What are phishing scams and how can I avoid them?
Phishing explained
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank, eBay, etc.). These messages usually direct you to a spoofed web site and ask you for private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
An example of a phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to "click here" to verify your information. For more examples, see:
http://www.antiphishing.org/phishing_archive.html
To really get your awareness up, see the Field Guide to Phishing (it is funny as well as instructive), then take the Phishing IQ test at
http://www.sonicwall.com/phishing/
How to avoid them
To avoid phishing scams, never click the links provided within these types of email messages. If you feel the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser yourself, or use a bookmark you saved earlier) or contact the company, using a phone number or address you already have rather than one given in the message, to see if you really do need to take the action described. Delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.
You should also always read your email as plain text. Phishing messages often contain clickable images and link text that look legitimate; by reading messages in plain text, you see the actual URLs that any links and images point to, rather than the text or picture laid over them. Additionally, when you allow your mail client to render HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to load remote content and run script, which leaves your computer more exposed to viruses, worms, and Trojans that target the rendering engine. For more information, Indiana University has a great document, "In Windows, how do I force my email client to display mail as text-only?"
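A programmatic version of the same check, added here as an illustration (it is not code from the original page or from Indiana University): a short Python script parses an HTML email and lists, for every link and clickable image, the visible text beside the real href, flagging links whose visible text names one site while the href actually goes to another. The message it reads is constructed for the example; bank.example (the impersonated brand) and secure-login.example (the phisher's host) are made-up names.

```python
"""List where the links in an HTML e-mail really go.

Added example, not code from the original page. The message below is
constructed for illustration: 'bank.example' stands for the impersonated
brand and 'secure-login.example' for the phisher's host.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing mail).
RAW_MESSAGE = """\
From: "Bank Security" <alerts@bank.example>
To: you@example.org
Subject: Unusual activity on your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected fraudulent activity on your account. Please
<a href="http://secure-login.example/bank/verify">click here</a> to verify your details.</p>
<p>Or visit <a href="http://secure-login.example/bank/">https://www.bank.example/</a></p>
<a href="http://secure-login.example/bank/"><img src="http://secure-login.example/logo.png" alt="Bank logo"></a>
</body></html>
"""

# Something in the visible text that reads like a URL or hostname.
URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a>; an image inside a link
    is recorded as '[image: ...]' so clickable logos are not missed."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href", "")
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append("[image: %s]" % (attrs.get("alt") or attrs.get("src", "")))

    def handle_data(self, data):
        if self._href is not None and data.strip():
            self._text.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join(self._text), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames without a scheme are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    # Simplification: treat a leading 'www.' as insignificant. A production
    # check would compare registrable domains using the public suffix list.
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return strip(a) == strip(b)


def audit_links(raw_message):
    """Return [(visible text, real href, reason)] for each link in the HTML
    body; reason is '' unless the visible text names a different site than
    the one the link really goes to."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = LinkCollector()
    collector.feed(html_part.get_content())
    report = []
    for text, href in collector.links:
        reason = ""
        m = URL_LIKE.search(text)
        if m and not same_site(host_of(m.group(0)), host_of(href)):
            reason = "visible text names %s but the link goes to %s" % (
                host_of(m.group(0)), host_of(href))
        report.append((text, href, reason))
    return report


if __name__ == "__main__":
    for text, href, reason in audit_links(RAW_MESSAGE):
        print("%-28s -> %s  %s" % (text, href, reason))
```

Running it on the sample prints three lines: the "click here" link and the logo image both resolve to secure-login.example, and the second link is flagged because it displays https://www.bank.example/ while pointing somewhere else; this is exactly what you would see by eye when the message is rendered as plain text.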
Warnings
Reading email as plain text is a general best practice that, while it avoids some phishing attempts, won't avoid them all. Some legitimate sites use redirect scripts that don't validate where they redirect to (open redirects). Consequently, phishing perpetrators can use these scripts to bounce you from a legitimate site's URL to their fake site, so a link that visibly begins with the genuine domain may still land you on the phisher's page.
Another tactic is the homograph attack, which, due to International Domain Name (IDN) support in modern browsers, allows attackers to use characters from other language scripts (for example, a Cyrillic letter that is drawn identically to its Latin look-alike) to produce URLs that look remarkably like the authentic ones. For more information, see:
http://db.tidbits.com/getbits.acgi?tbart=07983
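One way to catch the homograph trick programmatically, added here as an example (it is not code from the original page or from the TidBITS article): convert the displayed hostname to the xn-- (punycode) form the browser actually resolves, flag labels that mix scripts, and compare a "skeleton" of the name, with look-alike letters mapped back to Latin, against the domains the user expects to see. The look-alike hostnames are constructed, and the confusables table is a small hand-picked subset rather than Unicode's complete list.

```python
"""Check a displayed hostname for IDN homograph look-alikes.

Added example, not code from the original page. The look-alike hostnames
used here are constructed, and CONFUSABLE_TO_LATIN is a small hand-picked
subset, not Unicode's full confusables.txt.
"""
import unicodedata

# Small subset of characters that render like Latin letters (Cyrillic and
# Greek). Enough to show the technique; a real check would load the full
# Unicode confusables data.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",                 # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",  # Greek
}


def script_of(ch):
    """Approximate script ('LATIN', 'CYRILLIC', ...) taken from the Unicode
    character name; None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(hostname):
    """Replace look-alike letters with the Latin letter they imitate."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in hostname)


def to_ascii(hostname):
    """The xn-- (punycode) form that DNS and the browser actually resolve."""
    return hostname.encode("idna").decode("ascii")


def check_hostname(hostname, trusted=()):
    """Return (ascii_form, warnings). 'trusted' holds the hostnames the user
    expects (e.g. their bank); a name that is not in it but whose skeleton
    is gets flagged as a look-alike."""
    warnings = []
    # NFKC folds presentation variants so visually identical forms compare equal.
    hostname = unicodedata.normalize("NFKC", hostname).rstrip(".").lower()
    # A link may already carry the xn-- form; decode it so the check sees
    # the characters the address bar would display.
    if hostname.isascii() and "xn--" in hostname:
        hostname = hostname.encode("ascii").decode("idna")
    for label in hostname.split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            warnings.append("label %r mixes scripts: %s" % (label, ", ".join(sorted(scripts))))
    ascii_form = to_ascii(hostname)
    if ascii_form != hostname:
        warnings.append("displayed as %r but resolves as %s" % (hostname, ascii_form))
    if hostname not in trusted and skeleton(hostname) in trusted:
        warnings.append("looks like %s but is a different domain" % skeleton(hostname))
    return ascii_form, warnings


if __name__ == "__main__":
    # 'p\u0430ypal.com' is 'paypal.com' with a Cyrillic a (U+0430).
    for name in ("paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"):
        ascii_form, warnings = check_hostname(name, trusted={"paypal.com"})
        print(name, "->", ascii_form, warnings or "ok")
```

The point of the ascii_form output is that the xn-- string is what a certificate, a DNS log or a proxy log will show, so that is the form to look for when investigating; the skeleton comparison is what lets a mail gateway or browser extension say "this is not your bank" even when every glyph on screen matches.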
Reporting phishing attempts
Make it stop!
Before you delete the phishing email, you can report the attempt to the company that is being spoofed. If you forward the message to pirt@castlecops.com, their volunteer handlers will track down the ISP and the hosting site and get it shut down legally. You can also send reports to the Federal Trade Commission (FTC) at the following URL:
https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01
Depending on where you live, some local authorities also accept phishing scam reports. And finally, you can send details to the Anti-Phishing Working Group, which is building a database of common scams to which people can refer:
http://www.antiphishing.org/