Phishing scams asking for a password reset due to the recent "heartbleed" vulnerability.
The recent heartbleed vulnerability has attracted a large amount of mass media coverage.
Scammers, using this as an opportunity to undertake phishing scams, are sending fake ‘password reset’ emails to lure you into installing malware or revealing your password.
You should expect to receive legitimate notification emails about ‘heartbleed’; however, you should also be cautious about responding to, or clicking links in, any such email.
More information about how to change your password is provided below.
BRIEF OVERVIEW ON HEARTBLEED (for more info see previous post)
The heartbleed vulnerability essentially causes online servers to ‘leak’ information, and many websites have been affected. Investigations are continuing to examine what other services and technologies are also affected, and what might be required to address them.
With the issue still unfolding, the advice you might find online about heartbleed can vary.
At present, administrators of sites and services known to be affected should be addressing this issue first, before notifying users to change their passwords.
Unfortunately, scammers are also using this as an opportunity to target users with phishing messages.
You should be cautious about how you respond to these emails asking for password resets.
Suggestion about when to change your password for heartbleed
It is important to understand that until the heartbleed flaw has been fixed, the website or service remains vulnerable. Changing your password in the meantime can help to an extent, but only for passwords that may have been leaked up to that point. Information can still be leaked after you’ve changed your password, until the flaw is fixed.
Once the issue is fixed, you should change your password.
Affected websites and services can be expected to contact their users only after they have updated their systems.
However, there is no guarantee that they will, and there is no requirement for them to do so.
If you are concerned, try contacting the website or service for an update on how they are affected, if that is possible.
Some points to consider when you change your password
Over the coming days it is likely that you will receive a number of emails advising you to change your password.
When you receive a notification message, the safest way to change your password is to visit the website independently of any links that may be contained in the email:
Browse to the website by entering the address into your web browser. Do not click links in the email.
Find the option on the website for changing your password. This is often in ‘security settings’ or ‘account settings’.
Change your password.
If you are using the same password on other sites, you should change those as well. We recommend using a unique password for each site to ensure a stolen password from one site does not work on other sites as well.
Suggestion for spotting phishing emails
Phishing emails can be hard to differentiate from legitimate requests. It is often easy for a scammer to copy text and images from a legitimate email, making the scam look exactly like real emails.
Phishing emails often contain incorrect spelling, poor grammar and sentence construction, and low-quality images; however, these features should not be relied upon, as the quality of some phishing emails can be very high.
To spot a phishing email, you need to check that the links in the email actually send you to the correct website. This can be difficult, as these addresses can be complex. As described above, it is safer to browse to the website directly rather than clicking a link in an email.
Sometimes, by looking at the sending address, you may also find discrepancies, e.g. an address not associated with the company it purports to come from.
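The two checks just described (does each link really go to the company's website, and does the sender's address belong to that company) can be automated for a mailbox or a mail gateway. The following is an added example, not code from the original post; the message it inspects is a constructed fake "heartbleed" reset email, and the expected domain "examplebank.com" is an assumed value.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "heartbleed" password-reset message (not a real email).
SAMPLE_EMAIL = """\
From: Security Team <security@examplebank-alerts.net>
Content-Type: text/html; charset=utf-8

<html><body><p>Due to the heartbleed bug, reset your password now:
<a href="http://examplebank.com.login-reset.net/reset">https://www.examplebank.com/reset</a></p>
<p>Help: <a href="https://www.examplebank.com/help">help centre</a></p></body></html>
"""
class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)

def check_email(raw, expected_domain):
    # Returns a list of reasons the message looks suspicious; empty means none found.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if not _belongs_to(sender, expected_domain):
        findings.append(f"sender domain {sender!r} is not {expected_domain!r}")
    parser = _LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not _belongs_to(host, expected_domain):
            findings.append(f"link goes to {host!r}, not {expected_domain!r}")
        shown = urlparse(text).hostname if "://" in text else None  # link text shown as a URL
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown!r} but points to {host!r}")
    return findings
```

On the sample, the sender domain, the look-alike link host and the mismatch between the displayed URL and the real target are each reported, while the genuine help link passes.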
The basic rule is safety first.