By John M. Smith, Goodhue County IT director
Does something smell phishy?
No, not the fishing in Minnesota, and no, that is not a typo.
This is about email "phishing." We have all seen them in the inbox - "Here is that important document you asked for" or "Click here to prevent your account from being closed" or the most well-known example, the Nigerian prince who wants to share his inheritance with you.
This type of phishing tries to catch you as the unwary prey and trick you into giving up something of value. And when they go after the big phish - company presidents, CEOs, CFOs - they call it "whaling." Phishing and whaling have now become the No. 1 cyber-attack method and it looks like it is only getting worse.
So what can we do? The short answer is, not much. As long as we accept that email is a vital communication tool, then we have to accept that bad people are going to try to find a way to take advantage of it. Just like the crank calls of my youth, before *69 and caller ID, people will try to trick you into doing something silly if they can.
We wanted to know if your refrigerator was running or if you had Prince Albert in a can (you can Google those if you are too young to know the joke), but the cyber criminals want something much more serious. They want to steal your identity or clean out your bank account or, in what has become one of the most common attacks, hold all of your data for ransom until you pay them to get it back. With phishing, it is always about money and it nearly always starts with an email.
While we cannot stop the criminals from phishing, there are things we can do to avoid taking the "bait." The first thing most organizations do is to install a filter between their email server and the rest of the world. This blocks most phishing and spam email, but some always get through.
With personal email, companies like Microsoft, Google, and Yahoo will filter your inbox, too. You can probably view your spam folder to see what they are blocking. However, even these giant corporations cannot catch everything and you will still find a phishing email in your inbox from time to time.
There are some things we can check when one of those emails does make it to our inbox. First, ask yourself if it seems "phishy." For example, does your friend usually send you emails with nothing in them but a weird-looking link? Does that company you do business with normally send invoices by email marked "URGENT?" If not, you probably want to contact them by phone or with a new email asking if they sent that t
If there are links in the email, you will want to check those, too, before clicking on them. Look for things like minor misspellings - are there two i's where there should be one or are letters transposed? - or a strange prefix on the domain name - is it something like he.companyname.com when it should start with www? - or other differences that just look a little odd.
You can also look at the email address to see if it matches what you expect, though that is sometimes a little harder to verify. While it might display your friend's name or the company name you do business with, it could be something entirely different behind the scenes. You will want to see the email "header" information to see where it is actually from. (You might need to dig into your email program's help file or check with your email provider on how to see the actual email address.)
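For readers who want to automate the link and sender checks described above, here is an added Python example (it is not part of the original column). It assumes companyname.com is the genuine domain; the sample message, the lookalike addresses, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "companyname.com"  # assumption: the domain you really deal with

def edit_distance(a, b):  # edits: insert, delete, substitute, swap neighbours
    d = [[i + j if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def check_host(host, trusted=TRUSTED):
    if host in (trusted, "www." + trusted):
        return "ok"
    if host.endswith("." + trusted):
        return "odd prefix"          # e.g. he.companyname.com
    base = ".".join(host.split(".")[-2:])  # simplification: last two labels
    if 0 < edit_distance(base, trusted) <= 2:
        return "lookalike"           # doubled or transposed letters
    return "unrelated"

class Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlsplit(href).hostname or "")

def review(raw, trusted=TRUSTED):
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"])  # display name is free text; judge the address
    found = [("from", addr, check_host(addr.rpartition("@")[2].lower(), trusted))]
    parser = Links()
    parser.feed(msg.get_payload())
    found += [("link", h, check_host(h, trusted)) for h in parser.hosts]
    return [f for f in found if f[2] != "ok"]

SAMPLE = ('From: "Company Name" <billing@compannyname.com>\n\n'  # constructed
          '<a href="http://he.companyname.com/invoice">Invoice</a>'
          '<a href="http://companynmae.com/pay">Pay</a>'
          '<a href="http://www.companyname.com/help">Help</a>')
print(review(SAMPLE))
```

Anything the function returns is worth a phone call to the supposed sender before clicking; an empty list means only that these particular checks found nothing.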
At Goodhue County, we try to use all of the methods above and more, but we are still always on the lookout. We encourage all employees to use care when opening email links and attachments and to contact the IT Department if anything looks suspicious.
The criminals are getting more and more sophisticated and some phishing emails can appear entirely genuine. Don't take the bait! If something in your email inbox is unexpected or even the tiniest bit out of the ordinary, just ask yourself, "Does something smell phishy?"