h2g2 The Hitchhiker's Guide to the Galaxy: Earth Edition

When I took my current job, about 3.5 years ago, phishing was taboo. If someone had managed to hack into your e-mail and cause havoc, then it was all kept very quiet. The victims often included people at board level, and it was important not to embarrass them, or to panic shareholders, say, to the fact that highly confidential data may have been at risk.

The IT teams who recovered the situation worked within a cloak of secrecy - it was entrusted to only the most senior support personnel. They would update the company firewall software to block any dodgy websites linked in the phishing e-mail. They would look to see which users had accessed those sites, then change their passwords. They would delete (or quarantine) the e-mail itself from users In-boxes.

In more serious circumstances, there would be viruses involved - malware installed on people’s PCs which could replicate itself through the company network. People would need to run virus scanners, and often other tools to remove any malware found.

But it was all kept very quiet so as not to panic people, to provoke inquisitiveness, or cause embarrassment. This changed maybe a year ago when the company decided they needed to confront the problem head-on. They appointed a Director of Cyber Security, who organised a campaign of information to help people avoid these attacks. They introduced things like 2-factor authentication (linking your e-mail to your mobile phone for SMS password notifications). They also bombarded people with information on the problem - posters, seminars, leaflets.


Phishing hackers want your password, so they can get hold of your data. They do this through carefully crafted unsolicited e-mails, so it’s important to be able to spot these - they can look surprisingly genuine. Things you might be suspicious of are the sender name and e-mail address, the subject line (which may be urging you to read something), the general quality and style of the e-mail, and the fact that the mail will contain a link or attachment.

You can check links by hovering your mouse over them without clicking - the link's destination address may be shown at the foot of the screen or in a pop-up, depending on your operating system. Is the address of this link legitimate and relevant? Is an attachment relevant? If not, then obviously don’t click anything. Just delete the e-mail. If it was genuine and important, they’ll contact you another way - it’s only an e-mail after all.

Perhaps the best defence is to cultivate a natural mistrust of unsolicited e-mail. Phishing e-mails have graduated beyond the Nigerian princes, but they may tell you to check if you’ve won a prize, or to check an unpaid invoice, or a delivery note - all things which will fool a few of the people some of the time. Just don’t let it be you.

"Perhaps the best defence is to cultivate a natural mistrust of unsolicited e-mail" [Icy North]

Mistrust of e-mail comes naturally to many of us, especially when there is so much of it. Who has time to read the barrels of spam that arrive daily?


[Well, spam doesn't actually come in barrels.....]

The fact that there's so much of it makes it more of a danger - we have no time to read them and make a good decision every time.

I was caught out by one. I just clicked on the link after a marathon session reading through around 1,000 e-mails after I'd come back to work after being off sick. I got a nasty note telling me that it had been planted by the Cyber Security Director to see who was susceptible to phishing - I was livid! It was a really obvious plant - I was just exhausted.

But I got my own back when I saw another dodgy one the other week and forwarded it to his 'reporting spam' account without opening it. I got a lovely reply telling me how wonderful I was now I'd passed his test.

Hook, line, and stinker .

Yes, I've noticed some cunning e-mails recently, such as ones that look to be from acquaintances, asking for help, but they ask you to click a link e-mail address to reply to them, and there is a slight difference in the e-mail address so someone else would receive your details.

We also get a lot of e-mails pretending to have invoices attached, that could, and indeed do, catch people out if they're just in a routine of processing transactions and don't spot the subtle warning signs...

My company receives something like 50 million e-mails a year. We have a program which deletes 95% of them automatically because they are either spam or scam.

Did you write that program, G?

No. I fix mistakes in other people's programs generally rather than writing them myself.

So whilst I have your attention what's the best anti virus for laptops in your opinion
Norton
Macafee
Panda
Or is there any better
thank you in advance

[Amy P]

I've only ever used Norton. People tell me it's not as good as the others, and it's certainly not cheap, but I haven't had a virus since I started using it 20 or so years ago.

But then you don't respond to phishy mails.

I also use Norton. It can slow down your machine a lot so it is best to have a new, fast computer. I also have never got a virus.

Norton changes all suspicious links in phishing emails so that they don't work, making it difficult to open the accidentally.