Finance and Technology

Malware Attacks & How to Protect Yourself Part 2

Dec 2021 | By Greg Gazin

Phishing emails appear to be from legitimate sources, but are masquerading as your bank, Netflix, or a company that you’re with. Or, maybe the Email is telling you that there are updates to an application that you have installed.

Identifying Malicious Emails

Many of the emails that you get in your Inbox may be spam or scam – junk mail. They are usually attempts to sell you unwanted items or, unwittingly, try to convince you to send fees in the form of gift cards to Nigeria in order to collect a huge inheritance. However, many phishing emails are more malicious in nature and are designed to steal your personal information, give access to your webcam or take over your computer.

Some are well-disguised, but others are easily identifiable if you know what to look for. Take, for example, an email that’s supposedly from Netflix asking you to update your payment details. If you don’t have a Netflix account, no need to worry. If you do, hover over the address. Chances are it’s not from Netflix.

Phishing emails often have spelling mistakes and grammatical errors, as well as an unexpected, or inconsistent, tone. The email may switch from sounding too friendly to too formal within the same body of text. It may read overly verbose, or use vernacular attributed to a different country. If a bank is demanding payment within a fortnight, instead of 14 days, for an overdue investment loan, or if they refer to an RRSP as a 401K, then something’s fishy.

Under the Guise of a Legitimate Institution

Pay attention to grainy, or low-resolution, images, as well as outdated logos. CIBC recently rebranded. If you receive an email with the old logo, take note. A screen shot that was taken from a legitimate email, or a website, might have been pasted into an email.

Any email that asks for personal information, like your social insurance number or your bank account – even PIN numbers – are fake, as no institution would ask you to provide such sensitive data in an email.

If In Doubt – Don’t

If you’re not sure about the sender, and even less sure about the attachment that they sent – don’t open it. Attachments can contain viruses when opening and downloading, that might install code to take over your computer. If the attachment has an extension of .exe (executable) or .scr (script), then they are definitely suspect.

Links (also called URLs) are another common phishing technique. They may appear to link back to a legitimate source but, again, if you hover over it, it’ll take you to somewhere totally different. Others might look like that their pointing you to a legitimate website, but if you look closely, the web address may be off by a single letter. Apple may appear as Aaple or Appple, or an “O” may be disguised as a zero, which can be easily missed in a long web link.

If It’s Too Good to be True

When you see a special offer, it’s natural to be tempted to click on the link. To be sure, search for the company’s website to see if the promotion is being offered. Don’t trust phone numbers. Again, go back to the source and contact them through their legitimate link.

Verification is the Way to Proceed

Some email services, like Gmail, will automatically flag malicious emails through advanced phishing and malware protection. A warning may appear right within the email.

Microsoft offers ‘Defender for Office 365’, with protection built right into their suite of Apps.

Companies that specialize in anti-viral protection, like Norton, include a free safe web checker called SafeWeb, which offers its opinion, as well as a community rating on the link/site if previously reported. Another free URL checker is e.Veritas. AVG offers protection by alerting you, and then stopping you from going to the site once you’ve clicked on it.

Google Transparency Report offers you safe site status, which includes legitimate sites that may have been compromised. ScanURL doesn’t check the link itself, but goes to a third-party service for verification.

If you feel you’ve been compromised, contact the company immediately, change your password and run a scan on your computer. Nothing is ever foolproof, so proceed with caution.