1.14.2007

Phishing. No pole required.

Phishing is a crime perpetrated on unsuspecting computer users to gather private information. Phishing uses technical means such as e-mail, instant messaging (IM) or phone calls to request information such as passwords or login names. Phishing has been around for years, but is becoming more prevalent. Early phishing attempts were used to steal access to people's online accounts (e.g. web-based e-mail), which were then used to send spam or distribute copies of pirated software.

Modern phishing more often aims directly at financial gain, namely getting access to your bank, credit card or other financial accounts (e.g. PayPal, eBay).

Victims of phishing will receive a message from the attacker that asks for specific personal or private information. For example:

  • Mr. Smith, due to problems with your PayPal account, we need to validate your username and password.
  • Ms. Wilson, we are upgrading our servers and need all account holders to provide additional important account information, such as date of birth and address.

Some of these messages can look extremely realistic, with authentic-looking logos, etc. Many include dire threats, like the PayPal example to the right. The message will often provide a web-site address to visit where the victim can input their data. Close examination of that address (URL) will show that it is not the real web-site. For example:
www.usabank.login.com might fool some people into believing they were really going to a login site associated with www.usabank.com, but the host name actually ends in login.com, not usabank.com, so it belongs to whoever controls login.com.

Defenses

Your Brain: Your best defense against phishing is to be constantly on guard. Companies have no need to ask you for your username or password to revalidate your account. If anyone asks you to provide additional information about yourself or your account after you have originally set it up, immediately contact the company directly using one of the following methods:
  • Use your browser and type in the real URL for the company you are dealing with, then verify on their website whether they are changing their data gathering requirements (guaranteed: if they need more information from you, it will be listed on their homepage).
  • Find the phone number for the company (e.g. the number on the back of your credit card or on the company's true website) and give them a quick call.
Anti-phishing Technology: Other defenses include technologies built into modern browsers such as Firefox 2 and Internet Explorer 7. As part of its anti-phishing technology, Firefox uses a list of known phishing sites. When you attempt to visit such a site, Firefox will notify you that the site is bogus. Firefox has a test site set up to let you see how their system works: http://www.mozilla.com/firefox/its-a-trap.html

As soon as you visit the site, Firefox will produce a warning notice that allows you to leave the site immediately or to ignore the warning. See example below.
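The two checks described above (looking at which domain a link's host name really ends in, and comparing the host against a list of known phishing sites) can be written down as a small script. This is an added example, not code from the original post or from Firefox; the blocklist entries and the expected-domain parameter are constructed for the illustration.

```python
from urllib.parse import urlparse

# Constructed stand-in for a browser's list of known phishing hosts.
# These host names are invented for the example.
KNOWN_PHISHING_HOSTS = {
    "secure-paypal-update.example",
    "usabank-account-verify.example",
}


def url_host(url):
    """Return the lowercase host name of a URL, or None if it has none.

    urlparse().hostname keeps only the host: scheme, any port, path and
    query are dropped, so the comparison below looks at the host alone
    rather than searching the whole string for a familiar brand name.
    """
    if "://" not in url:
        url = "http://" + url  # bare "www.usabank.login.com" pasted from an e-mail
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def belongs_to(host, expected_domain):
    """True only if host is expected_domain itself or a subdomain of it.

    'www.usabank.login.com' ends in 'login.com', not 'usabank.com', so a
    naive search for the word 'usabank' is fooled while a label-wise
    suffix check is not.
    """
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain, blocklist=KNOWN_PHISHING_HOSTS):
    """Classify a link against the site the message claims to come from.

    Returns "blocked" (host is on the known-phishing list), "lookalike"
    (host is not under the expected domain) or "ok".
    """
    host = url_host(url)
    if host is None:
        return "lookalike"
    if host in blocklist:
        return "blocked"
    if not belongs_to(host, expected_domain):
        return "lookalike"
    return "ok"


if __name__ == "__main__":
    for link in ("https://www.usabank.com/login", "www.usabank.login.com",
                 "http://secure-paypal-update.example/verify"):
        print(link, "->", check_link(link, "usabank.com"))
```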

Anti-spam Filters: Additionally, anti-spam filters for your email will help to keep most spam-based phishing messages out of your inbox in the first place.

Good luck and safe surfing.

Chalmer
