As people wise up to Phishing, evil-doers are switching to "Pharming" to separate the unwary from their money. Phishing is used to fool the user. Pharming silently routes your browser to fake websites. There you are relieved of your account number, password or even your identity.
Phishing is one of the main ways that cyberthieves scam people online. The phish bait is usually a spam email message, often clever enough to fool some experts. The message appears to come from a legitimate place - many times a financial agency.
The objective of Phishing is to get enough personal details from the victims to access their accounts by hook or by crook. Worse yet, the scammers may be able to steal their identity. Phishing pays because there are always a few phish biting.
The message often incorporates graphics lifted from the real financial agency's webpages. Bank of America, Sprint, AOL, eBay, Yahoo!, Citibank, American Express, and many other organizations have been targets. The message may ask for information directly, or lead to a skilful counterfeit of the agency's website. This last approach fools people who know it's not smart to reply to email with personal details. When you log in to the fake site the scammer collects everything you entered.
An example is a message that says you need to "update" or "validate" your account information. It usually includes a warning that something drastic will happen if you don't respond immediately. Other messages offer something that's too good to be true. Telephone calls are also used as bait in this kind of scam.
PayPal has a nice 3-part Anti-Phishing Guide that applies to most other phishing situations that you might run into.
The Anti-Phishing Working Group has good advice on how to keep from getting hooked. The National Consumers League also has a good guide.
The Wikipedia page on phishing.
Much more on the Web :-)
Don't rely on the anti-phishing tools listed here to protect you. They can serve as a safety-net, but make sure your trapeze skills are sharp too. ;-)
The free WOT (Web of Trust) add-on for Firefox warns you before you interact with risky websites. It will help keep you safe from scams, identity theft, spyware, spam, viruses and unreliable shopping sites.
Google Safe Browsing alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. Unfortunately, it's now an integral part of the Google Toolbar.
Current versions of Internet Explorer 8, Firefox and Chrome incorporate anti-phishing filters that provide useful alarms. But don't rely on them completely. They often don't know about the most recent phishing expeditions yet.
In one of the latest eBay scams, when you click a link in the email, it opens a real eBay page, with a fraudulent form on top of it. The form sends your personal information right to the phisher.
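The tell in a scam like this is where the form's data goes, not how the page looks. As an added illustration (not part of the original page), this Python code checks an HTML email body for forms that submit outside a trusted domain and for links whose visible text names the trusted site but lead elsewhere; the domain names and the sample message are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormAndLinkAudit(HTMLParser):
    """Collect forms and look-alike links that leave the trusted domain."""
    def __init__(self, trusted_domain):
        super().__init__()
        self.trusted = trusted_domain.lower()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def _off_domain(self, url):
        host = (urlparse(url).hostname or "").lower()
        # Exact match or a true subdomain only, so a host that merely
        # starts with the trusted name does not pass. A missing or
        # relative URL has no host and is also treated as off-domain.
        return not (host == self.trusted or host.endswith("." + self.trusted))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self._off_domain(a.get("action") or ""):
            self.findings.append(("form", a.get("action") or ""))
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip().lower()
            # Text shows the trusted name, but the link goes somewhere else.
            if self.trusted in shown and self._off_domain(self._href):
                self.findings.append(("link", self._href))
            self._href = None

def audit(html, trusted_domain):
    parser = FormAndLinkAudit(trusted_domain)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message; all hosts use reserved example names/addresses.
SAMPLE = """<p>Your account will be suspended.
<a href="https://auction.example/help">Help</a></p>
<a href="http://auction.example.verify.test/signin">www.auction.example</a>
<form action="http://203.0.113.9/collect" method="post">
<input name="password"></form>"""

if __name__ == "__main__":
    print(audit(SAMPLE, "auction.example"))
```
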
Another new email scam installs a Trojan horse known as "Sepuc". The e-mail has no visible text in the body of the message. The message attempts to install a small amount of malicious code when the victim opens it. The code downloads and installs the Trojan horse, which trawls for personal details to send to the scammer. Victims have no idea that they're being spied on.
Phishing now invades search engines like Yahoo!, Google and MSN. It's really quite simple. The scammer puts a malicious webpage online that contains words commonly searched for. The page comes up in the search results, and people click through to the site. When they do, the page installs a key logger on their computer, which steals passwords, account numbers and anything else they enter on their keyboard.
Phishers are also buying ads on search results pages from search engines like Google and Bing. When you click the ad, you're taken to the same kind of malicious webpage described in the paragraph above.