Despite the Cold, It’s Always Good Weather for Phishing: Cybersecurity Best Practices

It’s going to be a cold few days for a lot of us in the US.  Even in Spring, Texas (just outside of Houston, where I live), it’s expected to be freezing for parts of this weekend and all the way down to 10 degrees(!) on Monday evening.  I can only imagine what it’s going to be like up north!  But, regardless of how cold or hot the weather is, expect a lot of phishing this weekend!

This week on his eDiscovery Journal blog, Greg Buckles detailed an attempt he encountered involving a supposed hack of his Amazon account, where he received an automated call with a digitized voice indicating that there was a suspicious large transaction on his Amazon account.  Greg, noting that he “buy[s] a lot online”, pressed the digit “1” when prompted to be connected with the security team.  While waiting, he checked his Amazon order history and didn’t see any large new purchases.

When “Alexander”, the “customer service rep”, came on the line, he tried to get Greg to connect to the “secure Amazon server” to resolve the issue, but Greg’s questions about the process caused “Alexander” to hang up.

Phishing attempts can come in just about any form – via email, phone call (like the one Greg received) or even text.  Most of the time, they’re ignored or correctly identified as phishing attempts.  But it only takes a few “bites” (out of thousands or even millions of attempts) to make the phishing exercise worthwhile for the attacker.

However, not every account alert you receive is an actual phishing attempt.  Recently, someone I know well forwarded me a text she received asking about a purchase on her bank card account that she didn’t make, and it gave her a number to call.  I suggested that she get her card and confirm that the number was the same as the one on the text.  It was, so she called the number.  Turned out that there were actually several questionable transactions on her card and her card info was apparently captured by a “skimmer” at a gas pump which was located just across the street from the first questionable transaction.  So, this time, the alert was legitimate, and the bank canceled her card and issued her a new one.

How do you discern between phishing alerts and legitimate ones?  Here are some suggestions:

  • If you receive a phone number to call, don’t call it until you verify the number is associated with the account in question;
  • Don’t click on any links in emails you have questions about – you can hover over the link to see the actual destination, which may be quite different from the site it purports to be;
  • Always check an account in question for activity instead of taking the alert as correct;
  • Block any suspicious phone numbers or email addresses from contacting you again (but, whatever you do, don’t unsubscribe from suspicious email addresses).
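The “hover over the link” check above can also be automated for an HTML email: compare the domain a link displays with the domain its href actually points to.  The script below is an added example written for this post (not code from Greg Buckles, eDiscovery Today, or any vendor); the email snippet it scans is constructed, and its “registrable domain” helper is a deliberately simple last-two-labels heuristic rather than a real public-suffix lookup.

```python
# Added example: flag HTML links whose visible text looks like a URL or
# domain that differs from the link's real target (the "hover" check).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "suspicious large transaction" lure in
# the post. Only the first link actually points somewhere other than the
# site its text shows.
SAMPLE_EMAIL_HTML = """
<p>We noticed a large transaction on your account.</p>
<p>Review it at <a href="http://amazon-security-check.example.net/login">https://www.amazon.com/orders</a></p>
<p>Or <a href="https://www.amazon.com/gp/css/order-history">visit your order history</a>.</p>
<p>Help: <a href="https://www.amazon.com/help">amazon.com/help</a></p>
"""

_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the visible link text itself reads like a URL or domain."""
    return _URL_LIKE.fullmatch(text.strip()) is not None


def host_of(value):
    """Hostname of a URL or bare domain ('' if it cannot be parsed)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # let urlparse treat a bare domain as a host
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host):
    """Assumption: last two DNS labels approximate the registrable domain.
    Good enough to illustrate the check; real tooling uses a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the href's domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # "visit your order history" shows no domain to compare
        shown, actual = host_of(text), host_of(href)
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"text": text, "href": href,
                             "shown": shown, "actual": actual})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"MISMATCH: text shows {f['shown']!r} but link goes to {f['actual']!r}")
```

Run against the constructed sample, only the first link is reported; the plain-English link and the one whose text and href both sit under amazon.com pass.  A mismatch is a strong phishing signal but not proof on its own, and a link with no visible domain at all (“Click here”) is exactly the case where you still have to hover or, better, go to the account directly as the list above advises.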

Oh, and always keep your malware protection up to date!  Forget “trust, then verify” – “verify” before trusting!  It’s always good weather for phishing!  Even when it’s as cold as it will be this weekend (in much of the US at least).  Stay safe!

So, what do you think?  Do you have any phishing attempt “war stories” to share?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
