保護(hù)您的賬戶免受網(wǎng)絡(luò)釣魚攻擊

網(wǎng)絡(luò)釣魚一詞指涉及虛假網(wǎng)站和電子郵件或其他消息的身份盜竊詐騙。網(wǎng)絡(luò)釣魚攻擊的目的是獲取您的賬戶和敏感信息的訪問(wèn)權(quán)限。攻擊者可能模仿聲譽(yù)良好的網(wǎng)站來(lái)創(chuàng)建自己的網(wǎng)站，或向您發(fā)送似乎來(lái)自可靠來(lái)源的消息。網(wǎng)絡(luò)釣魚消息可能來(lái)自虛假賬戶或已被黑客攻擊的賬戶。

備注：如果您認(rèn)為自己通過(guò)可疑渠道共享了個(gè)人信息，并且您的信息和身份面臨風(fēng)險(xiǎn)，請(qǐng)遵循政府指南執(zhí)行操作。

網(wǎng)絡(luò)可能會(huì)要求您完成以下任務(wù)：

• 訪問(wèn)鏈接。

• 下載文件。

• 打開(kāi)附件。

惡意軟件 — 蠕蟲、木馬程序、僵尸程序和病毒等惡意軟件 — 會(huì)在您執(zhí)行任何以上操作時(shí)感染您的計(jì)算機(jī)或移動(dòng)設(shè)備。感染設(shè)備后，入侵者便可以訪問(wèn)您的個(gè)人信息。

網(wǎng)絡(luò)釣魚詐騙可能還包括直接請(qǐng)求個(gè)人信息（如銀行賬戶憑據(jù)）。

網(wǎng)絡(luò)釣魚詐騙可能會(huì)要求您提供以下個(gè)人信息：

• 通過(guò)電子郵件或其他消息傳送系統(tǒng)。

• 通過(guò)表格。

• 欺詐性的電話號(hào)碼。

• 通過(guò)偽造的真實(shí)地址。

即使要求您輸入電子郵件地址和重置密碼也可能是危險(xiǎn)的。

備注：將您收到的任何網(wǎng)絡(luò)釣魚郵件轉(zhuǎn)發(fā)至 的安全收件箱，地址為 safety@shopify.com。通過(guò)建立商家所受攻擊的記錄，Shopify 可以更好地保護(hù)您和您的信息。

認(rèn)識(shí)警告標(biāo)志

您可以通過(guò)了解警告標(biāo)志來(lái)防范網(wǎng)絡(luò)釣魚。無(wú)論顯示的發(fā)件人是誰(shuí)，都要仔細(xì)閱讀郵件；無(wú)論網(wǎng)站看起來(lái)多么熟悉，都要仔細(xì)檢查。

過(guò)于籠統(tǒng)的語(yǔ)言

雖然網(wǎng)絡(luò)釣魚可能經(jīng)過(guò)深入研究并針對(duì)您和您的企業(yè)進(jìn)行定制，但籠統(tǒng)的語(yǔ)言是網(wǎng)絡(luò)釣魚詐騙的標(biāo)志。如果郵件看似來(lái)自您信任的組織但是以模糊的語(yǔ)句開(kāi)頭，比如尊敬的賬戶持有者，請(qǐng)保持警惕。

同樣，假如某封郵件向您承諾有千載難逢的商業(yè)或財(cái)政機(jī)會(huì)，但卻未提供足夠的詳細(xì)信息讓您能夠確認(rèn)發(fā)送者認(rèn)識(shí)您，那么這也可能是詐騙：

我是 Frederick，一名銀行家。請(qǐng)盡快就可能已故親屬的遺產(chǎn)與我聯(lián)系。我無(wú)法通過(guò)短信分享太多信息。請(qǐng)通過(guò)以下地址給我發(fā)送電子郵件。

個(gè)人賬戶中的商業(yè)信息

豐富的攻擊者可以通過(guò)您的在線業(yè)務(wù)收集充足的信息，從而創(chuàng)建看似來(lái)自真實(shí)聯(lián)系人的郵件：

批發(fā)價(jià)格更新

您好，Georgia，我想向您提供最新資訊。這是我們當(dāng)前批發(fā)價(jià)格的電子表格：fabric-prices-2016-oct.xls

希望您對(duì)上一批襯衫滿意!如果您有任何問(wèn)題或疑慮，請(qǐng)與我們聯(lián)系。

--

Julia Chan

客戶經(jīng)理

示例形式

為發(fā)送攻擊，他們會(huì)侵入您的聯(lián)系人的企業(yè)賬戶或創(chuàng)建虛假的個(gè)人賬戶。例如，如果您的聯(lián)系人 Julia 的個(gè)人電子郵件用戶名為 juliachan3857，攻擊者可能會(huì)使用用戶名為 juliachan9665 的賬戶發(fā)送電子郵件。這種攻擊形式依賴于兩方面的因素：

• 人們會(huì)不小心用錯(cuò)誤的賬戶發(fā)送電子郵件。

• 即使您知道 Julia 的個(gè)人電子郵件地址，但您也許不會(huì)仔細(xì)查看。

拼寫錯(cuò)誤、語(yǔ)法錯(cuò)誤、樣式多變

犯罪分子并不像專業(yè)的網(wǎng)絡(luò)內(nèi)容撰稿人那樣認(rèn)真對(duì)待內(nèi)容風(fēng)格指南。除了拼寫錯(cuò)誤和語(yǔ)法錯(cuò)誤，在一個(gè)頁(yè)面中出現(xiàn)以下類別的變化形式也可能表明是欺詐網(wǎng)站：

