As people wise up to Phishing, evil-doers are switching to "Pharming" to separate the unwary from their purses. Phishing is used to fool the user. Pharming tricks your computer or your Internet connection to route you to fake websites. There you are relieved of your identity and password.
"Phishing" is the number one way that people are scammed online. The bait is usually a spam email message, often clever enough to fool experts. The message appears to come from a legitimate place -- most often a financial agency. The objective of Phishing expeditions is to get access to your account, or worse yet, steal your identity. Phishing pays because a few phish are always biting.
The message often incorporates graphics from the real financial agency. Sprint, America Online, eBay, Yahoo!, Citibank, American Express, and many other organizations have been targets. It usually has links that lead to a counterfeit version of the agency's website. This two step approach fools people who know it's not smart to reply to email that asks for personal details. When you log in, the scammer collects what you entered.
An example is a message that says you need to "update" or "validate" your account information. It usually includes a warning that something drastic will happen if you don't respond immediately. Other messages offer something that's too good to be true. Telephone calls are also used as the bait in this kind of scam.
Although no magic bullet may exist now (or ever) to safeguard us all, there is one simple way to protect yourself from the majority of phishing attempts: Never click a link in an e-mail or on a third-party site to go to any of your financial accounts. If, instead, you always use your own bookmark or type in the address, even when you're 100 percent certain that the e-mail is legitimate, you should be safe.
Don't rely on the anti-phishing tools listed here to protect you. They can serve as a safety-net, but make sure your trapeze skills are well practiced too. :-)
Netcraft launched an anti-phishing system at the start of 2005: You become part of a giant neighborhood watch system when you install their toolbar. The most experienced members of the community report phishing sites and effectively block them for the rest of the community.
Google Safe Browsing alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. It's now an integral part of the Google Toolbar.
PayPal has a nice 3-part Anti-Phishing Guide that applies to most other phishing situations that you might run into.
Internet Explorer 7 (IE7) and Firefox 2.0 incorporate somewhat effective anti-phishing filters that can serve as a useful alarm. I would not rely on them though. In fact I turn them off. :-)
In one of the latest eBay scams, when you click a link in the email, it opens a real eBay page, with a fraudulent form on top of it. The form sends your personal information right to the phisher.
Another new email scam installs a Trojan horse known as "Sepuc". The e-mail has no visible text in the body of the message. The message attempts to install a small amount of malicious code when the victim opens it. The code downloads and installs the Trojan horse, which trawls for personal details to send to the scammer. Victims have no idea that they're being spied on.
Phishing now commandeers search engines like Yahoo!, Google and MSN. It's really quite simple. Just put a malicious webpage online that contains words commonly searched for, and people will click on your site. When they do, install a key logger on their computer and it will steal passwords, account numbers and anything else they enter on their keyboard.
A sensible business will never send a message asking for personal details. Never follow links in an email message that directs you to take some action -- even if the message looks perfectly legitimate.
Use your browser to go to the organization's Web site directly if you just must check out an urgent sounding request or warning. If there's no information at the website about the alleged problem, contact the organization by phone if you're still concerned.
The Anti-Phishing Working Group has good advice on how to keep from getting hooked. The National Consumers League also has a good guide.
Phishing 101: Straightforward advice from David Coursey at "e.Week.com".
The Federal Trade Commission has a good article -- "How Not to Get Hooked by a 'Phishing' Scam".
SecurityFocus has the details on an elaborate phishing scam with Citibank as the target.
Take the MailFrontier Phishing IQ Test.