
What is Phishing and why does it matter to me?

Wednesday, March 12th, 2008

What is phishing?

Phishing is not something you do on a boat with a rod and reel. Phishing (notice the ‘ph’ in the front of this word) is a practice that some deviants do to attempt to get sensitive information from you, all the while, disguising themselves as a company you may trust.

For example, I have a PayPal account. A phishing expert may send me an email saying “Your PayPal account is about to close” or something to that effect, worded so that you act on the email urgently. Inside the email, they may ask you to log in to your PayPal account and enter your credit card data or bank account information. If you don’t, your PayPal account will expire. In the email, they will provide a link to log in, and the design of the email will look exactly like PayPal’s. Is this email really coming from PayPal? No! The phishers are sending you to a phony website that looks and feels just like PayPal, so you will enter your credit card or bank information for them to steal!

How can you tell the difference between a phishing email and a legitimate email?

Each company has its own policies on phishing. For example, here at netMouser.com, we will NEVER ask you for account information, credit card numbers, or any other sensitive information in an email. If we have a question or need information from you, your sales representative will contact you personally. Since all of our clients are assigned a dedicated sales rep, they know who to trust. If for any reason they are unsure, I encourage them to call me personally.

In my example above, I used PayPal because I too have received numerous phishing emails from phishers who claim to be PayPal. I must say, I am very impressed with PayPal’s proactive stance on phishing and the resources they give to their members to ensure that they are not fooled by a phishing attempt. In fact, they have an extensive security section on their website that devotes resources to phishing and other security-related issues.

What to look for in a phishing email attempt.

In most phishing emails, the URL or link placed in the message is usually an IP address or a website address that is similar to the company you are familiar with, but not the exact web address. An example of an IP address link looks something like this PayPal phishing example I found on Wikipedia. Notice the yellow-highlighted IP address under “Click to verify your account.”

PayPal phishing example

What are all the methods of Phishing?

Wikipedia has a great listing on the methods used by phishers. Of course, you can probably expect this list to grow because as technology grows, so do the methods phishers use.

  • Link Manipulation - this is the example I gave above, where a phisher disguises an email or website link as an IP address or another website address that is not the real website of the company they are pretending to be.
  • Filter Evasion - a technique where phishers use images instead of text, making it harder for anti-phishing filters to detect the text commonly used in phishing emails.
  • Website Forgery - creating a website that looks and feels like the trusted company’s is just one factor. There are several other advanced scripting methods using JavaScript that replace the URL in the address bar, or even open your browser to a legitimate site and then, within a split second, close it and open a new phishing site. Read the Wikipedia article for more on website forgery.
  • Phone Phishing - yes, phishing can also be done over the telephone. Some phishers leave voice mail messages claiming to be a bank and asking the recipient to call an 800 number due to account-related issues. What some people don’t realize is that the toll-free number is really set up by a phisher, and callers are prompted to enter their account details so they can be defrauded.
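The IP-address and look-alike-address links described above (and under “What to look for”) can be checked mechanically. The following is an added example written for this post, not part of the original; the trusted-domain list and the sample email HTML are constructed for illustration, and the anchor regex is a simplification of what a real mail filter would do with a full HTML parser.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Domains the impersonated company really uses (constructed list for this example).
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed sample email, modelled on the "verify your account" lure described above.
SAMPLE_EMAIL = """<p>Your PayPal account is about to close.</p>
<a href="http://192.0.2.10/webscr/verify">Click to verify your account.</a>
<a href="https://paypal.com.account-check.example/login">https://www.paypal.com/login</a>
<a href="https://www.paypal.com/help">Help Center</a>"""

# Simple anchor matcher sufficient for plain HTML mail; a real filter would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host):
    """True when host is a trusted domain or a subdomain of one (e.g. www.paypal.com)."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def is_ip_literal(host):
    """True for a raw IPv4/IPv6 address used in place of a hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def suspicious_links(html):
    """Return {href: [reasons]} for every link that shows a link-manipulation sign."""
    findings = {}
    for href, raw_text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", raw_text).strip().lower()  # visible text only
        reasons = []
        if is_ip_literal(host):
            reasons.append("target is a raw IP address")
        elif not is_trusted(host):
            reasons.append("target host %s is not a trusted domain" % host)
        # Visible text names a trusted domain while the real target goes elsewhere.
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text)
        if shown and is_trusted(shown.group()) and not is_trusted(host):
            reasons.append("text shows %s but link goes to %s" % (shown.group(), host))
        if reasons:
            findings[href] = reasons
    return findings

if __name__ == "__main__":
    for link, why in suspicious_links(SAMPLE_EMAIL).items():
        print(link, "->", "; ".join(why))
```

Running it flags the IP-address link and the look-alike host whose visible text claims to be www.paypal.com, while the genuine Help Center link passes.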

How can I protect myself from a phishing attempt?

I, personally, have a few general rules about phishing and how to make sure I am not a victim.

If I receive an email from a company that is asking me to login to my account for any reason, I will do one or all of the following:

  • I will NEVER click the link in the email message.
    I will instead open up my web browser and type the website address directly into the address bar to go straight to the source. This lets me log in to my account on the company’s website on my own, without using a link from the phishing email. Then, once inside my account, I can look for any messages from the company.
  • I will call the company and ask if they sent me the email message.
    This is very important because if you are truly uncertain about the message, call the company! It never hurts, and it’s always better to be safe than sorry. In fact, if the company didn’t know there was a phishing email circulating to its customers, they will be glad to hear about it and will take action to ensure their other clients know not to trust the message.

If I receive a voice mail from a bank or other company stating there is a problem with my account, I will:

  • Go to my filing cabinet and look for a legitimate bank statement and call the number on my statement.
    Never call the number they leave on your voice mail. Always verify the number by looking at the company’s most current statement or invoice.
  • Read the back of my credit card.
    I will open my wallet, pull out the credit card that may be in question and turn the card over to find the toll-free number for that credit card account’s Customer Service line, and then I will call that number, not the number that was left on my machine.

Hopefully this blog post will help people identify the common techniques used and ensure that you are not a victim of phishing scams. Remember my philosophy of always being safer than sorry. If you ever have a question about a communication from a company, call them and ask. You will rest assured knowing that you were not a victim and may be helping thousands or millions of other customers avoid making the same mistakes.