
Don’t be Fooled this April

By John B. Folkerts, CISSP, Information Security Manager, Canandaigua National Bank & Trust

Abe Lincoln is reported to have said that “you can fool all of the people some of the time…” and it’s true that every one of us has the potential to fall for a well-planned trick. We are not all-knowing, we get tired and distracted, and our ability to see what’s really going on suffers in these kinds of circumstances.

So, it shouldn’t surprise us that cyber attackers love to target fallible humans to achieve their goals. The most popular of these tricks is known as “phishing,” where the attacker sends a message (by email, social media, or SMS text) that contains some “bait”–but also a “hook.”

The bait can be any kind of convincing story or emotional appeal. Some examples recently used:

  • “Your package has been delayed. Click here to view status”
  • “It’s time to upgrade your email account. Click here to upgrade!”
  • “Your bill is overdue! Click here to avoid late fees.”
  • “You are owed a tax refund. Click here to claim your refund.”

The bait works best if you don’t think before taking action. Usually the action (the “hook”) is to click a link or open an attachment, and that action is where the damage is done. A link can lead to a counterfeit login page that captures your password, or to a website that attacks your browser. An attachment can install malware or steal data from your system.

What can you do to prevent this from happening? First, slow down. Think before you click. Make sure you know the red flags of phishing:

  1. Suspicious sender address. The sender’s name may appear to be a legitimate business or even a friend, but the address could be from a strange domain, or using an unusual username.
  2. Generic greeting. Since phishing attacks are sent to many people at once, they are often not addressed to you individually. “Sir/Ma’am” or “Dear customer” are generic greetings that should invite further investigation.
  3. Spoofed hyperlinks and websites. The phishing email may appear to link to a well-known website, but when you hover your mouse over the link, you will see a different website or domain. Cyber criminals also use link-shortening services to hide their real website.
  4. Spelling and layout. Poor grammar, misspellings, or inconsistent formatting can indicate a phishing attempt.
  5. Suspicious attachments. Any unsolicited email that asks you to download a file or open an attachment should be verified before you open it. Check with the sender through a channel you already trust, not by replying to the message, to confirm that the request is legitimate.
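Several of these red flags can be checked mechanically. The following is an added example written for this article, not the bank’s own tooling: a small Python script that parses a constructed sample email and reports a sender domain that does not belong to the organisation the display name claims, a generic greeting, links that go through a URL shortener, and link text whose hostname differs from the real target (red flags 1, 2 and 3 above). The bank domain, the shortener list and the sample message are assumptions made up for the example.

```python
# Added example, not from the original article: a checker for the red flags
# listed above in a raw email. The sample message, the trusted domain and the
# shortener list are constructed or assumed for illustration.
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: friendly display name on an unrelated domain, a generic
# greeting, one link behind a shortener, one link whose text hides its target.
SAMPLE_EMAIL = """\
From: "Your Bank Alerts" <alerts@yourbank-secure-login.example>
To: customer@example.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Your account has been limited. <a href="https://bit.ly/3abcXYZ">Click here</a>
to restore access, or sign in at
<a href="http://yourbank.example-verify.net/login">https://www.yourbank.example</a>.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"yourbank.example"}  # assumption: the bank's real domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumption: partial list
GENERIC_GREETINGS = ("dear customer", "dear user", "dear sir", "sir/ma'am")


class BodyParser(HTMLParser):
    """Collect visible text and (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def hostname(value):
    """Lower-case hostname of a URL, or of bare text such as 'www.site.example'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(domain, trusted):
    """True if domain is one of the trusted domains or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def phishing_red_flags(raw_message, trusted=TRUSTED_DOMAINS, shorteners=SHORTENERS):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Suspicious sender address: legitimate-looking name, unrelated domain.
    display_name, address = email.utils.parseaddr(str(msg["From"]))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if not is_trusted(sender_domain, trusted):
        flags.append(f"sender domain {sender_domain!r} is not trusted "
                     f"(display name {display_name!r})")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(parser.text).lower()

    # 2. Generic greeting instead of your name.
    for greeting in GENERIC_GREETINGS:
        if greeting in text:
            flags.append(f"generic greeting {greeting!r}")
            break

    # 3. Spoofed hyperlinks: shortened targets, or visible URL text whose
    #    hostname differs from the hostname of the real href.
    for anchor_text, href in parser.links:
        target = hostname(href)
        if target in shorteners:
            flags.append(f"link to URL shortener {target!r}")
        if "." in anchor_text and " " not in anchor_text:
            shown = hostname(anchor_text)
            if shown and shown != target:
                flags.append(f"link text shows {shown!r} but points to {target!r}")
    return flags
```

Run `phishing_red_flags(SAMPLE_EMAIL)` and all four flags come back; a plain note from a colleague on the trusted domain returns an empty list. The sender check deliberately accepts subdomains of the trusted domain but not look-alikes such as `yourbank-secure-login.example`, which is exactly the kind of address red flag 1 describes. Keep in mind that a script like this only helps with flags that can be read off the message; it cannot judge whether the story in the bait is plausible, which is still up to you.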

Any time you are unsure about a message, contact the sender through a phone number you already have or can verify independently (not one printed in the message), and do not reply to the email itself. If you think you may have entered your password on a counterfeit website, change that password immediately, do not reuse the old one, and change it on any other account where you used the same password.

Phishing is one of the more popular methods to get at your personal data. Don’t take the bait! Know the red flags associated with phishing. Stop and think before you click. You never know when someone will try to fool you.

Want to learn more? Visit our Security Center for more information about protecting yourself against cyber and fraud threats.