By John B. Folkerts, CISSP, Information Security Manager, Canandaigua National Bank & Trust
Abe Lincoln is reported to have said that “you can fool all of the people some of the time…” and it’s true that every one of us has the potential to fall for a well-planned trick. We can get rushed, tired, and distracted, and our ability to see what’s really going on suffers in these kinds of circumstances.
So, it shouldn’t surprise us that cyber attackers love to target fallible humans to achieve their goals. The most popular of these tricks is known as “phishing,” where the attacker sends a message (over email, social media, or SMS text) that contains some “bait,” but also a “hook.”
The bait can be any kind of convincing story or emotional appeal. Some examples recently used:
- “Your package has been delayed. Click here to view status” (What package?)
- “Your email account will be removed – click here to upgrade!” (I don’t want to lose access!)
- “Your bill is overdue! Click here to avoid late fees.” (What bill?!)
- “Thank you for your $403.96 payment!” (Wait, I didn’t authorize that!)
The bait works best if you act without thinking. The action they would like you to take (the “hook”) may be to click a link or open an attachment. Lately, attackers are putting a support phone number in a text message to get you to call. Don’t take the bait! Talking to a scammer on the phone never works out well, and links can be used to capture your password or install malware on your system.
What can you do to prevent this from happening? First, slow down. Think before you click. Make sure you know the red flags of phishing:
- The communication is unexpected. Does your bank usually send text messages? For what reasons?
- Suspicious sender address. The sender’s name may appear to be a legitimate business or even a friend, but the address could be from a strange domain, or using an unusual username. Perhaps it comes from a phone number with an unfamiliar area code.
- Spoofed hyperlinks and websites. The phishing email may appear to link to a certain well-known website, but when hovering your mouse over the link, you will see a different website or domain. Cyber criminals may occasionally use link shortening services to hide their real website as well.
- Spelling and layout. Poor grammar, misspellings, or inconsistent formatting can indicate a possible phishing attempt.
- Suspicious attachments. Any unsolicited email that asks you to download a file or open an attachment should be verified before you open it. Check with the sender to see if the request is legitimate.
What can you do if you are unsure about a message? Contact the sender through a verified phone number (look it up separately). Avoid replying to an email or text message directly. If you do think that you may have entered your password on a counterfeit website, change your password immediately and do not re-use the old password.
Phishing is one of the more popular methods to get at your personal data. Don’t take the bait! Know the red flags associated with phishing. Stop and think before you click. You never know when someone will try to fool you.
Want to learn more? Visit our Security Center for more information about protecting yourself against cyber and fraud threats.