In recent weeks a spate of new phishing attacks has ensnared many unsuspecting users. These traps have cost untold sums of money to organizations and individuals far and wide. Avoiding such ruses, however, requires only a modicum of diligence.
The most common of these attacks involves sending links in emails purporting to be from a variety of legitimate vendors of popular products such as Dropbox or Microsoft Office 365. The phishers are sophisticated enough to know that you have an account with the vendor, and to design their attack to avoid detection by spam, virus and malware filters.
The email instructs you that you have a file waiting to be downloaded or that you have exceeded your account limits and need to delete files or emails to avoid additional charges. A link, disguised to look legitimate, is provided, with the direction to click on it to resolve the issue. Clicking on the link results in various outcomes, all bad. It can be a virus, malware or even ransomware.
This particular ruse is easy to avoid. Senders disguise or “spoof” their email address to look real when in fact it isn’t. So, for example, while the email might say it’s from “Microsoft Administrator,” the address is actually from some domain that is not Microsoft.com. Most email programs today not only show the name of the sender, but the email address as well. Sometimes this requires that you “hover” your mouse over the name, a function that often does not work well on smartphones, so wait until you get in front of a computer. If the email is not from the official domain of the vendor, it is a hoax.
More importantly, if you have any suspicion at all about the link, do NOT click on it. If you are concerned that the message may, in fact, be legitimate, you can always go directly to the official website. If there is actually a file waiting for you at Dropbox, you will get an alert upon logging in at dropbox.com. Similarly, if you have exceeded your email quota, you will get an alert upon logon at microsoftonline.com.
A variation on this scam tries to entice folks into opening email attachments. In this con the phisher has figured out that you often exchange emails with a particular organization, so they spoof an email that looks like it comes from that organization. This deception also tries to get you to click a link or open an attachment. Regardless, that click triggers a virus, malware or ransomware.
Again, a little bit of diligence goes a long way. If you are not expecting such an email or don’t recognize the sender, take care before clicking the link or opening the attachment. Double-check the email address as described above, and if still in doubt, call the sender. The fact of the matter is that no one has ever gotten fired for not opening an attachment.
Keep in mind that this is not just a recipient-side issue. When you are sending emails, especially those involving money or including links or attachments, take a few extra seconds to make sure the message has some degree of formality and authenticity. Don’t just send it and say, “Hey click this link.” Fix the auto-spell-check errors, add your signature, perhaps add some other info that only you and the recipient know; for example, “This is the link you asked me for when you called me earlier this morning.” This will help everyone be more efficient.
John Agsalud is an IT expert with more than 25 years of information technology experience. Reach him at jagsalud@live.com.