• 拼寫。

• 大寫。

• 編號(hào)。

• 標(biāo)點(diǎn)。

• 格式。

危言聳聽(tīng)或過(guò)于激動(dòng)的語(yǔ)氣

當(dāng)心時(shí)間緊急的請(qǐng)求，這些請(qǐng)求企圖通過(guò)威嚇使您不假思索地采取行動(dòng)。例如，Shopify 不會(huì)向您發(fā)送包含以下內(nèi)容的消息：

我們遇到了異常嚴(yán)重的服務(wù)器故障。在 24 小時(shí)內(nèi)回復(fù)您的用戶名和密碼，否則您將永久無(wú)法訪問(wèn)您的商店。

同樣，注意那些看起來(lái)好得令人難以置信的優(yōu)惠信息，例如只有您立即參加才能獲得旅游公司 90% 的折扣。

看起來(lái)不正確的 URL

網(wǎng)絡(luò)釣魚嘗試可能包含看起來(lái)合法的 URL，不仔細(xì)查看將無(wú)法發(fā)現(xiàn)。許多網(wǎng)絡(luò)釣魚嘗試使用故意選擇的 URL，它們類似于您熟悉的 URL。如下表所示，如果您通常通過(guò)合法 URL 從 Example Apparel 購(gòu)買游泳衣，并且您收到一封帶有虛假 URL 鏈接的電子郵件，您便可分辨出這是一次網(wǎng)絡(luò)釣魚嘗試。

真實(shí)的 URL 會(huì)將您引導(dǎo)至屬于 Example Apparel 的域名 example-apparel.com 中的網(wǎng)站，而虛假 URL 會(huì)將您引導(dǎo)至可能為犯罪分子所有的域名 com-aquatic.net 中的惡意網(wǎng)站。

使用其他溝通方式提出疑慮

親自對(duì)話或通過(guò)電話與可能發(fā)送可疑信息的人交談，并通過(guò)與組織中的某人交談來(lái)解決對(duì)網(wǎng)頁(yè)的擔(dān)憂。

如果您通過(guò)電話聯(lián)系發(fā)件人，請(qǐng)撥打已存檔的號(hào)碼或出現(xiàn)在多個(gè)信譽(yù)良好的在線來(lái)源上的號(hào)碼。例如，如果您通過(guò)電子郵件收到來(lái)自稅務(wù)代理機(jī)構(gòu)的可疑信息請(qǐng)求，請(qǐng)撥打去年納稅申報(bào)表上的電話號(hào)碼。請(qǐng)勿撥打可疑網(wǎng)站或電子郵件中顯示的號(hào)碼。

The term phishing describes identity theft scams involving phony websites and emails or other messages. The goal of a phishing attack is to gain access to your account and sensitive information. An attacker can create their own website that mimics a reputable one or send you a message that seems to come from a trusted source. Phishing messages can come from a fake account or an account that has been hacked.

mises an important business or financial opportunity but doesn't include enough detail for you to confirm that the sender knows you, then it might be a scam:

I am Frederick, a banker. Pls contact me asap regarding a possible late relative's inheritance. Can't share much via sms. Email me at the address below.

Business messages from personal accounts

Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact:

Wholesale Pricing Update

Hi Georgia, I just wanted to update you. Here is a spreadsheet of our current wholesale prices: fabric-prices-2016-oct.xls

I hope you were satisfied with the last batch of shirts! Please let me know if you have any questions or concerns.

--

Julia Chan

Account Manager

Example Fabrics

To send an attack, they can hack into your contact's business account or create a phony personal account. For example, if the username for your contact Julia's personal email is juliachan3857, then an attacker might send an email from an account with the username juliachan9665. This form of attack depends on two tors:

• People send emails from the wrong account by mistake.

• Even if you know Julia's personal email address, then you might not look too closely.

Misspellings, poor grammar, and style variations

Criminals don't take content style guides as seriously as professional web content writers. As well as typos and grammar errors, variations in the following categories within a single page can show that a website is fraudulent:

• spelling.

• capitalization.

• numbers.

• punctuation.

• formatting.

Alarmist or overexcited tone

Watch for time-sensitive requests that try to scare you into acting without thinking. For example, Shopify won't send you a message saying:

We've had a catastrophic server failure. Respond with your username and password in the next 24 hours or you'll lose access to your store permanently.

Similarly, watch for messages making offers that seem too good to be true, such as a 90% discount from a travel company available only if you act now.

URLs that don’t look right

Phishing attempts can include URLs that appear legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. As shown in the table below, if you normally buy swimming attire from Example Apparel at the legitimate URL and you receive an email with a link to the fake URL, then you can tell that it's a phishing attempt.

The real URL directs you to a site at the domain example-apparel.com, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain com-aquatic.net, which is likely owned by criminals.

Raise concerns using another mode of communication

Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.

If you contact the sender by phone, then use a number you have on file or that appears on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that appears on a suspicious website or email.

特別聲明：以上文章內(nèi)容僅代表作者本人觀點(diǎn)，不代表ESG跨境電商觀點(diǎn)或立場(chǎng)。如有關(guān)于作品內(nèi)容、版權(quán)或其它問(wèn)題請(qǐng)于作品發(fā)表后的30日內(nèi)與ESG跨境電商聯(lián)系。