They got me…
So many times, I have told people how to protect themselves online. So many times, I have informed clients about the needs to hold every communication captive until proven otherwise. Yet, when the ruse was played against me, I failed to see the danger. After 15 years of working with others, I failed to recognize it until it was too late. Allow me to share my tale with you…
It started with an email.
An email addressed from my webhosting company. I clicked on the email header to confirm that it was indeed from a legit email address that handles these types of communications. I then clicked the very long link included inside that email so that I could begin the process of reauthorizing my outgoing mail and removal of the block currently placed on it.
This brought me to a login page. I quickly typed in my username and password for the webhosting account and was delivered to my webhost’s public facing Terms and Conditions page. Yet, this T&C page was static text, no forms for reauthorization, no links to advanced support teams to assist with this event; simply a link to an open page that any user can locate. So to be sure, I backed out and logged in a second time; only to be returned to the Terms & Conditions page.
Then it hit me…I just gave them everything to my hosting account. My personal hosting account that houses all my own pet projects.
I called into the host’s helpline and confirmed that I had indeed given over my contact information to a malicious party. I immediately changed my password and haven’t seen any further issue, but the fact remains that I fell for it; hook, line, and sinker.
How many red flags did you count? Sadly, there were many, but the counting of these failures in vigilance are a tale for another day.
How to Spot the Red Flags of Phishing
Allow me to walk through my pitiful example so I can teach you how to not fall for these phishing attempts. It is important to understand that email is horribly insecure, and that when communicating about important things, email is never your best option.
Email is great for sharing documented ideas and discussions, but urgent matters should always use email as a tool of communication and not as the sole method. Above, I relayed how I failed to recognize a phishing attempt, and due to that failure, I gave them exactly what they wanted: my login credentials for my webhost.
Let’s break down where and how I failed to be vigilant:
Failure #1 – I allowed an email to get my emotions raging.
This is a common trick that has been employed since the dawn of time; debt collectors use it, lawyers use it, even loved ones. Once we become even the slightest bit emotional we draw away from our focus and our decision making capabilities suffer.
Failure #2 – I assumed the email was from a legitimate address.
While, I did click the email header to identify the sender, I did not copy and paste that data into a simple text format like Notepad. It is very easy for spammers to spoof an address (make their email display as something different); however, in a simple text format that spoofing is removed to display the true code and address of the sender.
Failure #3 – I did not read the full text of the long link.
Had I taken the 5 seconds required to read the text of the link, I would have identified 2 separate red flags that would have led me toward doubting their identity.
Failure #4 – I clicked the link.
So many times have we heard it, and I have said it just as many times. DO NOT CLICK THE LINK IN THE EMAIL. Open your web browser, navigate to the webpage in question and log in your standard way. Your dashboard there should repeat whatever the email you received is saying.
Failure #5 – I logged in…twice.
NEVER, NEVER, NEVER, NEVER log in from a link you receive.
Failure #6 – DO NOT WAIT to contact your service provider.
When in doubt, reach out. No one wants to clean up an avoidable mess, we all already have too much to do.
Thankfully, I responded and changed my password before anything could happen, but I was blinded by the ploy and made a fatal error in assuming trust. Only through vigilance can we be safe from phishing attempts. They grow more sophisticated and targeted with each day.