What do you think a fishing attack looks like?
你觉得钓鱼攻击是什么样的?
This? Or this?
这样? 还是这样?
Maybe… this?
还是......这样?
Ugh, not quite.
啊,都不是。
In this instance, we're spelling "fishing" with a PH, and it's one of the most common online scams around.
我们这里说的是phishing,这是一种最常见的网络诈骗形式。
So what is it?
它到底是怎么样的呢?
Say you receive an email from your bank.
比如说,你收到一封银行发给你的邮件。
They're asking you to log in to your account and update your details - they've even provided a handy link that will take you straight to the relevant page. Great. Except, that email isn't from your bank. . .
他们要求你登录账户并更新资料——他们给你提供了一个链接,点进去就会直接跳转相关页面。很好。除了给你发邮件的不是银行......
It's from me.
而是我。
And I've set up a very convincing website that looks just like your bank's site.
我创建了一个几乎和银行网址一模一样的网页。
So when you click my link and follow the bank's instructions, what you're actually doing is giving me all your login information, and whatever personal or banking data I've asked for.
所以,如果你点击了链接并根据提示照做的话,你其实是在告诉我登录信息,以及个人或银行数据。
Thanks!
真是太感谢了!
These kinds of emails have become commonplace in recent years, to the point that they're a bit of a joke.
这类电子邮件近年来已经司空见惯,甚至我们都把它当笑话来讲。
We've all laughed at the "Nigerian Prince wants to send me his fortune" email.
我们都嘲笑过写着“尼日利亚王子想给我钱”的电子邮件。
"It's so obviously a scam!
“这很明显就是个诈骗!
How does anyone fall for it?" Well firstly - if it didn't work at least some of the time, no one would do it.
怎么会有人相信呢?” 首先,如果这种手段从来没有成功过,那就没人会去做了。
But secondly, by making you believe that all phishing emails are that obvious, those scammers have lulled you into a false sense of security, meaning you're much less likely to spot a better-executed attempt.
其次,骗子试图让你相信所有的网络钓鱼邮件都是那么蹩脚,好让你产生一种虚假的安全感,这样你就不太可能识别更高端的诈骗手段。
In a 2015 study, 97% of people were unable to identify sophisticated phishing emails.
2015年的一项研究发现,97%的人都无法识别周密的诈骗邮件。
How many of those people thought they were too smart to be fooled?
这里面有多少人觉得自己很聪明,不可能别骗的?
Part of the problem is that many people don't realise how personalised phishing can be.
一部分原因是很多人没有意识到现在的网络诈骗可以做到非常个人化。
Targeted attacks are called 'spear phishing' and they're geared towards you.
有针对性的诈骗又叫“鱼叉式网络钓鱼”。
Usually the "phishers" will have some prior information on you, taken from social media or online public records.
通常来说,诈骗者会提前通过社交媒体或者网络公开记录获取你的信息。
They use this to tailor an email which seems too specific to be a generic scam, and so is far more believable, and likely to yield results.
他们利用这些信息来为你“订制”一封邮件,这种邮件内容详细具体,看起来不像是一般的诈骗,所以更加可信,成功率更高。
And scammers know this - in a review of over half a million mailboxes, it was found that 77% of spear-phishing attacks targeted ten people or less.
骗子们很清楚这一点——一项对50多万个邮箱的审查发现77%的鱼叉式网络钓鱼的目标是10人或以下。
More alarmingly 33% targeted just one.
更可怕的是,33%的诈骗邮件只针对一人。
So what does one of these look like?
那么这类邮件长什么样呢?
Well, say your colleague has gone on holiday to Mexico.
比如,你的同事去墨西哥度假。
You know he's in Mexico because you saw him check into the airport on Facebook.
你知道他在墨西哥,因为他在脸书上发了在机场的照片。
A few days later, he sends you an email: He's really sorry to reach out - his phone, wallet, and passport have been stolen, but fortunately he remembered your email address.
几天后,他给你发邮件:他很需要你的帮助——他的手机,钱包,护照全被偷了,所幸还记得你的邮箱地址。
Could you possibly wire him some money, using this link?
你能不能通过这个链接给他汇点钱?
Obviously he'll pay you back, he's just in a bit of a tight spot and needs to pay the consulate for his new passport.
他当然会还钱的,他只是现在情况有点紧急,需要向领事馆支付新护照的费用。
None of this is particularly far-fetched or difficult to believe.
邮件内容一点都不牵强,或是很难相信。
But all the same, it's not true - this is a spear-phishing attempt.
但同样的,这都是假的——这是一个鱼叉式网络钓鱼。
Your colleague's Facebook privacy settings are wide open, so his airport check-in was visible to the whole world - including our scammer - who only needed five minutes to google your colleague's workplace, find you and your email address, and then fire off a compelling sob-story.
你同事的脸书是完全开放的,所以全世界都能看到他在机场登机的照片——包括诈骗犯——他只需要花5分钟来搜索你同事的工作地址,然后找到你和你的邮箱地址,再给你发送这个悲惨事件。
But it doesn't even need to be that specific - how many people are going to question a Google Calendar meeting invitation from their boss?
它甚至不需要那么具体——有多少人会质疑老板的会议邀请?
Just click here to RSVP, sign into "Google", and as easy as that, you've given away your login details.
点击此处,登录“谷歌”,你的登录信息就完全泄露了。
So, aside from ignoring emergency emails from your friends, and deleting anything your boss sends you without opening it, what can you do to stay safe?
所以,除了忽略朋友的紧急电子邮件,删除老板发给你的任何东西,你还能做些什么来保证安全呢?
Firstly, when you get an email, check - really check - that it is what it says it is.
首先,收到邮件时,核查,仔细核查。
Secondly, never click any links provided.
其次,不要打开别人给你发的链接。
If someone wants you to log in, go to their website independently and log in from there.
如果别人想让你登录,那么先进入官方网页,去那里登录。
If you're still unsure, find a legitimate number and call the company involved to ask about the e-mail.
如果你仍然不确定,致电相关公司询问有关电子邮件的情况。
Customer security is a big deal and they won't be fazed by being asked questions like this.
客户安全是一件大事,他们不会对这样的问题感到困扰。
Thirdly, if you absolutely have to follow a link, triple check the URL of the website that you've been sent to, and make sure it matches up with where you login normally.
第三,如果你必须要点开链接,务必再三检查网站的统一资源定位地址,确保它和你平常登录的网址一致。
Just seeing a padlock is not enough.
光看网页上的挂锁符号是不够的。
There are all kinds of tricks to fool even those with a deep understanding of URL schemas, so you need to exercise extreme caution.
即使是那些对URL模式有深入了解的人,也有各种各样的花招愚弄他们,因此需要格外小心。
Phishing attacks are called that for a reason - a lot of the time, those behind them are just throwing out a line and seeing who bites.
这种诈骗手段被称作“钓鱼”是有原因的——很多时候,诈骗者只是放出“一条线”,等着看谁会上钩。
But by being aware of how these kinds of scams operate and exercising vigilance, you're making it far less likely that you'll be the one to take the bait.
但通过了解这些骗局的运作方式并保持警惕,你就大大降低了上钩的可能性。
用户评论