Thursday, February 1, 2018

The Difference Between Spoofing, Phishing and Spam

Cyber criminals and scammers are creative and inventive people, and they keep finding new ways to trick computer users into falling into their traps.

For most of us, the terms Spoofing, Phishing and Spam seem to mean the same thing. They are, however, different from each other, and knowing what to look for can help you stay safe from their effects.

Let’s take a look at their definitions.
Spoofing
Spoofing is the forgery of an e-mail header so that the message appears to have originated from someone other than the actual source. This is usually accomplished by changing the "From" address and/or the sender's display name so that the message appears to come from a known sender. The basic e-mail protocol itself does nothing to verify that header, which is why forging it takes no special skill.

The spoofer (the attacker) hopes you have an account at that organization, which completes the illusion. They know that a message which appears to come from a known source is likely to be opened and acted upon. Such emails ask the recipient to reply with valuable personal information, such as an account number "for verification". The spoofer then uses the information for identity theft: accessing the victim's bank account, changing contact details, and so on.
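As an added illustration (not part of the original post), the following Python script shows the traces a forged From: header leaves behind and how a receiving side can check for them. The two messages are constructed for this example and every domain in them is a placeholder. The checks compare the domain in the visible From: header against the envelope sender (Return-Path), the Reply-To address, and the SPF/DKIM/DMARC verdicts that a receiving mail server records in the Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a spoofed message (not a real capture; all domains are
# placeholders). The visible From: claims to be a bank, but the envelope sender
# and Reply-To point elsewhere, and the receiving server recorded an SPF failure.
SPOOFED_RAW = """\
Return-Path: <bounce@bulk-mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk-mailer.example.net; dkim=none
From: "Example Bank Support" <support@examplebank.com>
Reply-To: verify@examplebank-secure.net
To: customer@example.org
Subject: Verify your account number

Please reply with your account number for verification.
"""

# Constructed sample of a message that passes the same checks.
LEGIT_RAW = """\
Return-Path: <support@examplebank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com
From: "Example Bank Support" <support@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready

Log in at the address printed on your statement to view it.
"""

# Authentication verdicts that mean the claimed sender could not be verified.
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _display_name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return a list of reasons the message looks spoofed (empty = nothing found)."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []

    # 1. Envelope sender (Return-Path) vs the visible From: address.
    #    Mailing lists and bulk senders also differ here, so treat it as a signal.
    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} != From domain {from_domain}")

    # 2. Reply-To steering replies (and the requested account details) elsewhere.
    reply_to_domain = domain_of(msg.get("Reply-To"))
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append(f"Reply-To domain {reply_to_domain} != From domain {from_domain}")

    # 3. SPF/DKIM/DMARC results recorded by the receiving server (RFC 8601 header).
    auth_results = msg.get("Authentication-Results", "")
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth_results)
        if match and match.group(1).lower() in FAILING_RESULTS:
            findings.append(f"{mechanism}={match.group(1)} in Authentication-Results")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, spoof_indicators(raw) or ["no spoofing indicators"])
```

A mismatch between From: and Return-Path is a signal, not proof: legitimate newsletters and mailing lists produce the same pattern, which is why the authentication results written by your own mail server carry the most weight. The headers are only visible through your mail client's "show original" or "view source" option, so this is a check for the suspicious message, not a substitute for the advice below.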

Phishing
Phishing is when a scammer uses fraudulent emails or texts to send you to a replica of a real website and get you to enter valuable personal information into it. The information they are looking for is account numbers, social security numbers, or your login IDs and passwords. Scammers then use your information to steal your money, your identity or both.

An example of a phishing scam: the scammer sends you an email that looks like it comes from a real company you do business with, such as your internet provider, an online store or even your bank. The message may tell you that your account is locked, then instruct you to click the included button or link, which takes you to their replica of the real website, where you are told to enter your account information. If you follow the directions, you have just handed your personal information to the replica site.

The replica looks like the real website: it has the company logo, the log-on button, the privacy notice, and so on. It is done that way to fool you.

One clue that a site may be a fake is that its address (shown in the browser's address bar) won't look exactly right. For example, the addresses of Amazon.com pages all end in amazon.com (e.g. support.amazon.com). A phishing site may:
  • Use a different top-level domain instead of ".com" (e.g. support.amazon.net).
  • Put the company name ahead of the real domain name (e.g. amazon.fakecompany.com). Here the domain actually registered is "fakecompany.com"; "amazon" is just a subdomain that the owner of fakecompany.com can create at will.
  • Spell the domain name slightly differently (e.g. support.amaz0n.com, which uses the digit zero instead of the letter "o").
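To make the three clues above concrete, here is an added Python example (not from the original post) that extracts the host from a link and classifies it against the domain you expect. The expected domain, the sample links and the look-alike character table are assumptions made for this example. It goes one step beyond the list: it also catches a link such as https://www.amazon.com@fakecompany.com/, where everything before the "@" is a username as far as the browser is concerned, and the real host is what follows it.

```python
import difflib
from urllib.parse import urlsplit

# Assumed for this example: the site we expect to be on (placeholder, not tied
# to any real incident).
EXPECTED_DOMAIN = "amazon.com"

# Digits commonly swapped for letters in look-alike domains (zero for "o", etc.).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample links, one per trick plus one legitimate and one unrelated.
SAMPLE_URLS = [
    "https://support.amazon.com/help",
    "https://support.amazon.net/",
    "https://amazon.fakecompany.com/login",
    "https://support.amaz0n.com/",
    "https://www.amazon.com@fakecompany.com/",
    "https://example.org/",
]


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'amazon.com'.

    Simplification: production tools consult the Public Suffix List, because
    for a host such as shop.example.co.uk the registrable part is three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url, expected=EXPECTED_DOMAIN):
    """Classify `url` against the expected registrable domain.

    Returns one of: 'ok', 'userinfo-trick', 'wrong-tld', 'subdomain-trick',
    'look-alike', 'unrelated'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # https://amazon.com@evil.example/ : the part before '@' is a username,
    # not the host; the browser connects to what follows the '@'.
    if parts.username is not None:
        return "userinfo-trick"

    reg = registrable_domain(host)
    if reg == expected:
        return "ok"

    exp_name, exp_suffix = expected.split(".", 1)
    reg_name, _, reg_suffix = reg.partition(".")

    # Same company name, different top-level domain: support.amazon.net
    if reg_name == exp_name and reg_suffix != exp_suffix:
        return "wrong-tld"

    # Company name appears only as a subdomain label: amazon.fakecompany.com
    if exp_name in host.split(".")[:-2]:
        return "subdomain-trick"

    # Look-alike spelling: amaz0n.com (digit swap) or amazn.com (near miss)
    normalised = reg_name.translate(LOOKALIKE_MAP)
    similarity = difflib.SequenceMatcher(None, normalised, exp_name).ratio()
    if normalised == exp_name or similarity >= 0.8:
        return "look-alike"

    return "unrelated"


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{classify_url(url):16} {url}")
```

The only part of the address that identifies who owns the site is the registrable domain (the last labels before the first "/"), which is why the check reduces every link to that before comparing. Everything to the left of it, including a convincing company name, can be chosen freely by whoever registered the domain.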
Spam
Spam is the sending of many copies of the same unsolicited message in an attempt to force it on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products or services; chain letters, political mailings and other non-commercial mass mailings are also categorized as spam. Spam persists because it costs the sender almost nothing to send: the few recipients (out of a very high volume) who accept the offer are enough to make it pay.

The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act of 2003 was signed into law to set national standards for the sending of commercial e-mail, and it makes the FTC responsible for enforcing its provisions. However, many spammers send their messages from outside the United States and simply ignore the law.

How to Stay Safe
  • Pay attention to the website’s web address. Malicious websites may look identical to a legitimate site, but the website address may use a variation in spelling or a different domain.
  • If you are unsure whether an email request is legitimate, verify it by contacting the company directly. Use the contact information printed on your account statement, not information provided in the email.
  • Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or to report phishing.
  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. Don’t follow links sent in email; type the company's address into the browser yourself instead.
  • Keep a clean machine. Keep all software on internet-connected devices, including PCs, smartphones and tablets, up to date to reduce the risk of malware infection.
  • Install anti-malware, anti-spam and anti-virus software on all internet-connected devices.
