Part 1 covered attacks through your browser. This part is about attacks via email. We just had a mandatory training for all employees at work because somebody had this happen to them on a work machine and it created a ton of trouble. You really have to be on the lookout.
The first rule is to never click any link that you get in an email. If you always follow that rule, you are extremely unlikely to have any problems.
OK, we both know that rule will be broken. So what should you think about before clicking on a link in an email?
- Assume it’s a scam, a virus, or both.
- Are you expecting to receive a link from the sender? Did your buddy call up and say “hey I have this hilarious YouTube video, I’ll send you a link”? If so then you’re probably good to go.
- Does it look like something the sender would normally send you? Did your relative who normally writes you long text-only emails suddenly send you an email that only has a single link in it? Just leave it alone. Wait until you know that it’s something they really sent you before you click it.
- Is some entity like PayPal or your bank telling you that you need to view something on their website? I NEVER click links like this even if I’m completely convinced they are fake. The penalties for being wrong are too great. If my bank says I have an important message about my account security or PayPal says I need to adjust my account settings, I don’t click on the link. Instead, I open up a browser and manually type in the address for my bank. If it’s a legit message, it will also show up somewhere in my account on their site. This is an important guideline to follow with phone calls too. If I ever get someone asking for any personal information, red flags go off. For example, when my credit card company called and said my card had been stolen, they started asking for my social security number, etc. to verify some things. I politely asked for the caller’s name and extension, hung up, called the number on the back of my credit card and got back to talking to that same person. That convinced me he was legit and I continued. It’s too easy to scam people this way! I’ve caught people in the act like this too. Just the other day I had someone calling to collect money for the “King County Police” (which is an imaginary org), so I asked for his name and badge number so I could call him back to verify he was legit. It was a scam and it was funny to hear him squirm. (I later reported it to the sheriff’s office, though it probably doesn’t do much good.)
When in doubt, don’t open a link. If you have to open a link, assume it’s a scam or virus and don’t open the link. If you REALLY have to open the link, see if you can get to that site without clicking on the link. And if you REALLY REALLY have to click the link, make sure that the sender actually intended to send it to you.
Only the paranoid survive. Everyone else gets a virus.