Security vendor Trusteer blogged about a wave of fake LinkedIn emails that download malware onto your computer. The images Trusteer shows of the phish demonstrate how tricky the criminals are and how authentic the message looks, yet just yesterday I shared with you a foolproof method to prevent yourself from falling victim to such attacks… it is rule number 2.
2) If you click on a link and it leads to a login page, close the browser.
Just don’t click on the links in the email. Here is what a LinkedIn email SHOULD look like. Notice the bold warning at the bottom of the picture.
Do not click on links in social networking invitations. You may have every reason in the world to believe the email is legitimate, but you will think exactly the same way when it is a phish. Type in www.linkedin.com and log in there to view your invitations and to look up your friends’ status updates.
Here is an example of a Facebook Friend request with the proper warning.
OK, to be fair, it isn’t just Facebook, it is virtually all of the social networking sites. Clicking on links in their emails is the perfect way to practice falling for phishing attacks and surrendering your username and password. Yes, it is way more convenient to have a link served up for you to click on, but it is precisely the behavior that makes phishing attacks wildly successful.
“There’s an exception to every rule.”
True enough. Here are the exceptions.
1) If you are not connected to the Internet, it is safe to click on the link as long as you turn off your computer before you connect to the Internet.
2) If you are dead, it is ok to fall forward onto your mouse and click on the link since you won’t be typing in your password anyway.
3) If you have disabled scripting, cookies and all active content in your browser and you don’t type in your password, it is usually safe to click on the link.
If you don’t meet the above criteria, then don’t click on the links in the emails. If you do click on a link and there is a login form, then please do not log in. Close your browser, open it back up and type in the address of the web site you wish to log into.
Airlines, hotels, and other online shopping sites often send emails with links to special offers. I just got an email from Marriott offering quadruple miles with participating frequent flyer plans. I could click on the link in the email, or use the best practice of typing in www.marriott.com, logging into my account there, and then finding the offer. I did just that and it worked. If the “offer” had been a phishing attack the result would not be pleasant.
There are two ways to avoid phishing attacks. The first way requires that you correctly identify every phishing email you encounter. This is not a realistic approach. Even experts cannot tell 100% of the time whether a message is a phish. The second way is to not engage in the behaviors that make phishing successful. This means you do not log in to any website from a link in an email, instant message, SMS or other electronic communication, and that you never respond to such communications with your password. No matter how dire the warning is that your account will be closed or suspended, if it asks for your password it is always fraudulent.
Really, the two simple rules will protect you from almost every phishing attack known. There is no 100%, but this gets you closer to 100% more easily than any other viable approach I know.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Author ESET Research, ESET