Phishing is the devious practice of tricking users into giving away their usernames and passwords to fraudulent sites. It is big business, and the best defence against it is constant vigilance.
I'm going to walk you, step-by-step, through a scam that targetted me today. Along the way we'll see how to avoid falling prey to these monsters.
It starts with a text
I was sent this SMS from a number that I didn't recognise.
Let's count the mistakes!
- In the UK, we place the currency symbol before the number.
- British English spells "authorise" with an S rather than a Z.
- Amazon don't send out links using the bitly shortening service.
These phishers are hoping that you're too stupid to notice the mistakes. They are also betting that you're too busy to think for a minute about whether Amazon are likely to contact you via SMS rather than email or app notification.
Let's say you're tired enough to click through, what do you find?
At first glance, this looks identical to the regular Amazon mobile sign in page.
But! Look closely. There are three obvious mistakes.
https- you should know by now that you never enter your password unless the website is protected with those magic letters.
- The web address is not
amazon.co.uk! It is some other site. Again, you should never enter a password unless you are sure that the site is legitimate.
- Finally - what is that � character doing at the bottom of the site? It should be a © symbol. Far too sloppy for Amazon.
Surely you wouldn't fall for this? Sadly, not everyone in the world is as bright as you.
Tell me more, tell me more
So, you unwisely entered your password. The scammers are already riffling through your Amazon account with the stolen password. They're buying themselves toys using your credit card. But they ain't done with you yet!
They want everything! Once they have your home address and phone number, they can bombard you with scams. Scroll down, and it gets worse.
Your bank details! Your mother's maiden name! Are these details enough for them to fool your bank? With all the information you're giving them, they'll be able to take over your entire life!
Fool me once
Because the scammers use bitly, we can take a look at how many people are clicking through this link.
By the time Bitly had flagged the link as malicious, over 250 people had clicked on it.
Would you have fallen for it? These scammers are betting that you're not paying attention. That you'll blindly trust any link you see.
Phone companies are powerless to stop this sort of spam - SIM cards can be purchased anonymously, and computers can pump out thousands of texts before their suspicious behaviour is noticed.
Bitly knows it is a vector for phishing attacks, but can't check every link before it goes live.
The only solid defence is you! It is up to you to keep your wits up, to examine every message you receive, and every link you click. You have to stay safe all the time - the scammers only need to get lucky once.
If you want to harden your defences, you need to take action now.
- Activate Two-Factor Authentication for Amazon - even if someone steals your password, they'll also need your phone in order to log in.
- Use LastPass to generate strong and unique passwords for every site you use. If you use the same password on multiple sites - it is only a matter of time before one is lost, and then all are lost.
Stay safe out there!