Phishing for Protection

By Bryan Rafie, Spring 2016 Student Intern

The Internet is an ocean. Behind every computer’s screen lie hidden treasures, sunken ships, and giant reefs just waiting for the curious browser to experience. This electronic ocean is also host to a variety of predators, hardened by anonymity and isolation, all ready to ravage the unsuspecting victim. One of these predators is the phisherman. Every phisherman understands the key to survival is patience and selecting the right lure.

In our case, the lure of a phisherman is a cleverly crafted title to a phishing email. A phishing email is an email from an individual impersonating a trusted business, government agency, or close friend to trick the recipient into passing on personal information. These emails have the general appearance of authenticity. They carry the company’s logo or letterhead. They use words or discuss subject matter related to the business or person they are impersonating. The Federal Trade Commission provides the following examples of phishing email messages:

  • “We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
  • “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
  • “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”

As you can see, most of the examples require the recipient to take action. When the recipient responds to the email, the response goes directly to the impersonator who is collecting the information. In some cases, these fraudsters will even create fake webpages and provide a link to them in the email. Any information entered while at the site is transmitted to the impersonator.

A new kind of phishing email is the “Get Protected” email. This email pretends to be from the Social Security Administration, and will normally reference the IRS code, discuss protecting an individual’s social security number, and even discuss the S.A.F.E. Act 2015.

So how can you tell if an email actually is from the SSA? Are you just going to delete every email you receive from them, and what if it’s urgent and does actually require your attention? Here are a few tips for spotting a phishing email:

  • If the email ended up in your junk folder, it’s probably not from the government.
  • If it is from the government, and there is a link in the email, check the hyperlink. If it isn’t a “.gov” extension, beware.
  • If you still have your doubts about the email, call the SSA using a phone number obtained from a source other than the email. They will be able to verify the email’s authenticity.
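
The hyperlink tip above can be automated for an HTML email. The following is an added example, not part of the original article: it extracts every link's real destination and flags any whose hostname does not end in “.gov”, including links whose visible text or URL merely contains “ssa.gov”. The function names and the sample email (which uses reserved example.com/example.net domains) are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_gov_host(url):
    """True only when the hostname the browser would contact ends in .gov."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:          # malformed URL: treat as not .gov
        return False
    return host.endswith(".gov")

def suspicious_links(html_body):
    """Return (href, visible text) for every link that is not on a .gov host."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(href, text) for href, text in parser.links if not is_gov_host(href)]

# Constructed sample email body, not a real message.
SAMPLE_EMAIL = """
<p>Get Protected: <a href="https://www.ssa.gov/">official site</a></p>
<p><a href="http://ssa.gov.example.net/protect">https://www.ssa.gov/protect</a></p>
<p><a href="https://www.ssa.gov@login.example.com/verify">Verify now</a></p>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"beware: '{text}' really goes to {urlsplit(href).hostname}")
```

A link that passes this check has only cleared the “.gov” tip; the junk-folder and phone-verification tips still apply.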

So what do you do with the email? You could just delete it, but if you want to help fight crime, you could forward the email to spam@uce.gov.