The Internet is a dangerous place. That may be what your parents told you when you were young after reading some scary article about a bank account being drained by a scam. Certainly, the Internet can be a dangerous place.
As I’m writing this, MTSU just sent out an announcement from the Information Technology Division (ITD) warning students of a scam being spread by email. Apparently someone is sending students emails claiming to be from the helpdesk, seeking information such as their name, MTSU account login and password.
With this valuable information, the attacker could log in to a student’s MTSU account and get private information such as parent’s name and contact information, a copy of the student’s transcript, access to class information, and more. Moreover, with this access an attacker could log in to the student’s email and use that as a means to reset passwords to popular social media sites, such as Facebook.
Clearly, unauthorized access to a student’s account login is not good. There are a number of things one can do, however, to minimize the risk or prevent such attacks altogether.
These types of attacks are called Phishing. When I was young, I remember going fishing on hot summer days. However, this is a much different kind of Phishing.
Phishing is using electronic communications, such as email, as a means to fraudulently obtain private information such as usernames, passwords or credit card numbers. A certain level of “social engineering” goes into these attacks, because the attacker must present himself in a manner that makes the victim believe they are being contacted by an authority that has a valid need for requesting this information.
Phishing attacks go beyond the campus of MTSU though. Banks are large targets of this type of fraud. Users are constantly being bombarded with emails that appear to come from their bank with links in them. When a user clicks the link, they are taken to a site that looks like their bank’s website, but is far from it. These sites seek to have the user enter their password or account information.
Because the website looks similar in design to the bank’s official website, users are less likely to question the validity of the site and feel comfortable providing this information. The end result, unfortunately, is usually an empty bank account within a few hours. Certainly banks have measures in place to prevent this type of fraud, or to insure customers against fraud, but prevention is the best insurance.
Prevention is indeed the key. And prevention only comes through knowledge. Simply being aware of these types of attacks and knowledgeable of how to properly use email can go a long way toward preventing Phishing attacks and make the Internet a much safer place.
First, be aware that MTSU, your bank, or any other reputable institution will never seek personal or account information through email. Additionally, never release this information over the phone unless you initiated the phone call. If someone calls you and asks for this information, even if they say they are your bank, offer to call them back and verify that the number provided really belongs to who you think it does.
For email, it is wise to look at the From: address and verify the email address looks valid. Although attackers can manipulate email so the From: address looks valid even when it is not, many don’t even bother and you can quickly spot a fraud this way.
Next, never click a link in an email unless you know exactly who the message came from, you expect the link to be there, and you know where the website will take you. Links can be changed so that the text in the email is one address and the link you click is another, so it is usually better to copy and paste the link into the web browser rather than clicking the link directly.
Although not usually associated with Phishing, many attackers send viruses and other malicious software through email in the form of attachments. Avoiding this is simple – NEVER open an email attachment that you weren’t explicitly expecting, including image files and office documents.
Truly, the Internet can be a dangerous place. Proper knowledge of attacks and careful use of electronic communication will ensure your private data remains private.