Global network planet earth world map.

How to Not Get Hacked by a Phishing Attack

Written by Dane Jasper

November 5, 2008 | 4 min read

We are seeing more reports from customers about “phishing” emails. These are attempts to steal personal information by misleading you into replying with sensitive personal or banking data.

One type of message claims to be from Sonic itself, and says something along the lines of:

> We are currently carrying-out a maintenance process to your sonic.net
> account to fight against SPAM MAILS,to complete this process and if
> you are the rightful owner of this account you required to reply with
> below information of your email
>
> User Name here:(**********)
> Password here(**********)

I love it. Well written stuff, “you required to reply”! Another example:

> We are currently upgrading our data base and e-mail
> account center. We are canceling unused web mail email
> account to create more space for new accounts.
>
> To prevent your account from closing you will have to update
> it below to know it’s status as a currently used account.
>
> CONFIRM YOUR EMAIL IDENTITY BELOW
> Email Username :
> Email Password :
> Date of Birth :

It’s funny in a way, they say “to create more space”, like “it’s getting crowded over here on the Internet, sorry, we’ve got to delete you to make more room in the tubes!”

Another message attempts to create credibility via a signature line, “COMFIRMATION CODE: Sonic.net-/93-1A388-480 Technical Support Team. Another, “Sonic Support/Maintainance Team TSR. I am not sure what a “Team TSR” is, but if we meet them, I can assure you the real Sonic.net staff will beat them soundly at a game of Street Fighter.

The point is, there is an urgent call to action that is totally contrived, but which is intended to get people to react.

They are simply trying to fool customers into providing sensitive information. When these phishing emails arrive, we react and block them, and we block the reply address so any responses customers might send do not make it back to the phish’s sender, but it’s an ongoing and reactive process.

Please, don’t be fooled. Sonic will never ask for your password. We will not ever email and ask for it, and we will not call you and ask for it. (BTW, when these type of things are done over the phone, it’s called “social engineering”, as opposed to email, where it’s called “phishing”. Either way, think before you respond!)

The senders are hoping to gain access to your email box. They would presumably then use this to attempt to gain access to online banking and other sensitive resources. Always use a strong password for your email, and never give it to anyone under any circumstances.

Phishing is a growing problem on the internet, with criminals engaging in all sorts of ruses in an attempt to steal personal and banking information. The Department of Justice advises email users to “stop, look and call” if they receive a suspicious email.

  • Stop: Resist the urge to immediately respond to a suspicious email – and to provide the information requested – despite urgent or exaggerated claims.
  • Look: Read the text of the email several times and ask yourself why the information requested would really be needed.
  • Call: Telephone the organization identified, using a number that you know to be legitimate.

If you have been “phished”, and believe that you have provided sensitive information about yourself through a phishing scam, you should:

  • Contact the business or financial institution affected.
  • Contact the three major credit bureaus and request that a fraud alert be placed on your credit report. The credit bureaus and phone numbers are: Equifax, 1-800-525-6285; Experian, 1-888-397-3742; and TransUnion, 1-800-680-7289.
  • File a complaint with the Federal Trade Commission at www.ftc.gov or 1-877-382-4357.

Consumers should never provide their personal information in response to an unsolicited telephone call, fax, letter, email or Internet advertisement. Don’t get hooked by fraudulent phishing attempts!

To learn more about phishing, see the Wikipedia phishing page.