Phishing Scams 101
Phishing = Fishing for Information
- Phishing is a form of Social Engineering.
- Phishing is also known as spoofing, or hoaxing.
- Phishers use direct messaging, email, or popups.
- Phishers may claim to be, but aren't really, from a business or organization that you might deal with (such as ISPs, banks, online payment services and government agencies).
- Phishers may also claim to be from an organization that you have never had an association with.
- Phishing is a numbers game; these mass spammers hope to connect with a percentage of recipients.
- Spear phishing is a more direct, targeted form of phishing. It may claim to be from the well-respected head of your company's or university's I.T. or H.R. department and sound very convincing. Don't bite.
- Phishers may ask you to update, validate, or confirm your account information. They usually say it is urgent, with dire consequences if you ignore it.
- Phishers might try to send you to a website that looks just like a legitimate organization's site, but isn't.
Internet Phishing - The Catch
Victims are lured to fake but legitimate-looking websites, under the pretense of updating their personal or account information. The goal of this is twofold:
- To try to get the victim to disclose sensitive personal information such as:
  - passwords (see Secure Your Passwords and Passwords in Email)
  - bank account information
  - credit card numbers
  - personal vital information
- To download a virus, which can, without your knowledge:
  - steal personal and other information that is stored on your computer
  - install key loggers and other spyware, to monitor you
  - destroy your data
  - disable your computer
  - use your computer to send massive amounts of spam email
These may be identity theft attacks. Identity thieves can rack up bills and commit crimes -- in your name. The resulting damages of identity fraud can be financially devastating and your privacy could be seriously compromised. The best defense from identity theft fraud is to recognize phishing attacks (online and off), do not respond, and report them.
Online Phishing - The Bait
Phishers use emails, instant messages, or popups that look like they are from an official, trusted source but really contain links to malicious sites.
Spot the Phisher and Do Not Bite
Be skeptical, be suspicious, and if you are not sure, always contact the company being impersonated directly and immediately!
If you get an email claiming to be from a reputable business but asking for private information:
- Do not reply to the email.
- Do not submit personal information.
- Do not click on any links contained in the email. Check the links without clicking.
- Help law enforcement catch the phisher.
- Delete the email.
- Before submitting information on any website, always verify the security certificate.
Recognize And Prevent Phishing In Email
Greeting
The greeting line of a phishing email is typically generic, such as "Dear (Company) Member". Legitimate emails are usually personalized, such as "Dear Isaac Newton". If you have done business with the real company, they know your name. But beware, a phisher may have found your real name by some other means.
The Sender's Email Address
The sender's email address is not a good indicator of the origin of an email. Phishers typically (and easily) forge this field.
Tone
Phishers ask you to update, validate, or confirm your information, often with a false sense of urgency and dire consequences if you ignore it.
- "We are updating our accounts and need information fast."
- "An unauthorized transaction has recently occurred on your account."
- "You may lose your account if you don't update your information."
- "Please click here to verify your information."
Legitimate companies will usually ask you to call them at a verifiable phone number, or ask you to log in to their website independently of the email.
Links and URLs -- Always check before you click.
Phishers use deception to try to give the appearance of legitimacy. Look carefully at the link. Forms of trickery include:
- "@" in the URL (link), probably near the end
Everything between "http://" and the @ symbol is treated by your browser as a user name, not as the web address; the real web address is whatever follows the @, which may be hidden at the end of a very long URL.
http://www.company.com:crafty... ...long... ...string@www.scammer.com
You see the company.com part. This URL really goes to www.scammer.com, which you can't see because the URL string is so long that it runs off the edge of the display. Check the URLs without clicking.
- letter-number substitutions, such as the letter O replaced by the number 0, or the letter l replaced by the number 1.
- company name compounded with some other word, such as http://companytrustme.com. Just because it has the company name in it does not mean it is from that company.
Legitimate companies use secure domain names (such as https://www.company.com) whenever sensitive information must be transferred. Never log into a company's site through a link in an email unless you are expecting a verification notice and you are sure it is from that company. Before submitting any information on a website, always verify the security certificate first.
Clicking on a fraudulent link can net the Phisher his catch, and you and your computer are the phish.
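The three tricks just described (the "@" in the URL, letter-number substitutions, and the company name compounded with another word) can all be checked mechanically before anyone clicks. The Python script below is an added example, not code from the original page; it uses only the standard library. The brand domain, the sample links, and the simplifying rule that a registrable domain is the last two labels of the host name (so suffixes such as co.uk are not handled) are assumptions made for illustration.

```python
"""Inspect where a link really goes before it is clicked.

Added example (not part of the original page). Standard library only.
The brand domain and the sample URLs are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Digits that are swapped in for look-alike letters (letter O / number 0,
# letter l / number 1, and the similar pairs 3/E and 5/S).
LOOKALIKE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def real_host(url: str) -> str:
    """Return the host the browser would actually connect to.

    Anything before '@' in the authority part is user-info, not the host,
    so 'http://www.company.com:x@www.scammer.com' resolves to www.scammer.com.
    """
    return (urlsplit(url).hostname or "").lower()


def inspect_url(url: str, brand_domain: str) -> list[str]:
    """Return a list of warnings; an empty list means no trick was spotted.

    brand_domain is the domain the message claims to come from, e.g.
    'company.com'. Assumption: the registrable domain is the last two
    labels of the host, which is wrong for multi-part suffixes like co.uk.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand_domain = brand_domain.lower()
    brand_name = brand_domain.split(".")[0]
    warnings: list[str] = []

    if parts.scheme != "https":
        warnings.append(f"not https (scheme is '{parts.scheme or 'none'}')")

    if parts.username is not None:
        # The '@' trick: the visible company name is only a user name.
        warnings.append(f"'@' in URL: text before it is ignored, real host is {host}")

    if not host:
        warnings.append("no host could be extracted")
        return warnings

    registrable = ".".join(host.split(".")[-2:])
    if registrable == brand_domain:
        return warnings  # genuinely under the brand's domain (subdomains allowed)

    warnings.append(f"host {host} is not under {brand_domain}")
    name_part = registrable.split(".")[0]
    if name_part != brand_name and name_part.translate(LOOKALIKE_DIGITS) == brand_name:
        warnings.append(f"letter/number substitution: {name_part} imitates {brand_name}")
    elif brand_name in name_part:
        warnings.append(f"brand name embedded in an unrelated domain: {registrable}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, one per trick described on the page.
    for link in (
        "http://www.company.com:craftylongstring@www.scammer.com",
        "https://c0mpany.com/login",
        "http://companytrustme.com/verify",
        "https://www.company.com/account",
    ):
        print(link, "->", real_host(link), inspect_url(link, "company.com") or "looks fine")
```

The check is deliberately conservative: a link that passes it is only "not obviously tricked", which is why the page still tells you to verify the certificate and contact the company directly when in doubt.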
Emails that Look Like Websites
Phishing emails may look like websites and try to get you to enter your personal information. Legitimate companies will never ask you to enter personal information in an email.
Style of Writing
Phishers often use poor spelling, bad grammar, missing words and logic gaps, in an attempt to get around spam filters. Legitimate businesses use proper business communication, and while they may not be perfect, the writing is generally far superior to that found in phishing emails.
Connection Security
When you enter information in a web session, make sure "https://" (a secure connection) begins the URL. Be sure to verify the security certificate. This is not foolproof. Some phishers have forged security icons.
Pop-up Boxes
Legitimate companies do not (or should not) use popups in email, as popups may not be secure.
Attachments
Attachments in phishing emails are very dangerous; they may be virus- or spyware-laden. Do not open these and delete them immediately after reporting the scam.
Above all, if you are not sure, always contact the company directly!
How to Verify a Security Certificate
Look for the lock icon on the lower frame of your browser; on a secure site it should appear locked. If you click on this, you can verify the security certificate. In general, browsers recognize only trustworthy Certificate Authorities, but be aware that untrustworthy Certificate Authorities can be added manually by anyone who has access to your computer.
Check the URL of a Link Without Clicking On It
You can check the URL of a link without clicking:
- run your mouse over the link (don't click) and look at the URL that is displayed on the bottom bar of your browser. (If it is too long, you won't see it all.)
- and / or view the raw HTML source; from the browser's main menu, select "View" and then "Page Source". (Different browsers may use slightly different wording.)
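Viewing the raw HTML source is useful because the text you see in a link and the address it actually points to can differ, which is exactly how an email that looks like a website (see "Emails that Look Like Websites" above) steers you to the wrong place. The script below is an added example, not code from the original page; it uses only the standard library to pull every link out of an HTML message and flag those whose visible text names one host while the real href goes to another. The sample message is constructed for illustration.

```python
"""Pair each link's visible text with where it really goes.

Added example (not from the original page). Standard library only.
SAMPLE_EMAIL is a constructed message; the hosts in it are illustrative.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that looks like a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)

SAMPLE_EMAIL = """
<p>Dear Company Member,</p>
<p>Please <a href="http://www.scammer.com/verify">click here</a> or visit
<a href="http://www.scammer.com/verify">https://www.company.com/account</a>
to confirm your details.</p>
<p>Questions? See <a href="https://www.company.com/help">www.company.com/help</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None   # href of the <a> currently open
        self._text: list[str] = []      # text fragments inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    """Host the browser would connect to ('' if the string has none)."""
    return (urlsplit(url).hostname or "").lower()


def deceptive_links(html: str) -> list[tuple[str, str, str]]:
    """Return (visible text, real href, reason) for links whose text misleads.

    A link is flagged when its visible text is itself a URL or domain name
    and that name differs from the host of the actual href.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    suspicious = []
    for text, href in parser.links:
        if not DOMAIN_LIKE.fullmatch(text):
            continue  # plain words such as "click here" cannot contradict the href
        shown_host = host_of(text if "://" in text else "http://" + text)
        real = host_of(href)
        if shown_host != real:
            suspicious.append((text, href, f"text shows {shown_host} but link goes to {real}"))
    return suspicious


if __name__ == "__main__":
    for text, href, reason in deceptive_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {reason}")
```

A link whose text is "click here" is not flagged by this check, because its text makes no claim about the destination; for those, the mouse-over and the checks on the URL itself are what you rely on.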
Report Phishing And Help Catch the Phisher
Forward the entire email, with full headers turned on (for tracking), to the legitimate organization being impersonated in the message. Most organizations have information on their websites about where to report problems. Access the company through a web address that you know to be genuine, not from a link in the email. Do not click on the email thinking you are going to get to the legitimate site.
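The full headers matter because, as noted under "The Sender's Email Address", the From line is easily forged, while the Received line added by the recipient's own mail server records which host actually handed the message over. The script below is an added example, not code from the original page; it parses a raw message with the standard library and compares the domains in From, Reply-To and Return-Path with the host named in that topmost Received line. The sample message and all hosts and addresses in it are constructed; the two-label rule for a domain is a simplification.

```python
"""Compare what an email's headers say against what its From line claims.

Added example (not from the original page). Standard library only.
SAMPLE_MESSAGE is constructed; every address and host in it is illustrative.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <bounce@scammer.example>
Received: from relay.scammer.example (relay.scammer.example [198.51.100.5])
        by mx.recipient.example with ESMTP id abc123;
        Mon, 01 Jan 2024 10:00:00 +0000
From: "Company Support" <support@company.example>
Reply-To: verify@scammer.example
To: isaac@recipient.example
Subject: Urgent: confirm your account

Dear Company Member, please confirm your account details.
"""


def domain_of(address: str) -> str:
    """Domain part of an email address ('' if there is none)."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Last two labels of a host (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def header_report(raw_message: str) -> dict:
    """Summarise the sender-related headers and list the inconsistencies."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_to_domain = domain_of(msg.get("Reply-To", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    # The topmost Received header was written by the recipient's own server
    # and names the host that actually delivered the message to it.
    received = msg.get_all("Received") or []
    match = re.search(r"from\s+([\w.-]+)", received[0]) if received else None
    first_hop = match.group(1).lower() if match else ""

    warnings: list[str] = []
    if reply_to_domain and registrable(reply_to_domain) != registrable(from_domain):
        warnings.append(f"replies go to {reply_to_domain}, not {from_domain}")
    if return_path_domain and registrable(return_path_domain) != registrable(from_domain):
        warnings.append(f"bounces go to {return_path_domain}, not {from_domain}")
    if first_hop and registrable(first_hop) != registrable(from_domain):
        warnings.append(f"delivered by {first_hop}, which is not under {from_domain}")
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "return_path_domain": return_path_domain,
        "first_hop_host": first_hop,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in header_report(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Headers that agree with the From line do not prove a message is genuine (legitimate mail is often sent through third-party providers, and the whole header block below the topmost Received line can be written by the sender), but headers that disagree are a strong reason to treat the message as phishing and report it.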
You may also report phishing scams to local law enforcement authorities, or to the websites listed below.
In Canada:
In the United States:
- Internet Crime Complaint Center (a joint project of the FBI and the National White Collar Crime Center)
- Identity Theft Website of the Federal Trade Commission
It is an unfortunate fact that many of these scams originate from parts of the world where cooperation in enforcement is difficult -- if not impossible -- to obtain.
Phishing References
These sites provide additional information about phishing, how to recognize it and what to do about it.
EBay -- Spoof Email Tutorial
PayPal Security Center
How Not to Get Hooked by a 'Phishing' Scam
Phishing: A new form of identity theft