easy to fake. It's not hard to become a Microsoft partner; all you really have to do is offer to sell one of their products through one of their many partner programs. But just being a partner doesn't mean you are authorized to renew a Windows license. The devil is always in the details here. Do your research, and if the person on the other end becomes agitated by your suspicions and your desire to verify their identity, that should only make you more suspicious.

Image: A man dressed as a ninja "fishing" for information on a businessman's laptop.
Caption: A diagram of every few minutes on the internet.

Finally, be aware of your resources. If you think something may not be right, open up a browser and do a quick Google search on it. Research the company and see what their email addresses look like: does the address you received the message from look like that? Copy and paste a chunk of the email into Google and see if anyone is complaining that it is a scam. Understand how to view an email's source code and look at the header information. You don't need to understand a whole lot about the information you're seeing to notice that they may not be emailing from where they say they are emailing from. The header you're looking for should look like this: 'From: "Example Person" ', and the domain in that address should be associated with the company they are claiming to be a part of. Check the spelling. A reputable company has someone proofread all of their official communications. It is very rare that obvious mistakes will make it out to the public in automatically generated or form emails. Many scammers target other countries for the simple reason that it's a lot harder to get caught and put in jail if your victims are divided by borders and language. But this has an advantage for those of us trying to avoid scams: sometimes their mastery of our language is a little questionable. If you get an email claiming to be from a company, sent by someone you have never interacted with before, those couple of spelling errors could be the difference between losing hundreds of dollars and not. Don't let them go unnoticed.
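The From: header check described above, as an added example that is not part of the original post. It parses the raw headers of a message, pulls the address out of the From: line, and compares its domain with the domains the claimed company is expected to send from. The expected-domain table and both sample messages are constructed for illustration; a real table would come from the company's own published policy pages.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed table (hypothetical): which domains each claimed sender actually mails from.
EXPECTED_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "examplebank": {"examplebank.com"},
}

def registered_domain(address):
    """Return the part of the address after '@', lowercased ('' if there is none)."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()

def matches_expected(domain, expected):
    """True if domain equals one of the expected domains or is a subdomain of one."""
    return any(domain == e or domain.endswith("." + e) for e in expected)

def check_from_header(raw_message, claimed_company):
    """Parse raw_message's headers and compare the From: domain with the
    domains claimed_company is expected to use. Returns the parsed pieces
    plus a verdict string starting with 'ok' or 'suspicious'."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = registered_domain(address)
    expected = EXPECTED_DOMAINS.get(claimed_company.lower(), set())
    if not address:
        verdict = "suspicious: missing or unparsable From: address"
    elif matches_expected(domain, expected):
        verdict = "ok: From: domain matches a known %s domain" % claimed_company
    else:
        verdict = "suspicious: From: domain %r is not a known %s domain" % (domain, claimed_company)
    return {"display_name": display_name, "address": address, "domain": domain, "verdict": verdict}

# Constructed sample: the display name claims Microsoft, the address does not.
SUSPICIOUS_SAMPLE = (
    'From: "Microsoft Support" <support@micros0ft-licensing.example>\n'
    "To: you@example.com\n"
    "Subject: Your Windows license needs renewal\n"
    "\n"
    "Please reply with your password to renew.\n"
)

# Constructed sample: the address sits on a subdomain of the expected domain.
LEGIT_SAMPLE = 'From: "Microsoft account team" <noreply@mail.microsoft.com>\n\nbody\n'

if __name__ == "__main__":
    for sample in (SUSPICIOUS_SAMPLE, LEGIT_SAMPLE):
        print(check_from_header(sample, "Microsoft")["verdict"])
```

The check only looks at the From: line the sender chose to write, so a match is a necessary condition, not proof; a mismatch, however, is the red flag the post describes.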

In summary, don't take anything on the internet at face value. Know what you need to be protective of. Understand how people will try to get it away from you, and above all, if your gut is telling you something is wrong, it probably is.