Phishing Scams 101
Phishing = Fishing for Information
- Phishing is a form of Social Engineering.
- Phishing is also known as spoofing, or hoaxing.
- Phishers use direct messaging, email, or popups.
- Phishers may claim to be, but aren't really, from a business or organization that you might deal with (such as ISPs, banks, online payment services and government agencies).
- Phishers may also claim to be from an organization that you have never had an association with.
- Phishing is a numbers game; these mass spammers hope to connect with a percentage of recipients.
- Spear phishing is a more direct, targeted form of phishing. It may claim to be from the well respected head of your company or university I.T. or H.R. department and sound very convincing. Don't bite.
- Phishers may ask you to update, validate, or confirm your account information. They usually say it is urgent, with dire consequences if you ignore it.
- Phishers might try to send you to a website that looks just like a legitimate organization's site, but isn't.
The Bait
Spot the Phisher
Catch the Phisher
Internet Phishing - The Catch
Victims are lured to fake but legitimate-looking websites, under the pretense of updating their personal or account information. The goal of this is twofold:
- To try to get the victim to disclose sensitive personal
information such as:
- passwords (see Secure Your Passwords and Passwords in Email)
- bank account information
- credit card numbers
- personal vital information
- To download a virus, which can, without your knowledge:
- steal personal and other information that is stored on your computer
- install key loggers and other spyware, to monitor you
- destroy your data
- disable your computer
- use your computer to send massive amounts of spam email
These may be identity theft attacks. Identity thieves can rack up bills and commit crimes -- in your name. The resulting damages of identity fraud can be financially devastating and your privacy could be seriously compromised. The best defense from identity theft fraud is to recognize phishing attacks (online and off), do not respond, and report them.
Online Phishing - The Bait
Phishers use emails, instant messages, or popups, that look like they are from an official trusted source, but really contain linkages to malicious sites.
Spot the Phisher and Do Not Bite
Be skeptical, be suspicious, and if you are not sure, always contact the company being impersonated directly and immediately!
If you get an email claiming to be from a reputable business but asking for private information:
- Do not reply to the email.
- Do not submit personal information.
- Do not click on any links contained in the email. Check the links without clicking.
- Help law enforcement catch the phisher.
- Delete the email.
- Before submitting information on any website, always verify the security certificate.
Recognize And Prevent Phishing In Email
Greeting
The greeting line of a phishing email is typically generic, such as "Dear (Company) Member". Legitimate emails are usually personalized, such as "Dear Isaac Newton". If you have done business with the real company, they know your name. But beware, a phisher may have found your real name by some other means.
The Sender's Email Address
The sender's email address is not a good indicator of the origin of an email. Phishers typically (and easily) forge this field.
Tone
Phishers ask you to update, validate, or confirm your information, often with a false sense of urgency and dire consequences if you ignore it.
- "We are updating our accounts and need information fast."
- "An unauthorized transaction has recently occurred on your account."
- "You may lose your account if you don't update your information."
- "Please click here to verify your information."
Legitimate companies will usually ask you to call them at a verifiable phone number or ask you to login to their website independently of the email.
Links and URL's -- Always check before you click.
Phishers use deception to try to give the appearance of legitimacy. Look carefully at the link. Forms of trickery include:
- "@" in the URL (link), probably near the end
Your browser might ignore all characters preceding the @ symbol in determining the actual web address; the real web address follows the @, which may be hidden at the end of a very long URL.
http://www.company.com:crafty... ...long... ...string@www.scammer.com
You see the company.com part. This URL really goes to www.scammer.com, which you can't see because the URL string is so long it goes out of the display. Check the URLs without clicking.
- letter-number substitutions, such as letter O, number 0 or letter l, number 1.
- company name compounded with some other word, such as http://companytrustme.com. Just because it has the company name in it does not mean it is from that company.
Legitimate companies use secure domain names (such as https://www.company.com) whenever sensitive information must be transfered. Never log into a company through a link in an email unless you are expecting a verification notice and you are sure it is from that company. Before submitting any information on a website, always verify the security certificate first.
Clicking on a fraudulent link can net the Phisher his catch, and you and your computer are the phish.
Emails that Look Like Websites
Phishing emails may look like websites and try to get you to enter your personal information. Legitimate companies will never ask you to enter personal information in an email.
Style of Writing
Phishers often use poor spelling, bad grammar, missing words and logic gaps, in an attempt to get around spam filters. Legitimate businesses use proper business communication, and while they may not be perfect, the writing is generally far superior to that found in phishing emails.
Connection Security
When you enter information in a web session, make sure "https://" (a secure connection) begins the URL. Be sure to verify the security certificate. This is not foolproof. Some phishers have forged security icons.
Pop-up Boxes
Legitimate companies do not (or should not) use popups in email, as popups may not be secure
Attachments
Attachments in phishing emails are very dangerous; they may be virus- or spyware-laden. Do not open these and delete them immediately after reporting the scam.
Above all, if you are not sure, always contact the company directly!
How to Verify a Security Certificate
Look for the lock icon on the lower frame of your browser; on a secure site it should appear locked. If you click on this, you can verify the security certificate. In general, browsers recognize only trustworthy Certificate Authorities, but be aware that untrustworthy Certificate Authorities can be added manually by anyone who has access to your computer.
Check the URL of a Link Without Clicking On It
You can check the URL of a link, without clicking:
- run your mouse over the link (don't click) and look at the URL
that is displayed on the bottom bar of your browser. (If it is too
long, you won't see it all.)
and / or - view the raw html source; from the browser's main menu, select "View" and then "Page Source". (Different browsers may use slightly different wording.)
Report Phishing And Help Catch the Phisher
Forward the entire email, with full headers turned on (for tracking), to the legitimate organization being impersonated in the message. Most organizations have information on their websites about where to report problems. Access the company through a web address that you know to be genuine, not from a link in the email. Do not click on the email thinking you are going to get to the legitimate site.
You may also report phishing scams to local law enforcement authorities or as directed in the following websites.
In Canada:
In the United States:
- Internet Crime Complaint Center (a joint project of the FBI and National White Collar Crime Centre)
- Identity Theft Website of the Federal Trade Commission
It is an unfortunate fact that many of these scams originate from parts of the world where cooperation in enforcement is difficult -- if not impossible -- to obtain.
 |
Secrets and Lies: Digital Security in a
Networked World |
  |
 |
Beyond Fear: Thinking Sensibly about
Security in an Uncertain World |
 |
 |
The Art of Intrusion: The Real Stories
Behind the Exploits of Hackers, Intruders and
Deceivers |
|
 |
The Art of Deception: Controlling the
Human Element of Security |
 |
 |
Takedown: The Pursuit and Capture of
Kevin Mitnick, America's Most Wanted Computer Outlaw-By the Man Who
Did It |
 |
Phishing References
These sites provide additional information about phishing, how to recognize it and what to do about it.
EBay -- Spoof Email TutorialPayPal Security Center
How Not to Get Hooked by a 'Phishing' Scam
Phishing: A new form of identity theft
Link To This Page
Knowledge is power. The Bitmill Inc. encourages links to our site. To link to this page, please cut and paste the following HTML code into your web page source file.
<a href="http://www.thebitmill.com/articles/phishing.html">Protect Yourself From Phishing 101</a>
Your link will look like this:
Protect Yourself From Phishing 101
Thank you for your interest and support.
