Shopify賬戶保護和防范

2022-03-28

865

網絡釣魚一詞指涉及虛假網站和電子郵件或其他消息的身份盜竊詐騙。網絡釣魚攻擊的目的是獲取您的賬戶和敏感信息的訪問權限。攻擊者可能模仿聲譽良好的網站來創建自己的網站，或向您發送似乎來自可靠來源的消息。網絡釣魚消息可能來自虛假賬戶或已被黑客攻擊的賬戶。

保護您的賬戶免受網絡釣魚攻擊

網絡釣魚一詞指涉及虛假網站和電子郵件或其他消息的身份盜竊詐騙。網絡釣魚攻擊的目的是獲取您的賬戶和敏感信息的訪問權限。攻擊者可能模仿聲譽良好的網站來創建自己的網站，或向您發送似乎來自可靠來源的消息。網絡釣魚消息可能來自虛假賬戶或已被黑客攻擊的賬戶。

備注：如果您認為自己通過可疑渠道共享了個人信息，并且您的信息和身份面臨風險，請遵循政府指南執行操作。

網絡可能會要求您完成以下任務：

訪問鏈接。
下載文件。
打開附件。

惡意軟件 — 蠕蟲、木馬程序、僵尸程序和病毒等惡意軟件 — 會在您執行任何以上操作時感染您的計算機或移動設備。感染設備后，入侵者便可以訪問您的個人信息。

網絡釣魚詐騙可能還包括直接請求個人信息（如銀行賬戶憑據）。

網絡釣魚詐騙可能會要求您提供以下個人信息：

通過電子郵件或其他消息傳送系統。
通過表格。
欺詐性的電話號碼。
通過偽造的真實地址。

即使要求您輸入電子郵件地址和重置密碼也可能是危險的。

備注：將您收到的任何網絡釣魚郵件轉發至的安全收件箱，地址為 safety@shopify.com。通過建立商家所受攻擊的記錄，Shopify 可以更好地保護您和您的信息。

認識警告標志

您可以通過了解警告標志來防范網絡釣魚。無論顯示的發件人是誰，都要仔細閱讀郵件；無論網站看起來多么熟悉，都要仔細檢查。

過于籠統的語言

雖然網絡釣魚可能經過深入研究并針對您和您的企業進行定制，但籠統的語言是網絡釣魚詐騙的標志。如果郵件看似來自您信任的組織但是以模糊的語句開頭，比如尊敬的賬戶持有者，請保持警惕。

同樣，假如某封郵件向您承諾有千載難逢的商業或財政機會，但卻未提供足夠的詳細信息讓您能夠確認發送者認識您，那么這也可能是詐騙：

我是 Frederick，一名銀行家。請盡快就可能已故親屬的遺產與我聯系。我無法通過短信分享太多信息。請通過以下地址給我發送電子郵件。

個人賬戶中的商業信息

豐富的攻擊者可以通過您的在線業務收集充足的信息，從而創建看似來自真實聯系人的郵件：

批發價格更新

您好，Georgia，我想向您提供最新資訊。這是我們當前批發價格的電子表格：fabric-prices-2016-oct.xls

希望您對上一批襯衫滿意!如果您有任何問題或疑慮，請與我們聯系。

Julia Chan

客戶經理

示例形式

為發送攻擊，他們會侵入您的聯系人的企業賬戶或創建虛假的個人賬戶。例如，如果您的聯系人 Julia 的個人電子郵件用戶名為 juliachan3857，攻擊者可能會使用用戶名為 juliachan9665 的賬戶發送電子郵件。這種攻擊形式依賴于兩方面的因素：

