Case Security Awareness: 2010-2011
What are phishing scams and how can I avoid them?
Phishing explained
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank, eBay, etc.). These messages urge you either to reply with your user name and password or to click on a hyperlink that takes you to a bogus website where you are asked to input private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
Symantec has a great video on the subject that covers the basics in an entertaining manner; see Internet Scary Stuff - Phishing.
For examples of typical phishing tactics, see: http://www.antiphishing.org/phishing_archive.html
To really get your awareness up, see the Field Guide to Phishing, then take the Phishing IQ test at http://www.sonicwall.com/phishing/
How to avoid them
To avoid phishing scams, never click the links provided within these types of email messages. If you feel the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message. Delete the email message from your Inbox, and then empty it from the Deleted Items folder to avoid accidentally accessing the web sites it points to.
You should also always read your email as plain text. Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to render HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.
For more information, see Indiana University's knowledge base article "In Windows, how do I force my email client to display mail as text-only?"
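The point about plain text is that the visible part of a link (an image, or text that reads like a trusted address) and the address it really opens are two different things. The following is an added example, not part of this page or of any Case tool, that walks an HTML message and reports links whose visible form hides or contradicts the real destination. The sample message, the "example.net" host and the 198.51.100.7 address are constructed for the example (reserved documentation names, not real sites).

```python
"""Added example: compare where an HTML e-mail's links say they go with where
they actually point. The sample message below is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a mailbox-quota lure. "example.net" and 198.51.100.7 are
# reserved documentation names/addresses, not real phishing infrastructure.
SAMPLE_HTML = """<p>Dear user, your mailbox is over quota.</p>
<p>Log in at <a href="http://webmail-case-edu.example.net/login">https://webmail.case.edu</a> within 24 hours.</p>
<p><a href="http://198.51.100.7/verify"><img src="cid:logo" alt="Case Western Reserve University"></a></p>
<p>Questions? Visit <a href="https://help.case.edu">https://help.case.edu</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text, contains-image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = {"href": attrs["href"], "text": "", "image": False}
        elif tag == "img" and self._current is not None:
            self._current["image"] = True  # a clickable image inside the link

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html):
    """Return (href, what_was_shown, real_host) for links whose visible form
    hides or contradicts the real destination."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        real_host = host_of(link["href"])
        shown = link["text"].strip()
        if link["image"] and not shown:
            # An image is the whole link: plain-text rendering would expose the URL.
            findings.append((link["href"], "image link", real_host))
        elif "." in shown and " " not in shown:
            # The link text itself looks like a URL/domain: does it match the href?
            if host_of(shown) != real_host:
                findings.append((link["href"], shown, real_host))
    return findings


if __name__ == "__main__":
    for href, shown, real_host in suspicious_links(SAMPLE_HTML):
        print(f"shown as {shown!r} but goes to {real_host} ({href})")
```

Run against the sample, the first link is flagged because the text reads https://webmail.case.edu while the href goes to a host under example.net, and the logo link is flagged because it is an image with no visible address at all; the genuine help.case.edu link passes.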
Warnings
Reading email as plain text is a general best practice that, while defeating some phishing attempts, won't defeat them all. Some legitimate sites employ redirect scripts that don't validate the destination they redirect to. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites: the link shows the legitimate domain, but the browser ends up on the fake one.
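For site operators, the fix for the redirect problem above is to check the destination before redirecting. The following is an added example, not code from this page or from any Case system, showing the unchecked pattern beside a hardened check that accepts only a same-site path or an https URL to an allowlisted host. The allowlist and the host names in the docstrings are constructed for the example.

```python
"""Added example: a redirect parameter check of the unchecked kind the page warns
about, beside a hardened version that only allows local paths or an allowlist
of hosts. Host names are constructed for this example."""
from urllib.parse import urlparse

# Constructed allowlist of hosts a redirect may send users to.
ALLOWED_HOSTS = {"www.case.edu", "help.case.edu"}


def is_safe_redirect_weak(target):
    """The unchecked pattern: anything that looks like a URL is accepted, so a
    link on the legitimate domain can carry users to any other site."""
    return target.startswith(("http://", "https://", "/"))


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a same-site path or an https URL to an allowlisted host."""
    if not target or any(ord(c) < 0x21 for c in target) or "\\" in target:
        # Control characters, whitespace and backslashes are parsed differently
        # by different browsers ('/\host' can be read like '//host'); refuse them.
        return False
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative reference: exactly one leading slash, never a scheme-relative '//host'.
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme != "https":
        return False
    if parsed.username is not None or parsed.password is not None:
        # 'https://trusted.example@other.example/' puts the trusted name in the
        # userinfo part; the real host is what follows the '@'.
        return False
    return (parsed.hostname or "").lower() in allowed_hosts


if __name__ == "__main__":
    for t in ["/account", "//attacker.example/login", "https://help.case.edu/kb",
              "https://www.case.edu@attacker.example/"]:
        print(f"{t!r}: weak={is_safe_redirect_weak(t)} hardened={is_safe_redirect(t)}")
```

The weak check passes every case that starts with http, https or a slash, including a scheme-relative //host reference, which a browser treats as an absolute URL to that host. The hardened check parses the target and decides on the host the browser will actually contact.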
Another tactic is the homograph attack, in which Internationalized Domain Name (IDN) support in modern browsers allows attackers to use characters from other language scripts to produce URLs that look remarkably like the authentic ones. For more information, see: http://db.tidbits.com/getbits.acgi?tbart=07983
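Two things give a homograph domain away: the address the browser actually resolves is the IDNA (punycode) form, which for non-Latin labels starts with "xn--", and a single label that mixes scripts (a Latin word with one Cyrillic letter swapped in) is something a real institution's domain never does. The following is an added example, not code from this page, that computes both signals with the Python standard library; the look-alike domains in it are constructed (the Cyrillic letters U+0430, U+0441, U+0455 and U+0435 stand in for Latin a, c, s and e), and the "leading word of the Unicode character name" is an approximation of the script property, not a Unicode-standard classification.

```python
"""Added example: two signals for look-alike (homograph) domains. Domains below
are constructed; 'c\u0430se.edu' swaps the Latin 'a' for Cyrillic U+0430."""
import unicodedata

# Characters that belong to no particular script and may appear in any label.
COMMON = {"DIGIT", "HYPHEN-MINUS"}


def script_of(ch):
    """Approximate the script from the leading word of the Unicode character
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). An approximation, not the
    Unicode Script property."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring digits and hyphens."""
    return {s for s in map(script_of, label) if s not in COMMON}


def to_ascii(domain):
    """IDNA (punycode) form: what the browser actually resolves. Non-ASCII
    labels become 'xn--...', which is how the disguise shows itself."""
    return domain.encode("idna").decode("ascii")


def analyse_domain(domain):
    """Report the resolved form plus the non-ASCII and mixed-script signals."""
    domain = domain.lower()
    labels = domain.split(".")
    return {
        "display": domain,
        "ascii": to_ascii(domain),
        "non_ascii": any(ord(c) > 127 for c in domain),
        "mixed_script_labels": [l for l in labels if len(label_scripts(l)) > 1],
    }


if __name__ == "__main__":
    # genuine, one swapped letter, and an all-Cyrillic look-alike (constructed)
    for d in ["case.edu", "c\u0430se.edu", "\u0441\u0430\u0455\u0435.edu"]:
        print(analyse_domain(d))
```

The genuine domain round-trips unchanged; the one-letter swap is flagged as a mixed-script label and its resolved form starts with "xn--"; the all-Cyrillic look-alike is a single script, so only the punycode signal catches it, which is why the resolved form is the check to rely on.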
Reporting phishing attempts
Make it stop!
Before you delete the phishing email, you can report the phishing attempt to the company that's being spoofed.
You can report spoofed login or personal-data-capturing websites to Google via Google's Safe Browsing Phish Report. Google will then label it a phishing site and display a warning banner to all subsequent users.
The Case Help Desk (216) 368-4357 can help if you:
• have received an email you suspect is a scam
• have responded to a scam email with your Case account credentials
• need help changing your password.
More information is available at http://help.case.edu
When in doubt, call a Trusted Human!