Protecting Yourself From Phishing
Posted on September 4, 2007 by Eric
Filed Under Security
This article is part of the Securing Your Money Online series.
Pay attention! There will be a quiz at the bottom of this article.
Phishing, as defined by Wikipedia:
In computing, phishing is a criminal activity using social engineering techniques.[1] Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging,[2] and often directs users to give details at a website, although phone contact has been used as well.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.

Typically, phishers try to get sensitive information like account numbers and passwords by sending emails that appear to be from a trusted source like Bank of America. Sometimes the emails have subtle (or even obvious) mistakes that can give you a clue that the email isn’t really from the trusted source, and other times they look convincingly real.
These emails will usually encourage you to visit the website to update some information. For instance, they might say that your account has been compromised and you need to click a link to contact them. That link will take you to a page that the criminals own and prompt you to give up account details or personal information they can use to steal your account or identity. After going through all the work to save your money, invest wisely, and plan for the future, you definitely don’t want to lose it to a phishing attack.
A few things to look for to determine whether an email is a phishing email:
- Does the URL point to the website you would expect (e.g. if it’s from Chase, does it point to chase.com, or something else?)
- If you look at the contents of the URL, does the start of the URL appear odd? (Are there characters like :, % or @ near the beginning? Learn how to recognize URL obfuscation.)
- Does the email contain misspellings or grammatical errors?
- Are you sure you even have an account with the bank or institution that sent the email? (I get these for places like SunTrust bank where I’ve never had an account)
Most folks are savvy enough to understand that when an email arrives in their inbox claiming to be from Paypal, or maybe eBay, and it’s filled with misspellings and strangely worded sentences, it’s probably not legitimate. I just read a story at the Frugal Law Student where a phisher attempted to trick him into entering his Paypal information so that they could steal his account information. It was easy to spot in his case, but the criminals are getting better with their emails, and some of them look downright legit. It takes more than a keen eye to spot some of the more advanced phishing that has been going on. Note: I wouldn’t recommend clicking on any links you get that look like they are from phishers, because these sites often also attempt to install malware or spyware.
According to the stats at Phishtank, there are over 10,000 verified phishing sites on the net right now.
Protecting Yourself Through Email
Email readers like Microsoft Outlook and Mozilla Thunderbird have phishing protection services that can sometimes identify phishing emails. These services usually look for a few key things:
- Is the link sent in the email from the same source as the sender of the email (e.g. www.paypal.com is the website, and the sender is user@paypal.com)
- Do the email headers show what appears to be a legitimate route for the email to follow (e.g. it’s from www.paypal.com and used Paypal’s email servers)
- Do the links in the email look suspicious? There are many things that phishers do to make their links look legitimate that can be spotted by knowing what to look for
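The checks in the two lists above (does the link point where you expect, are there odd characters like @ or % near the start of the URL, does the link's domain match the sender's domain) can be written down as simple heuristics. The following is an added example, not code from the original post or from any mail client; the `registered_domain` helper, the sample links and the sender address are constructed for illustration.

```python
"""Heuristics for the phishing-link checks described in the post."""
from urllib.parse import urlsplit, unquote


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels of the host.
    Assumption: good enough for .com-style hosts in this example; a real
    implementation would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, sender: str) -> list[str]:
    """Return the reasons a link looks suspicious (empty list = no flags).
    `sender` is the From: address, e.g. 'service@paypal.com'."""
    reasons = []
    parts = urlsplit(url)
    # 1. An '@' in the authority means everything before it is userinfo
    #    (user or user:password) that the browser ignores, so
    #    http://www.paypal.com@evil.example/ really goes to evil.example.
    if "@" in parts.netloc:
        reasons.append("userinfo '@' in authority hides the real host")
    # 2. A normal hostname never needs percent-encoding; encoded bytes in
    #    the authority are a classic way to disguise where the link goes.
    if "%" in parts.netloc:
        reasons.append("percent-encoded characters in host")
    host = parts.hostname or ""
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # 3. Bare IP address, or a host that is not under the sender's domain.
    if host.replace(".", "").isdigit():
        reasons.append("link host is a bare IP address")
    elif registered_domain(host) != registered_domain(sender_domain):
        reasons.append(f"link host {host!r} is not under {sender_domain!r}")
    # 4. The brand name appears somewhere in the URL (path, userinfo) but
    #    not in the host that will actually be contacted.
    brand = sender_domain.split(".")[0]
    if brand in unquote(url).lower() and brand not in host:
        reasons.append(f"{brand!r} appears in the URL but not in the host")
    return reasons


if __name__ == "__main__":
    # Constructed sample links; the sender address is also made up.
    sample_sender = "service@paypal.com"
    for link in ("https://www.paypal.com/cgi-bin/webscr",
                 "http://www.paypal.com@evil.example/",
                 "http://%77%77%77.paypal.com.evil.example/",
                 "http://192.0.2.10/paypal/login"):
        print(link, "->", check_link(link, sample_sender) or "looks consistent")
```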
The best advice I can give, and the advice I give my family and friends, is to avoid clicking on links in your email at all, even if they look legitimate. Unless you absolutely know the source to be legitimate, don’t click, and even then I still wouldn’t recommend clicking on the link directly from your email.
If your bank sends you an email and says that you need to update your profile or update information on your account, don’t click on the link they provide. Go directly to your bank via the URL for the bank (usually pretty easy to find in Google if you don’t know it for sure). If your bank truly needs that information to be updated, they should indicate it somehow when you log in by going to the site directly.
I would also recommend that you avoid calling the numbers that might be included in some phishing emails. The ease with which a phisher can set up a fake phone front-end that appears to be your bank when you dial in is reason enough to avoid calling. Go find your last statement, look at your credit card, call information, or Google for the phone number yourself. This new form of phishing is relatively uncommon (at least for now), but it’s definitely something to watch out for. It’s getting easier and easier for criminals to set up.
Protecting Yourself Through Your Browser
If you do happen to click on a link (didn’t you hear what I just said?!?!), your browser can help you determine if you’ve hit a phishing site. Internet Explorer 7 has some built-in phishing features, and Mozilla Firefox provides built-in protection as well as a myriad of extensions to help protect you from phishing. To test your Firefox built-in protection, you can visit this site at Mozilla.com (WARNING: this site will tell you that it is a phishing site. It’s not; it is for testing, and you will see that behind the warning. However, it might surprise you if you aren’t expecting it).
I personally recommend Mozilla Firefox. It’s what I use every day. You can get it here:
You can also download a toolbar from Netcraft that will help identify when you might be on a phishing site.
These tools can tell if you are on a phishing site by comparing the URL you are currently viewing against lists of known or suspected phishing sites (the test site mentioned above is deliberately listed as a phishing site or possible phishing site), or in some cases from the unusual parameters that might be in the URL itself.
Quizzes
There are several great quizzes put together to test your ability to spot when you are being phished. I highly recommend visiting these links and testing yourself. You may be surprised how hard it can be to spot a possible phishing attempt.
http://www.sonicwall.com/phishing/index.html
http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
http://www.mailfrontier.com/forms/msft_iq_test.html
http://www.onguardonline.gov/quiz/phishing_quiz.html WARNING - this one has sound.
Additional Resources:
http://en.wikipedia.org/wiki/Phishing
http://www.microsoft.com/protect/products/yourself/OUTLOOKSP2.mspx
http://www.fraud.org/tips/internet/phishing.htm
http://www.microsoft.com/protect/yourself/phishing/identify.mspx
http://office.microsoft.com/en-gb/outlook/HA011841931033.aspx
http://toolbar.netcraft.com/