If It is Too Good To Be True, It Probably Is – Cross Post

(Originally Posted on Information Security Buzz on 15 January 2014)

There are plenty of tips on the internet that give great advice on how to avoid phishing scams, and other authors on this site will be giving very similar advice. For me though, it always comes down to the following three thoughts that I keep in mind whenever I see an email that could possibly lead to a scam.

1. Is it too good to be true?

If the email in question is offering me something for nothing, especially if money or something of monetary value is involved, it falls into the “too good to be true” category. I have yet to come across an example of someone really giving away iPads, cash or holidays without some kind of quid pro quo involved. If your answer to the above question even looks like it might be a “yes”, the email and its contents can probably be ignored.

2. Don’t Click it!

I have borrowed this particular phrase from Jaded Security, who coined it a few years ago, and I like it because, to be honest, it is simple and memorable advice. There are nuances to this of course, but unless you are experienced, just don’t click links in your email (see number three). As you get used to looking out for this kind of email there will of course be other tell-tale signs that help you decide whether an email is genuine or not. For instance, is the email from a close friend, but they haven’t addressed you by your nickname, seem oddly formal, or have more spelling mistakes (or even fewer) than usual in their message? It could be that their account has been compromised and, because you are in their address book, you are being targeted.

Some people regularly send links in emails, others almost never; if the sender is in the second group, ask yourself why they have suddenly started sending you a link to a sneezing panda clip today.

Finally, if your bank sends you a link to change your password because of system upgrades, don’t click the link they send; go to your usual bookmark for them instead. Your bank should never do this anyway, and clicking on a link in an email like this is almost guaranteed not to send you to your bank, but to a very convincing fake site set up to harvest your usernames and passwords. Just don’t click it.
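The bank example above is the classic case of a link whose visible text and real destination disagree. The following is an added example, not part of the original post, showing how to inspect an email’s links before anyone clicks them: it pulls every anchor out of an HTML body, compares the site the text appears to point at with the host the href actually goes to, and flags hrefs that merely mention a trusted domain inside a host registered somewhere else. The message, the bank name example-bank.com and every other host are constructed for illustration, and the “registered domain” check is a deliberately naive last-two-labels heuristic rather than a Public Suffix List lookup.

```python
"""Inspect the links in an HTML email body before clicking any of them.

Added example, not code from the original post. Standard library only.
All host names below are constructed for illustration; example-bank.com
stands in for the genuine bank and the remaining hosts are hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient actually trusts (assumption for this example).
TRUSTED_DOMAINS = ("example-bank.com",)

# Constructed sample message: one lookalike host, two harmless links,
# and one link whose text shows the bank but whose href is a bare IP.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Due to system upgrades please visit
<a href="http://example-bank.com.secure-login.invalid/reset">www.example-bank.com/reset</a>
to change your password.</p>
<p>Questions? Visit <a href="https://example-bank.com/help">our help centre</a>.</p>
<p><a href="https://cdn.example.invalid/panda.mp4">https://cdn.example.invalid/panda.mp4</a></p>
<p>Or log in at <a href="http://198.51.100.7/login">www.example-bank.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lower-cased host of a URL; bare text like 'www.x.com/path' is accepted too."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    """Naive 'last two labels' approximation of the registrable domain.
    A production tool would consult the Public Suffix List (co.uk, etc.)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess_link(href, text, trusted_domains):
    """Verdict for one link.

    'lookalike': href host mentions a trusted domain but is registered elsewhere
                 (example-bank.com.secure-login.invalid).
    'mismatch':  visible text names one site, href goes to another.
    'ok':        nothing found by these checks; not proof the link is safe.
    """
    href_host = host_of(href)
    href_domain = registered_domain(href_host)

    for trusted in trusted_domains:
        if trusted in href_host and href_domain != trusted:
            return "lookalike"

    # Only compare when the visible text itself looks like an address.
    looks_like_url = "://" in text or ("." in text and " " not in text)
    if looks_like_url and registered_domain(host_of(text)) != href_domain:
        return "mismatch"
    return "ok"


def assess_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Return [(href, visible text, verdict), ...] for every link in the body."""
    return [(href, text, assess_link(href, text, trusted_domains))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, verdict in assess_email(SAMPLE_HTML):
        print(f"{verdict:9s} text={text!r:40s} -> {href}")
```

The verdicts are a prompt to go to your own bookmark, not a safety guarantee: an attacker who controls both the text and the href can make them agree perfectly, which is exactly why the advice in the post is “don’t click it” rather than “check it carefully”.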

3. Fail Safe

It is always better to mistake a genuine email for a scam than the other way around. The consequences of clicking something can be very serious, whereas the consequences of not clicking the attached link are rarely, if ever, serious. Additionally, if it is a genuine request, the sender is likely to send a reminder or contact you through another medium such as SMS, letter or telephone. Of course there are plenty of scams through these mediums too (another topic perhaps?), but you will have the balance of probabilities on your side, and the knowledge that you haven’t done anything stupid.


About Thom Langford

An information security professional, award winning security blogger and industry commentator. Available as a speaking head and presenter on topics relating to information security, risk management and compliance.
