“There’s A Problem With Your Package From Amazon”
Security researchers at Check Point have warned that phishing attacks related to online shopping and shipping of goods have risen 440% in November, indicating a huge rise as people are shopping for the holidays – even more so online with the global pandemic this year. As such, this seems like a great time for all of us to take a moment to remember the basics of phishing and how to protect ourselves.
What is Phishing?
Phishing is a technique almost as old as the internet itself. Phishing is when a malicious actor attempts to get someone to click on a link for malicious reasons. A few common examples you may have seen include “there’s a problem with your PayPal account, login here to resolve it,” which takes you to a login page that looks real but actually forwards your login credentials to the attacker, or an email that says “here’s those files you wanted” and includes what appears to be a Word document but is actually a virus. Typically, the goal of phishing is to get access to a person’s account, but sometimes the goal can be to plant ransomware, make a botnet, or pretty much any nefarious purpose. Don't underestimate phishing: it may seem silly and hard to fall for, but it's been one of the top methods of “hacking” since forever. I forget where I read this so I won't quote it as fact, but I do remember reading once that a former NSA officer admitted that it was the NSA's primary method of gaining access to a targeted account, even over all the other fancy hacks and resources available to the agency.
So What are the Defenses?
The main defenses against phishing come down to three major principles:
1. Vet your emails. If you get an email from FedEx about a problem with your package, first off, did you order a package? Second, did it get shipped FedEx? As a more year-round example, if you get an email from a coworker with an attachment, were you actually expecting that attachment? Don’t be afraid to ask questions. If you weren’t expecting that email, call them and ask to make sure it was them.
2. Don’t click the link. Instead, go directly to the website and log in. For example, if you get an email from Amazon saying there’s a problem, go directly to Amazon and log in there. If the email was legit and there really was a problem, you’ll be alerted to it as soon as you log in. If you click the link, it might take you to a page that looks exactly the same but isn’t, and scammers have gotten real good at faking it. Don’t trust yourself to catch it. These guys get rich off scamming people smarter than both you and me. Don’t risk it. If it’s an attachment, I think most of the time it’s probably safe to open (assuming you verified you were expecting it), but if you’re fairly tech savvy it could be a good idea to set up a virtual machine that you use strictly for opening email attachments to ensure that they’re safe.
3. Keep your antivirus updated. New malware is being built and discovered constantly, and no matter what antivirus service you use, they are doing their best to keep their definitions updated. By keeping your antivirus software up to date, you ensure that it has the most recent definitions and the best chance of spotting a virus before it even gets in.
Advanced Defense
As with almost anything in privacy, there’s also a higher level of work you can do. For starters, using Linux greatly reduces the number of threats aimed at you. This is not a silver bullet. Malware targeting Linux does exist. However, since Windows has over 75% of the market share (and is most commonly used by governments, educators, and other industries), most attackers focus their attention there. This means that just by using Linux, a great deal of malware isn’t compatible.
Another advanced technique would be to use Virtual Machines. You can create a Fedora virtual machine for free in minutes and it will not only provide you with the excellent security of the Fedora Linux distribution, but also the additional advanced security of having a virtual machine. Think of a virtual machine as a computer within a computer, totally isolated from the device that it’s actually running in. While breaking outside of a virtual machine is not impossible for malware, it is incredibly difficult. You can create a virtual machine that you use exclusively for opening suspicious emails and attachments and further enhance your security.
Of course, whether you stick to the basics or try some advanced techniques, you should be using strong passwords and two-factor authentication on all your accounts. That way, even with the virtual machine strategy, your email account is unlikely to be compromised or taken over by malware. Remember to be on guard this holiday season, and I hope all your packages arrive on time and unbroken.
Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more.