Recently I've run into a few phishing attempts online; I've even had family members fall victim. As a software engineer, I take online safety very seriously, so I thought I'd share some of my methods for staying safe here. I hope this may be useful to some people here, especially new internet users, older folks, and those online dating. Remember there is always a person on the other side of the screen.
What is Phishing?
From Wikipedia:
"Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware."
Throughout this thread, I am also extending that definition: a phisher may also attempt extortion, blackmail, or theft.
How to spot a Phisher:
1) The phisher asks where you were born, your mother's maiden name, the name of your first pet, or best friend, etc.
2) The phisher uses inconsistent names or aliases.
3) The phisher inconsistently claims they work for household name companies such as Microsoft, Google, AT&T, etc.
4) The phisher sends pictures of "themselves" but it is another person or two different pictures of similar-looking people.
5) The phisher asks for money; this could be for "travel expenses", for an "emergency", or as a fee to release a larger "reward", typically requested via gift card, Western Union, bitcoin, or cash mailed between magazine pages.
6) The phisher requests a lewd photo of yourself.
7) The phisher requests to take control of your computer to "fix" something.
8) The phisher asks for sensitive information such as passwords, SSNs, IDs, or other credentials.
9) The phisher is not in the location they claim to be.
10) The phisher's email address or phone number is in a known phishing database.
11) The phisher has poor English skills, has a foreign accent with a Western name, is overly flirty, seems too good to be true, or recycles information you said back to you.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The above actions should be considered red flags in an online interaction with someone you have not met. Here is how to combat them.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1) These, among others, are common security verification questions; avoid sharing this sensitive information with strangers. Sometimes these things come up in natural conversation; dodge the question if you're uncertain of the other party's intent.
2) Ask the phisher to clarify what their name actually is.
3) There is a high likelihood you are being phished, especially if they contacted you first. If you contacted them, double-check the domain name or email address and make sure it is an official domain.
4) If you are unsure whether that is really a picture of them, do a reverse Google image search. Profile pictures are often stolen from LinkedIn or Facebook accounts; make sure the names on those accounts match the name the individual gave you.
5) Never do this unless you've met them in person, know them well, and can hold them accountable.
6) Never do this; it can lead to extortion or trafficking. It is also worth noting that on some mobile phones, even if your naughty bits are outside the image, the image metadata may contain a larger picture that is more revealing.
7) Only do this if you are 100% certain it is a credible, insured, and legitimate technician. Stick with local tech support if you need something fixed.
8) Never do this.
9) A way you can verify this for Gmail accounts: from a desktop computer, click on the 3 dots and click "Show Original", then copy the text and paste it into the Google Header Analyzer Tool. Click analyze. Copy the first domain in the "from" column and paste the domain into a whois search; this will tell you which Google mail server the email was sent from, which should be near their location (CA, or VN, etc. datacenters).
A more precise way would be to get the phisher to click a disguised link that reveals their IP information to you.
10) If their email appears in a database, block communication or waste their time.
11) If the phisher is obviously from Lagos, Nigeria; Hyderabad, India; or another scam hotspot, perhaps avoid them.
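Point 6 mentions that a phone's image metadata can carry a larger, uncropped picture. In JPEG files that is the Exif thumbnail: the Exif block (an APP1 segment) holds a second image directory, IFD1, whose tags 0x0201/0x0202 point at a small JPEG of the original frame, and cropping the visible picture does not always regenerate it. Here is an added example, not part of the original post and not any tool the post names, that checks whether a JPEG still carries such a thumbnail and strips the whole Exif block before the file is shared. It uses only the Python standard library; the sample JPEG is constructed inside the script (a valid segment structure with a fake 34-byte thumbnail, not a decodable photo) so it runs offline.

```python
from __future__ import annotations

import struct

# JPEG marker codes used below
SOS, EOI, APP1 = 0xDA, 0xD9, 0xE1
EXIF_TAG = b"Exif\x00\x00"
# Exif IFD1 tags that locate the embedded thumbnail (JPEGInterchangeFormat / ...Length)
THUMB_OFFSET, THUMB_LENGTH = 0x0201, 0x0202


def exif_payload(jpeg: bytes) -> bytes | None:
    """Return the TIFF block carried in the first Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (SOS, EOI):
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # length covers itself
        if marker == APP1 and jpeg[pos + 4:pos + 10] == EXIF_TAG:
            return jpeg[pos + 10:pos + 2 + length]
        pos += 2 + length
    return None


def embedded_thumbnail(tiff: bytes) -> bytes | None:
    """Walk IFD0 -> IFD1 and return the thumbnail JPEG bytes, or None if absent."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte order
    ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
    n0 = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])[0]
    # the 4 bytes after IFD0's entries point at IFD1 (0 = no thumbnail directory)
    link = ifd0 + 2 + 12 * n0
    ifd1 = struct.unpack(order + "I", tiff[link:link + 4])[0]
    if ifd1 == 0:
        return None
    n1 = struct.unpack(order + "H", tiff[ifd1:ifd1 + 2])[0]
    values = {}
    for i in range(n1):
        entry = ifd1 + 2 + 12 * i
        tag, _typ, _count, value = struct.unpack(order + "HHII", tiff[entry:entry + 12])
        values[tag] = value  # both thumbnail tags are LONG, so the value sits inline
    if THUMB_OFFSET in values and THUMB_LENGTH in values:
        off, ln = values[THUMB_OFFSET], values[THUMB_LENGTH]
        return tiff[off:off + ln]
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its Exif APP1 segment(s); the pixel data is untouched.
    (Fill bytes of 0xFF between segments are not handled in this short version.)"""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker == SOS:  # entropy-coded image data follows; copy it through to EOI
            out += jpeg[pos:]
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == APP1 and segment[4:10] == EXIF_TAG):
            out += segment
        pos += 2 + length
    return bytes(out)


def build_sample() -> bytes:
    """Constructed minimal JPEG: an Exif block whose IFD1 carries a fake 34-byte
    thumbnail, followed by a stub scan. Not a viewable picture, just the structure."""
    thumb = b"\xff\xd8" + b"\x11" * 30 + b"\xff\xd9"
    o = "<"  # little-endian TIFF ("II")
    # offsets inside the TIFF block: header 0..8, IFD0 8..26, IFD1 26..56, thumbnail at 56
    ifd0 = (struct.pack(o + "H", 1)
            + struct.pack(o + "HHI4s", 0x0110, 2, 4, b"CAM\x00")  # Model tag, ASCII
            + struct.pack(o + "I", 26))
    ifd1 = (struct.pack(o + "H", 2)
            + struct.pack(o + "HHII", THUMB_OFFSET, 4, 1, 56)
            + struct.pack(o + "HHII", THUMB_LENGTH, 4, 1, len(thumb))
            + struct.pack(o + "I", 0))
    tiff = b"II" + struct.pack(o + "HI", 42, 8) + ifd0 + ifd1 + thumb
    payload = EXIF_TAG + tiff
    app1 = b"\xff" + bytes([APP1]) + struct.pack(">H", len(payload) + 2) + payload
    scan = b"\xff" + bytes([SOS]) + struct.pack(">H", 2) + b"\x00\x01\x02" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + scan


if __name__ == "__main__":
    sample = build_sample()
    tiff = exif_payload(sample)
    thumb = embedded_thumbnail(tiff) if tiff else None
    print("thumbnail bytes hidden in metadata:", len(thumb) if thumb else 0)
    cleaned = strip_exif(sample)
    print("Exif after stripping:", exif_payload(cleaned), "size", len(sample), "->", len(cleaned))
```

To check a real file, replace `build_sample()` with `open("photo.jpg", "rb").read()` and write `strip_exif(...)` back out under a new name. Stripping the APP1 block also removes GPS and camera fields, which is usually what you want before sending a picture to a stranger.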
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
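Point 9 in script form, as an added example that is not part of the original post and is not Google's Header Analyzer: it takes the text from "Show Original", walks the Received headers from the oldest hop forward (servers prepend their line, so the hop nearest the sender is the last one in the dump), skips private and loopback addresses, and reports the first outside address, which is the one to paste into a whois search. It also flags a Reply-To domain that differs from the From domain, a common trait of spoofed senders. The headers below are constructed; the hostnames are made up and the addresses come from RFC 5737 documentation ranges, standing in for real public addresses.

```python
from __future__ import annotations

import ipaddress
import re
import sys
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample of the top of a "Show Original" dump. Hostnames are made up and
# the addresses are RFC 5737 documentation addresses standing in for public IPs.
RAW_HEADERS = """\
Delivered-To: victim@example.net
Received: from mx-inbound.example.net ([192.0.2.10])
        by mailstore.example.net with LMTP id 1; Tue, 5 Mar 2024 18:00:03 +0000
Received: from relay.sender-provider.example (relay.sender-provider.example [203.0.113.25])
        by mx-inbound.example.net with ESMTPS id 2; Tue, 5 Mar 2024 18:00:02 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
        by relay.sender-provider.example with ESMTPSA id 3; Tue, 5 Mar 2024 18:00:01 +0000
From: "Support Team" <support@sender-provider.example>
Reply-To: totally-different@freemail.example
Subject: Your account has been suspended

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Addresses that can only be the sender's LAN or a relay talking to itself;
# they never identify the outside server that handed the mail over.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_chain(raw: str) -> list[str]:
    """Received headers oldest-first. Each server prepends its own line, so the
    dump lists the newest hop first and the hop nearest the sender last."""
    msg = message_from_string(raw, policy=default)
    return [str(v) for v in reversed(msg.get_all("Received", []))]


def hop_ips(header_value: str) -> list[str]:
    """IPv4 addresses mentioned in one Received header, in order of appearance."""
    return IPV4_RE.findall(header_value)


def likely_origin(raw: str) -> str | None:
    """First non-internal address found walking from the oldest hop forward.

    For mail sent through webmail this is the provider's outbound server (the
    host the whois step looks up), not the sender's own machine."""
    for hop in received_chain(raw):
        for ip in hop_ips(hop):
            if not is_internal(ip):
                return ip
    return None


def reply_to_mismatch(raw: str) -> tuple[str, str] | None:
    """(from_domain, reply_domain) when replies would go to a different domain
    than the visible sender, a classic sign of a spoofed or rented identity."""
    msg = message_from_string(raw, policy=default)
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        return from_dom, reply_dom
    return None


if __name__ == "__main__":
    # Pipe the "Show Original" text in on stdin; falls back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else RAW_HEADERS
    for i, hop in enumerate(received_chain(raw), 1):
        print(f"hop {i} (oldest first): {hop_ips(hop)}")
    print("address to look up with whois:", likely_origin(raw))
    print("Reply-To mismatch:", reply_to_mismatch(raw))
```

Save the "Show Original" text to a file and run `python3 headers.py < original.txt`, then `whois <address>` on the reported hop to see which provider and region it belongs to. Only the Received line added by your own provider can be trusted; earlier lines are written by the sender's side and can be forged, so the last trustworthy hop is the one your server recorded.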
So you've gathered enough evidence and you suspect you're being phished, what's next? (be absolutely certain)
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1) Hint that you're onto them; if they realize they have been made, they may respond in a few ways:
- Curse you out.
- You never hear from them again (they're wiping their computers).
- They double down to try to get money one last time.
It's always good to waste their time; the more time they spend on you, the less time they have for other victims.
A great way to do this is to simply say that you will not send money, nudes, or sensitive information for any reason until you can meet in person in a public area. If neither of you has the intention to meet, then question why you're communicating at all and examine their motive.
2) Report phishing (in Gmail, click the 3 dots, select report phishing). Mobile phones may have a report spam button.
3) If you're very skilled you may be able to turn the scam around on them; legally this is questionable.
4) Report to authorities or professional scam baiters.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So you think you've already been scammed?
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
1) Take your lumps and move on, lessons learned.
2) Contact your bank or the local cybersecurity division of your police station or the FBI depending on the severity of your loss/extortion.
3) Hire a private investigator or white-hat hacker.