We know we shouldn’t give out or usernames or passwords. In the digital age, sharing that information can lead to all kinds of trouble, including losing control of your account and theft of personal data. But when the request comes in the form of an email from a company with whom you have a legitimate account, it can be hard to tell if the request is bogus. In August 2016 GoDaddy customers faced just such a phishing dilemma.
Phishing, which is defined as “a fraudulent attempt to get you to provide personal information, including but not limited to, account information,” by phishtank.com.
The company was targeted for a phishing attack that sent customers an email describing a problem that needed their attention. But the link to the fake GoDaddy site with a login screen gave hackers control of the account. The company warned their customers after they learned about the fake request.
“The email states that there is an issue with the amount of directories in their GoDaddy account, and provides a link that appears to help. Once a person clicks this link, it directs them to what looks like a GoDaddy login page. However, if you hover over this link, you’ll notice it does not take you to GoDaddy.com.”
To make the point abundantly clear, the next statement looked like this:
Please DO NOT click on this link. If you do click the link, DO NOT fill in any information. This is a phishing email.
Hackread.com reported on this scam and had some fun with the GoDaddy logo. But it’s the way GoDaddy told readers how to respond that makes the lesson a valuable one.
Are You Being Phished?
If you’ve never seen a phishing email – or maybe you did but didn’t know that’s what it was – it’s difficult to know what to look for. Anyone can copy/paste a logo and match a text font, the common methods to visually verify the legitimacy of an email. To show how these illegitimate emails can dupe the receiver, GoDaddy provided examples of the fake emails, pointing out how the URLs were incorrect.
And showed customers where to look on the fake login page.
Unfortunately, some customers fell for it and were frozen out of their accounts. So the company used it as a teachable moment. The statement included what to do “if you clicked.” These instructions are a good procedure to follow anytime you think your click might not have been legit.
- Reset your account password.
- Update your account PIN and security settings.
- Review and verify your domain’s contact information.
- Update your account’s on-file payment methods. We recommend replacing all existing payment methods since credit card information can be used to validate your account.
- As an additional step, we recommend enabling two-factor authentication. This adds another layer of protection by requiring a one-time validation code to log in to your account or make certain account changes.
Report Early And Often
Most tech companies want customers to report these issues because it helps them to mitigate problems. Todd Redfoot, Chief Information Security Officer for GoDaddy, explains that the company has multiple reporting venues to make the process easy.
“Customers often email and phone suspicious emails into our call center,” he says. “Additionally, we offer a front of site form where customers can report.
“Those emails are forwarded to security for analysis and we respond through our customer care organization with next steps.”
Redfoot also points to a recent post that offers guidance for avoiding scams during the holiday season.
- Short-Term Deals – If an email offers a good deal, don’t click any links. Check the company’s website home page. That product should be easy to find on their website if it’s the real deal.
- Too Good to be True – If it sounds too good to be true, it probably is. Do a Google search for the offer, and see what others are saying about it. You might quickly find that it’s a scam.
- Traffic Citations – Our government does not use email for traffic violations. Look for officially signed and sealed documents in your home mailbox, as well as photos of the infraction. Everything else, delete.
And all the usual cautions about screening email apply.
- Check the URL by rolling your mouse over the link (DO NOT CLICK) and compare it to the email address. If they don’t match, hit delete immediately.
- Don’t open email from someone you don’t know.
- Don’t open attachments you aren’t expecting to receive.
- Even if you get an email from someone you know with an attachment, check the email address of the sender to see if it’s familiar – if that address isn’t in your contacts, delete it.
- Stay away from junk (or bulk) mail. Any email that lands in this folder is probably there for a good reason. Most can be purged immediately.
- Avoid junk (or bulk) mail. Any email that lands in a junk or spam folder is likely there for a good reason. Delete without opening
Also look for things such as a generic greeting (“Hello”), and the request for personal information is always a red flag. If you think a company or a friend actually needs some information, it’s best just to give them a call. It takes a little bit longer, but it’s still less time than dealing with the consequences of identity theft or canceling credit card accounts.