Phishing: How Not to Get Hooked
Introduction
If it seems like you're hearing more about phishing attacks or receiving more phishy emails than you did a year ago, you're not imagining it. According to the recent Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG), the total number of unique phishing reports submitted to APWG in January 2008 was 29,284, an increase of over 3,600 reports from the previous month. At that time, the United States moved back to being the top hosting country for password-stealing malicious code (43.39%), after being eclipsed by China in December, as well as #1 in hosting phishing web sites (37.25% of all such web sites).
Newspapers, blogs and RSS feeds carry sad sagas of lost identities and pilfered life savings on an all too frequent basis. Consider the recent stories In an Instant, Retirement Savings Vanish published by MSNBC, or the Washington Post's Not Your Average Phishing Scam. [ Visit APWG's Phishing and eCrime Newswire for more news. ]
Even if you haven't fallen victim to this ubiquitous crime, improve your odds by following the steps listed below. Remember, the identity, headaches and $$$ you save may be your own.
What is Phishing?
According to the APWG:
"Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.
Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."
Extra: Origin of the term "phishing"
How to Protect Yourself
The simplest 1-2-3 advice is: 1. Be wary 2. Stay vigilant 3. Use common sense. For a few specifics, follow this APWG list of tips to prevent being hooked by a phishing attempt:
- Be suspicious of any email with urgent requests for personal financial information.
- Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle.
- Avoid filling out forms in email messages that ask for personal financial information.
- Always ensure that you're using a secure web site when submitting credit card or other sensitive information via your Web browser.
- Remember that not all scam sites will even try to show "https://" or the lock icon, and a lock on its own does not prove you are at the right site. Get in the habit of looking at the address line, too. Were you directed to PayPal? Or does the address line display something different, like "http://www.gotyouscammed.com/paypal/login.htm"? The part that matters is the site name before the first "/", not a brand name that appears later in the address. Be aware of where you are going.
- Consider installing a web browser tool bar to help protect you from known fraudulent web sites. These toolbars match where you are going with lists of known phisher web sites and will alert you.
- Regularly log into your online accounts.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
- Ensure that your browser is up to date and security patches are applied.
- Report "phishing" or "spoofed" e-mails.
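The "look at the address line" advice above can be automated for triage. The following is an added example written for this page (it is not code from the original article, from APWG or from Brown's Information Security Group). It parses a link the way a browser will, reports the site name that will actually be contacted, and flags the classic tricks: a brand name placed in the path or a subdomain, a "user@host" prefix that makes the wrong name show first, a bare IP address, and plain http. The brand table, the tiny stand-in for the Public Suffix List and the sample links are all constructed for the example; a production check would use the full Public Suffix List and a maintained blocklist, and this heuristic will not catch look-alike characters in a domain name.

```python
"""Added example: inspecting where an emailed link actually points.

This is illustration code written for this page, not from the original
article, from APWG or from Brown's ISG. The brand table, the small suffix
set and the sample URLs are constructed for the example; a production check
would use the full Public Suffix List and a maintained phishing blocklist.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: brands a phisher might impersonate and the registrable domains
# that legitimately belong to them (assumption for this example).
BRANDS = {
    "paypal": {"paypal.com"},
    "brown": {"brown.edu"},
}

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "edu", "net", "org", "gov", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    login.paypal.com -> paypal.com; www.paypal.com.example.net -> example.net.
    Two-label suffixes (co.uk) are tried before one-label ones (com).
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def inspect_url(url: str) -> dict:
    """Describe the real destination of a URL and list phishing indicators."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # http://paypal.com@evil.example/ displays 'paypal.com' first but
        # contacts evil.example; everything before '@' is a username.
        findings.append(f"text before '@' ({parts.username}) is a username, not the host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    for brand, legit_domains in BRANDS.items():
        # A brand name in the path, a subdomain or the userinfo is the classic
        # trick; only the registrable domain decides who owns the site.
        if brand in url.lower() and reg not in legit_domains:
            findings.append(f"'{brand}' appears in the link but the site is {reg}")

    return {"host": host, "registrable_domain": reg, "findings": findings}


def is_suspicious(url: str) -> bool:
    """True when inspect_url() found at least one indicator."""
    return bool(inspect_url(url)["findings"])


# Constructed sample links of the kind that arrive in phishing email.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "http://www.gotyouscammed.com/paypal/login.htm",
    "http://www.paypal.com.example.net/login",
    "http://paypal.com@203.0.113.5/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_url(link)
        verdict = "SUSPICIOUS" if report["findings"] else "consistent"
        print(f"{verdict:10} {link}")
        print(f"           host={report['host']} site={report['registrable_domain']}")
        for finding in report["findings"]:
            print(f"           - {finding}")
```

Running the script prints one verdict per sample link; only the first link, whose registrable domain is paypal.com, comes out clean. The third sample is worth a second look in a real mailbox: "www.paypal.com.example.net" starts with the expected name, but the site that was registered is example.net.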
Read the full article Consumer Advice: How to Avoid Phishing Scams for more details. See also the FTC Consumer Alert: How Not to Get Hooked by a 'Phishing' Scam.
Extra: Archive of reported phishing scams
Sharpen and Test Your Skills
There are several excellent tutorials to help you spot phishing attempts and learn how to avoid them, and quizzes to test your awareness of various phishing tactics. You may wish to check out one or more of the following.
Tips, Tutorials & Videos
Phishing vs. Pharming video (ZDnet)
Tips to avoid phishing scam (from "LooksTooGoodToBeTrue.com")
AT&T Online Tutorial
What you should know about phishing scams (Microsoft)
Overview of Phishing Scams
Spotting a Phishing Scam in Your Email
10 Tips to Combat Phishing (from Panda Software)
Quizzes
Phishing Scams: Avoid the Bait (from OnguardOnline.gov)
SonicWALL Phishing IQ (formerly the MailFrontier Phishing IQ)
Morning Mail Messages
Alerts of phishing attempts targeting Brown email users:
Spam email messages from your own address? (Jan 20, 2009)
Phishing Scam Alert from Information Security (Aug 27, 2008)
Brown Webmail/Spam Phishing Scam Resurfaces (Jun 19, 2008)
Phishing Scam (May 10, 2008)
New phishing scam asks for your Brown password (Nov 28, 2007)
Your Account is Suspended - NOT! (Nov 14, 2005)
Recent Electronic Attacks have some Users Guessing (Jun 14, 2005)
Other warnings regarding phishing attempts:
It’s Phishing Season - 24/7/365 (Feb 21, 2008)
2007: The Year of the Big Hook? (Jan 23, 2007)
eCards May Deliver More Than Holiday Greetings (Nov 27, 2006)
New Social Security E-mail Scam (Nov 10, 2006)
Phishing With a Twist (Sep 19, 2006)
Be Wary of Phishing Messages from the IRS and SSA (Feb 28, 2006)
Latest phishing scam - don't get hooked! (Feb 1, 2006)
Phishing Scams Increase for Holiday Shoppers (Dec 2, 2004)
Something phishy going on? How not to get hooked! (Jul 8, 2004)
Contact Us
For general information security questions or to report a computing security incident, contact ISG@brown.edu.