人們會不小心用錯誤的賬戶發送電子郵件。
即使您知道 Julia 的個人電子郵件地址，但您也許不會仔細查看。

拼寫錯誤、語法錯誤、樣式多變

犯罪分子并不像專業的網絡內容撰稿人那樣認真對待內容風格指南。除了拼寫錯誤和語法錯誤，在一個頁面中出現以下類別的變化形式也可能表明是欺詐網站：

拼寫。
大寫。
編號。
標點。
格式。

危言聳聽或過于激動的語氣

當心時間緊急的請求，這些請求企圖通過威嚇使您不假思索地采取行動。例如，Shopify 不會向您發送包含以下內容的消息：

我們遇到了異常嚴重的服務器故障。在 24 小時內回復您的用戶名和密碼，否則您將永久無法訪問您的商店。

同樣，注意那些看起來好得令人難以置信的優惠信息，例如只有您立即參加才能獲得旅游公司 90% 的折扣。

看起來不正確的 URL

網絡釣魚嘗試可能包含看起來合法的 URL，不仔細查看將無法發現。許多網絡釣魚嘗試使用故意選擇的 URL，它們類似于您熟悉的 URL。如下表所示，如果您通常通過合法 URL 從 Example Apparel 購買游泳衣，并且您收到一封帶有虛假 URL 鏈接的電子郵件，您便可分辨出這是一次網絡釣魚嘗試。

真實的 URL 會將您引導至屬于 Example Apparel 的域名 example-apparel.com 中的網站，而虛假 URL 會將您引導至可能為犯罪分子所有的域名 com-aquatic.net 中的惡意網站。

使用其他溝通方式提出疑慮

親自對話或通過電話與可能發送可疑信息的人交談，并通過與組織中的某人交談來解決對網頁的擔憂。

如果您通過電話聯系發件人，請撥打已存檔的號碼或出現在多個信譽良好的在線來源上的號碼。例如，如果您通過電子郵件收到來自稅務代理機構的可疑信息請求，請撥打去年納稅申報表上的電話號碼。請勿撥打可疑網站或電子郵件中顯示的號碼。

The term phishing describes identity theft scams involving phony websites and emails or other messages. The goal of a phishing attack is to gain access to your account and sensitive information. An attacker can create their own website that mimics a reputable one or send you a message that seems to come from a trusted source. Phishing messages can come from a fake account or an account that has been hacked.
mises an important business or financial opportunity but doesn't include enough detail for you to confirm that the sender knows you, then it might be a scam:
I am Frederick, a banker. Pls contact me asap regarding a possible late relative's inheritance. Can't share much via sms. Email me at the address below.
Business messages from personal accounts
Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact:
Wholesale Pricing Update
Hi Georgia, I just wanted to update you. Here is a spreadsheet of our current wholesale prices: fabric-prices-2016-oct.xls
I hope you were satisfied with the last batch of shirts! Please let me know if you have any questions or concerns.
--
Julia Chan
Account Manager
Example Fabrics
To send an attack, they can hack into your contact's business account or create a phony personal account. For example, if the username for your contact Julia's personal email is juliachan3857, then an attacker might send an email from an account with the username juliachan9665. This form of attack depends on two tors:
People send emails from the wrong account by mistake.
Even if you know Julia's personal email address, then you might not look too closely.
Misspellings, poor grammar, and style variations
Criminals don't take content style guides as seriously as professional web content writers. As well as typos and grammar errors, variations in the following categories within a single page can show that a website is fraudulent:
spelling.
capitalization.
numbers.
punctuation.
formatting.
Alarmist or overexcited tone
Watch for time-sensitive requests that try to scare you into acting without thinking. For example, Shopify won't send you a message saying:
We've had a catastrophic server failure. Respond with your username and password in the next 24 hours or you'll lose access to your store permanently.
Similarly, watch for messages making offers that seem too good to be true, such as a 90% discount from a travel company available only if you act now.
URLs that don’t look right
Phishing attempts can include URLs that appear legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. As shown in the table below, if you normally buy swimming attire from Example Apparel at the legitimate URL and you receive an email with a link to the fake URL, then you can tell that it's a phishing attempt.
The real URL directs you to a site at the domain example-apparel.com, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain com-aquatic.net, which is likely owned by criminals.
Raise concerns using another mode of communication
Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.
If you contact the sender by phone, then use a number you have on file or that appears on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that appears on a suspicious website or email.