The Bitmill® Inc.


Phishing Scams 101

Phishing = Fishing for Information

The Phisher's Catch
The Bait
Spot the Phisher
Catch the Phisher

Internet Phishing - The Catch

Victims are lured to fake but legitimate-looking websites under the pretense of updating their personal or account information. The goal is twofold:

  1. To get the victim to disclose sensitive personal information such as:
  2. To get the victim to download malware (a virus, trojan or spyware), which can, without your knowledge:
    • steal personal and other information stored on your computer
    • install key loggers and other spyware to monitor you
    • destroy your data
    • disable your computer
    • use your computer to send massive amounts of spam email

These are often identity theft attacks. Identity thieves can rack up bills and commit crimes in your name. The resulting damage from identity fraud can be financially devastating, and your privacy can be seriously compromised. The best defense against identity theft is to recognize phishing attempts (online and off), not respond to them, and report them.

Online Phishing - The Bait

Phishers use emails, instant messages or popups that look like they come from an official, trusted source but actually contain links to malicious sites.

Spot the Phisher and Do Not Bite

Be skeptical, be suspicious, and if you are not sure, always contact the company being impersonated directly and immediately!

If you get an email claiming to be from a reputable business but asking for private information:

Recognize And Prevent Phishing In Email

Greeting

The greeting line of a phishing email is typically generic, such as "Dear (Company) Member". Legitimate emails are usually personalized, such as "Dear Isaac Newton": if you have done business with the real company, they know your name. But beware, a phisher may have found your real name by some other means, for example from a data breach or a public profile, so a personalized greeting proves nothing on its own.

The Sender's Email Address

The sender's email address is not a reliable indicator of where an email came from. The From line is written by the sender and is trivially forged; phishers do this routinely. Only the headers added by the mail servers that handled the message (the Received lines, visible when full headers are shown) record where it actually came from, and even those can be forged below the hop recorded by your own provider.

Tone

Phishers ask you to update, validate, or confirm your information, often with a false sense of urgency and dire consequences if you ignore it.

Legitimate companies will usually ask you to call them at a phone number you can verify independently, or to log in to their website on your own rather than through a link in the email.

Links and URLs -- Always check before you click.

Phishers use deception to try to give the appearance of legitimacy. Look carefully at the link. Forms of trickery include:

Legitimate companies use HTTPS (such as https://www.company.com) whenever sensitive information must be transferred. Never log in to a company through a link in an email unless you are expecting a verification notice and you are sure it is from that company. Before submitting any information on a website, verify the security certificate first, and check that the domain in the address bar is really the company's: a phishing site can hold a perfectly valid certificate for its own lookalike name.

Clicking on a fraudulent link can net the Phisher his catch, and you and your computer are the phish.
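The checks this section describes (and the generic-greeting check from the Greeting section above), as an added Python example that is not part of the original article. The domains company.com and account-verify.net, the address 203.0.113.5 (a documentation-range address) and the sample message body are all constructed for the demonstration; the lookalike test only knows the brands you list in TRUSTED_DOMAINS.

```python
"""Added example: flag the bait described above in a constructed HTML email body.

Assumptions (not from the original article): the recipient does business only with
company.com; every other domain, IP address and URL below is made up for the demo.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the recipient really does business with (constructed for the example).
TRUSTED_DOMAINS = {"company.com"}

# "Dear Member", "Dear Valued Customer", "Dear Company Member", but not "Dear Isaac Newton".
GENERIC_GREETING = re.compile(
    r"\bdear\s+(?:\w+\s+){0,2}(?:customer|member|user|client|account\s+holder)\b", re.I)

# Constructed phishing body; 203.0.113.5 is a documentation-range address, not a real host.
SAMPLE_HTML = """<p>Dear Company Member,</p>
<p>Your account will be suspended in 24 hours unless you
<a href="http://www.company.com.account-verify.net/login">https://www.company.com/login</a>
to confirm your details. You can also use our
<a href="https://www.company.com@203.0.113.5/secure">secure server</a>.</p>
<p>Questions? See <a href="https://www.company.com/help">https://www.company.com/help</a>.</p>"""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """'login.company.com' -> 'company.com'.  Two labels is enough for the demo;
    production code should use the Public Suffix List (co.uk, com.au, ...)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def link_findings(text, href):
    """Reasons one link looks like bait; an empty list means nothing was found."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to what follows it.
        findings.append("text before '@' is a decoy, the real host is %s" % host)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    # Visible text that looks like a URL must point where it says it does.
    shown = re.search(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append("link text shows %s but the link goes to %s" % (shown.group(1), host))
    # A trusted brand name buried in someone else's domain is the classic lookalike.
    for brand in TRUSTED_DOMAINS:
        if brand.split(".")[0] in host and registered_domain(host) != brand:
            findings.append("lookalike: %s is not %s" % (host, brand))
    return findings


def analyze(html):
    """Return (text, href, findings) for every link in the body."""
    return [(text, href, link_findings(text, href)) for text, href in extract_links(html)]


def has_generic_greeting(text):
    return bool(GENERIC_GREETING.search(text))


if __name__ == "__main__":
    print("generic greeting:", has_generic_greeting(SAMPLE_HTML))
    for text, href, findings in analyze(SAMPLE_HTML):
        print("%-36s -> %s" % (text[:36], href))
        for finding in findings:
            print("    !", finding)
```

Run it and the only link that passes is the genuine https://www.company.com/help; the first link fails three ways at once (plain http, text that says company.com while the host is account-verify.net, and a brand name buried in someone else's domain), which is typical of real bait.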

Emails that Look Like Websites

Phishing emails may look like websites and try to get you to enter your personal information. Legitimate companies will never ask you to enter personal information in an email.

Style of Writing

Phishers often use poor spelling, bad grammar, missing words and logic gaps, sometimes deliberately, to slip past keyword-based spam filters. Legitimate businesses use proper business communication, and while it may not be perfect, the writing is generally far better than that found in phishing emails.

Connection Security

When you enter information in a web session, make sure the URL begins with "https://" (an encrypted connection) and verify the security certificate. This is not foolproof: https only proves that the connection is encrypted to whoever owns that domain, phishing sites can obtain valid certificates for their own lookalike domains, and some phishers have forged security icons inside the page itself.

Pop-up Boxes

Legitimate companies do not (or should not) use popups from email, because a popup can hide the real address bar and certificate, leaving you no way to tell where the form you are filling in actually goes.

Attachments

Attachments in phishing emails are very dangerous; they may be virus- or spyware-laden. Do not open these and delete them immediately after reporting the scam.

Above all, if you are not sure, always contact the company directly!

How to Verify a Security Certificate

Look for the lock icon in the browser's address bar (older browsers showed it in the status bar at the bottom of the window); on a secure site it should appear locked. Clicking it lets you view the security certificate: check that the certificate is issued for the domain you meant to visit, that it is still within its validity period, and who issued it. In general, browsers trust only reputable Certificate Authorities, but be aware that an untrustworthy Certificate Authority can be added manually by anyone who has access to your computer, after which certificates it issues will show the same closed lock.
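The three checks behind "verify the security certificate" here and under Connection Security above, carried out by hand as an added Python example that is not the article's own code. It works on certificates in the dictionary form Python's ssl.SSLSocket.getpeercert() returns; the certificates, issuer names and the trust store are constructed for the demonstration, and a real client leaves all of this (plus signature-chain verification, which the demo does not do) to the TLS library.

```python
"""Added example: the checks behind 'verify the security certificate', run by hand on
certificates in the dict form Python's ssl.SSLSocket.getpeercert() returns.

Assumptions (not from the original article): the certificates, issuer names and the
trust store below are constructed; signature verification is deliberately left out.
"""
import ssl
import time

# A trust store is just the set of issuers the machine believes.  Anyone with access
# to the computer can add one, which is the caveat in the text above.
TRUSTED_ISSUERS = {"Example Trusted CA"}

# Fixed clock so the validity check is reproducible.
FIXED_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")


def _cert(sans, issuer):
    """Build a getpeercert()-shaped dict for the demo (constructed, not a real cert)."""
    return {
        "subject": ((("commonName", sans[0]),),),
        "issuer": ((("organizationName", issuer),),),
        "notBefore": "Jan  1 00:00:00 2024 GMT",
        "notAfter": "Dec 31 23:59:59 2024 GMT",
        "subjectAltName": tuple(("DNS", name) for name in sans),
    }


GOOD_CERT = _cert(["www.company.com", "company.com", "*.company.com"], "Example Trusted CA")
# Perfectly valid certificate for a lookalike domain: the browser lock will be closed.
LOOKALIKE_CERT = _cert(["www.company-login.net"], "Example Trusted CA")
# Certificate for the real name, but issued by a CA someone added to the machine.
ROGUE_CA_CERT = _cert(["www.company.com"], "Added By Malware CA")


def name_matches(pattern, hostname):
    """RFC 6125 style: '*.company.com' covers 'login.company.com' but neither
    'company.com' nor 'a.b.company.com'; anything without '*' must match exactly."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 1 and p[1:] == h[1:]
    return p == h


def certificate_findings(cert, hostname, trusted_issuers, now=None):
    """Reasons not to trust this certificate for this hostname (empty = passes)."""
    now = time.time() if now is None else now
    findings = []
    # 1. Is it issued for the name in the address bar?
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(san, hostname) for san in sans):
        findings.append("issued for %s, not %s" % (", ".join(sans), hostname))
    # 2. Is it within its validity period?
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        findings.append("outside validity period")
    # 3. Who issued it, and is that issuer in the trust store?
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    if issuer.get("organizationName") not in trusted_issuers:
        findings.append("issuer %r is not in the trust store" % issuer.get("organizationName"))
    return findings


if __name__ == "__main__":
    cases = [("real site", GOOD_CERT, "www.company.com", TRUSTED_ISSUERS),
             ("lookalike", LOOKALIKE_CERT, "www.company-login.net", TRUSTED_ISSUERS),
             ("rogue CA", ROGUE_CA_CERT, "www.company.com", TRUSTED_ISSUERS),
             ("rogue CA, added to store", ROGUE_CA_CERT, "www.company.com",
              TRUSTED_ISSUERS | {"Added By Malware CA"})]
    for label, cert, host, store in cases:
        print(label + ":", certificate_findings(cert, host, store, FIXED_NOW) or "passes")
```

The two cases worth dwelling on are the ones that pass: the lookalike certificate is genuinely valid for www.company-login.net, so the lock tells you only that you are talking to that site, and the rogue CA certificate passes the moment its issuer is in the trust store. Neither is something the lock icon alone can warn you about; reading the domain and the issuer is what catches them.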

Check the URL of a Link Without Clicking On It

You can check the URL of a link, without clicking:

Report Phishing And Help Catch the Phisher

Forward the entire email, with full headers turned on (the Received lines are what lets the organization trace where it came from), to the legitimate organization being impersonated in the message. Most organizations have information on their websites about where to report problems. Access the company through a web address that you know to be genuine, not from a link in the email. Do not click a link in the email expecting it to take you to the legitimate site.
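Reading the full headers, and packaging the message so that they survive the report, as an added Python example that is not part of the original article. It serves both this section and The Sender's Email Address above: the message, addresses, hosts and IPs are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and abuse@company.com is a hypothetical reporting address. It shows why the From line proves nothing while the Received chain written by your own provider does, and why the original should be attached as message/rfc822 rather than forwarded inline, which would replace its headers with yours.

```python
"""Added example: read the full headers of a constructed phishing message the way the
impersonated organization will, then package it for reporting.

Assumptions (not from the original article): every address, host and IP below is made
up; abuse@company.com is a hypothetical reporting address.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed message.  The topmost Received: line was written by the recipient's own
# mail server (mx.yourmail.example); the one below it by whoever handed the mail over.
RAW_MESSAGE = """Return-Path: <bounce-8812@account-verify.net>
Received: from mail.example.net (mail.example.net [203.0.113.9])
\tby mx.yourmail.example (Postfix) with ESMTP id 4A1B2C3D
\tfor <you@yourmail.example>; Mon, 12 Feb 2024 09:14:02 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.net with SMTP; Mon, 12 Feb 2024 09:13:55 +0000
From: "Company Security" <security@company.com>
Reply-To: verify@account-verify.net
To: you@yourmail.example
Subject: Urgent: confirm your account
Date: Mon, 12 Feb 2024 09:13:40 +0000

Dear Company Member, your account will be suspended unless you confirm your details today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def domain_of(header_value):
    """'"Company Security" <security@company.com>' -> 'company.com'."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def received_hops(msg):
    """IP of each Received: hop, newest first.  The top entry was recorded by your own
    provider and can be trusted; entries further down were written by servers the
    phisher may control, so they can be forged."""
    hops = []
    for value in msg.get_all("Received", []):
        match = IPV4.search(str(value))
        hops.append(match.group(1) if match else None)
    return hops


def header_findings(msg):
    """Mismatches between what the From line claims and what the other headers say."""
    findings = []
    sender = domain_of(msg["From"])
    bounce = domain_of(msg["Return-Path"])
    reply = domain_of(msg["Reply-To"])
    if bounce and bounce != sender:
        findings.append("From: says %s but bounces go to %s (Return-Path)" % (sender, bounce))
    if reply and reply != sender:
        findings.append("replies would go to %s, not %s (Reply-To)" % (reply, sender))
    hops = received_hops(msg)
    if hops:
        findings.append("handed to your provider by %s; earliest recorded hop %s"
                        % (hops[0], hops[-1]))
    return findings


def build_report(raw, abuse_address):
    """Attach the original as message/rfc822 so every header survives intact; an
    inline forward would replace them with your own."""
    report = EmailMessage()
    report["To"] = abuse_address
    report["Subject"] = "Suspected phishing (original attached)"
    report.set_content("The attached message impersonates you. Full headers are intact.")
    report.add_attachment(parse(raw))
    return report


if __name__ == "__main__":
    msg = parse(RAW_MESSAGE)
    print("From line claims:", msg["From"])
    for finding in header_findings(msg):
        print("  !", finding)
    print(build_report(RAW_MESSAGE, "abuse@company.com").as_string())
```

The From line says company.com, but bounces and replies both go to account-verify.net and the message entered your provider from 203.0.113.9, not from anything belonging to the company. Those are the facts the impersonated organization needs, and they are exactly what an inline forward throws away.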

You may also report phishing scams to local law enforcement authorities or as directed in the following websites.

In Canada:

In the United States:

It is an unfortunate fact that many of these scams originate from parts of the world where cooperation in enforcement is difficult -- if not impossible -- to obtain.



Phishing References

These sites provide additional information about phishing, how to recognize it and what to do about it.

EBay -- Spoof Email Tutorial
PayPal Security Center
How Not to Get Hooked by a 'Phishing' Scam
Phishing: A new form of identity theft

Link To This Page

Knowledge is power. The Bitmill Inc. encourages links to our site. To link to this page, paste the following HTML into your web page source file:

<a href="http://www.thebitmill.com/articles/phishing.html">Protect Yourself From Phishing 101</a>
