In 1993, The New Yorker magazine published the cartoon “On the Internet, Nobody Knows You’re a Dog” by artist Peter Steiner. More than two decades later, this simple illustration continues to highlight the double-edged sword that is the internet’s ability to spread information widely and effortlessly. This is a powerful force multiplier for both good and evil, even more so if the information is wrong, or worse, deliberately misleading with no way to hold anyone accountable for the malicious activity. A few years back I wrote about how easy it was to misinform “the public” with adverse consequences, a trend that seemingly culminated in a highly effective political strategy of deliberately spreading false or misleading stories on Facebook and other social media platforms. Unfortunately, fake news purveyors are upping their game and have now descended to building counterfeit websites that ape actual, legitimate news organizations, hoping to further obfuscate research into an article’s legitimacy now that social media news readers have become a little more savvy.
How does an average citizen tell the real from the fake?
As you might have already noticed, conning someone via the internet has become increasingly likely and common. Where before we could roll our eyes at obvious spam emails filled with broken English and ridiculous schemes, our mailboxes and social media accounts are now flooded with well-funded and cleverly disguised content that appears legitimate, and because no one has the time to investigate every single thing we receive, we take the most expedient path to discovery – we click and consume without engaging some critical reasoning, the internet equivalent of finding out if milk is bad by taking a swig before giving it the sniff test. Unfortunately for us, clicking a bad link or passing along a fake news story will result in way worse consequences than a mouthful of sour milk. Dealing with bad milk is easy – toss that carton in the trash – but how do you hold accountable someone (who might or might not be a figurative dog) on the internet?
All hope is not lost. While it may be tempting to fear that anyone can remain completely anonymous on the internet, it’s actually still difficult to accomplish this. Maybe less so when you have the backing of a nation-state and an army of hackers whose full-time job is to cause disruption through fake news, but the tool they use, the internet, still sees and tracks everything, and spreads the truth just as freely and quickly as the false information. For now it will be a competition to see who can spread information more effectively, and the only way good prevails is if we the audience engage our brains to the fullest whenever we take a dip in the currently muddy waters of the internet.
Just this past week I received two emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even text lifted from actual legitimate emails to camouflage the hook.
How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.
Apply Common Sense
Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple of years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.
Who’s the email from? And who is the actual recipient?
In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct? Call up the sender to ask if they actually sent the email.
In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have to put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account, because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including two that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.
But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!
Are the embedded links legitimate?
Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)
In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?
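The checks above (sender domain versus the brand on the letterhead, the recipient address you actually registered with, CC entries that aren’t addresses, and link text that disagrees with the real href) can be run mechanically against a saved message. The script below is an added example written for this post, not code from the author; it uses Python’s standard `email` library. The sample message embedded in it is constructed, with every host on an RFC 2606 reserved `example` domain, and the brand domain `att.com` and the “registered” address `owner@client.example.net` are assumptions chosen to mirror the two emails described, not the real senders or links from them.

```python
import email
import re
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample, not one of the messages described in the post. All hosts
# use RFC 2606 reserved example domains. It reproduces the tells the post lists:
# a display name claiming one brand over an unrelated sender domain, a recipient
# address the account was never registered under, a CC entry that is not an
# address at all, and a link whose visible text names the brand while its href
# goes somewhere else.
SAMPLE_EML = """\
From: "AT&T Billing" <noreply@tax-refund.example.org>
To: webmaster@client.example.net
Cc: bob@example.net, "not an address", alice@example.com
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready to view.</p>
<p><a href="http://att-billing.example.com.au/login">https://www.att.com/myaccount</a></p>
<p><a href="https://www.att.com/support">Support</a></p>
</body></html>
"""

A_TAG = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def belongs_to(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (att.com, www.att.com)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def host_of(text: str):
    """Hostname of a URL-looking string, or None when the text is not a URL."""
    text = text.strip()
    return urlparse(text).hostname if "://" in text else None


def html_body(msg) -> str:
    """First text/html part of the message, decoded; empty string if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw: str, brand_domain: str, registered_address: str) -> list:
    """Return human-readable findings; an empty list means no tell was found."""
    msg = email.message_from_string(raw)
    findings = []

    # Who is it from? The display name is free text; only the domain after @ matters.
    for _name, addr in getaddresses(msg.get_all("From", [])):
        domain = addr.rpartition("@")[2]
        if not belongs_to(domain, brand_domain):
            findings.append(f"sender domain {domain} is not {brand_domain}")

    # Who is it to? A real notification goes to the address on the account.
    to_addrs = {a.lower() for _n, a in getaddresses(msg.get_all("To", []))}
    if registered_address.lower() not in to_addrs:
        findings.append(f"not addressed to the registered address {registered_address}")

    # Automated vendor mail has no CC list, let alone entries that are not addresses.
    for _name, addr in getaddresses(msg.get_all("Cc", [])):
        if "@" not in addr:
            findings.append(f"CC entry is not an email address: {addr!r}")

    # Do the links go where they claim? Compare the visible text with the real href.
    for href, text in A_TAG.findall(html_body(msg)):
        href_host = urlparse(href).hostname or ""
        text_host = host_of(text)
        if text_host and not belongs_to(href_host, text_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
        if not belongs_to(href_host, brand_domain):
            findings.append(f"link leads to {href_host}, outside {brand_domain}")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EML, "att.com", "owner@client.example.net"):
        print("-", line)
```

Run it on a message you have saved as an `.eml` file by reading the file into `analyze` in place of `SAMPLE_EML`. The href check is the one that matters most: it compares the host a link actually points to with the host its visible text shows, which is exactly what the mouse-over in Outlook reveals, and it flags the link even when the text looks like a perfectly good brand URL.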
What this means for you:
These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.