Phishing Primer


Introduction

If it seems like you're hearing more about phishing attacks or receiving more phishy emails than you did a year ago, you're not imagining it. According to the Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG):

  • The total number of phish observed in Q3 of 2013 was 143,353, a 20 percent increase over Q2’s 119,101 (the rise was generally attributable to an increased number of attacks against money transfer sites and retail/commerce sites).
  • Malware creation hit a new record high, with APWG member PandaLabs cataloging "nearly 10 million new malware samples from July to September, and PandaLabs observed that the number of new malware samples in circulation in the first nine months of 2013 was larger than the total for all of 2012."
  • During that same period, almost one third (31.88%) of personal computers worldwide were infected with malware (more than 59 percent of PCs in China may have been infected, while Europe continued to have the lowest infection rates).
  • According to Websense Security Labs, "In the third quarter of 2013 we saw a change in the phishing themes used by malware authors. An emphasis on social media-themed subjects, such as ‘Invitation to connect on LinkedIn’, was used to entice users who would be used to seeing such subjects."

» Extra: Visit APWG's Cybercrime News page for stories on recent attacks.

Even if you haven't fallen victim to this ubiquitous crime and the identity theft that can follow it, improve your odds by following the steps listed below. Remember, the identity, headaches and $$$ you save may be your own.

What is Phishing?

According to the APWG:

"Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.

Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit web sites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.

Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning."

» Extra: Origin of the term "phishing"

How to Spot a Phish

A few clues that the message is phony and can be dangerous:

  • The TO field is blank or for another person.
  • It contains an urgent request for personal information.
  • It includes grammatical errors or typos.
  • The message is threatening (Do X right now or lose Y).
  • It has a link (or submit button), probably to an unsecured address (NOT https).
  • The message has an attachment.

How to Protect Yourself

The simplest 1-2-3 advice is: 1. Be wary, 2. Stay vigilant, 3. Use common sense. For a few specifics, follow this APWG list of tips to prevent being hooked by a phishing attempt:

  • Be suspicious of any email with urgent requests for personal financial information.
  • Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle.
  • Avoid filling out forms in email messages that ask for personal financial information.
  • Always ensure that you're using a secure web site when submitting credit card or other sensitive information via your Web browser.
  • Remember not all scam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like "http://www.gotyouscammed.com/paypal/login.htm?" Be aware of where you are going.
  • Consider installing a web browser toolbar to help protect you from known fraudulent web sites. These toolbars match where you are going against lists of known phisher web sites and will alert you.
  • Regularly log into your online accounts.
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
  • Ensure that your browser is up to date and security patches applied.

What to do When You Spot a Phish

  • If you receive a suspicious email and you're not sure if it's a phish, report it to the IT Service Desk (help@brown.edu or 401-863-4357).
  • If you do receive a phish, report it as phishing to Google (from within the message, click on the down arrow to the right of the REPLY button and select "Report phishing"). This will send that message immediately to the GMail Team for analysis and filtering.
  • If you think you might have fallen victim to a phish (or other suspicious email) or are concerned your account may have been compromised, you should take immediate action and complete the following recommendations:
  1. Check the account activity at the bottom of your Inbox, and sign out of all other sessions if found. Also, check your Sent Mail folder to see if anything suspicious has been sent from it.
  2. Change both your Brown and Google passwords (www.brown.edu/myaccount). If you used the same passwords for other accounts, you should change them as well.
  3. Run a scan of your system to check for any malware.
  4. Check your Google email settings and remove any suspicious accounts. (Go to Settings > Accounts > Send Mail As)
  5. Check your Google Drive for any suspicious files you might find there, especially ones that were created to collect others' information. If you do find any, report this to ISG@brown.edu.
  6. If confidential or sensitive information resides on your computer or on your Google Drive, please report this to ISG@brown.edu.

What to do if You Become a Victim

Unfortunately, there is no way for us to track down the scammer. These criminals use fake addresses and relay points around the globe, and usually shut down the servers and addresses in less than 24 hours, while moving on to a new one. Major investigations by the FBI on issues like this take years, and oftentimes have no results. Here are some steps you should take:

  • Change your Brown and Google passwords immediately (www.brown.edu/myaccount). If you use the same passwords in other areas (banking, gmail, facebook, etc), change them there as well.
  • Check the account activity at the bottom of your in-box, and sign out of all other sessions. Also check your Google email settings, removing any suspicious accounts. (Settings > Accounts > Send Mail As)
  • Check your Google docs for any that were created to collect others' information.
  • Run a virus and malware scan on your computer.
  • Contact the Federal Trade Commission at ftc.gov to file a complaint and log an identity theft concern.
  • Contact the Attorney General's office of the state in which you reside and log a complaint.
  • Contact the three credit bureaus and place a fraud alert on your SSN (Experian, TransUnion, and Equifax); ask for free credit reports to set as a baseline. Details at Defend: Identity Theft page.

Sharpen and Test Your Skills

There are several excellent tutorials to help you spot phishing attempts and learn how to avoid them, and quizzes to test your awareness of various phishing tactics. You may wish to check out one or more of the following.

Tips, Tutorials & Videos

How to Spot Phishing Scams (video from Howcast)
Tips to avoid phishing scams (source: "LooksTooGoodToBeTrue.com")
Online Tutorial (source: AT&T)
How to recognize phishing email messages, links or phone calls (source: Microsoft)
10 Tips to Combat Phishing (source: Panda Software)
OnGuardOnline.gov Phishing page (for more examples of phishing messages)

Quizzes

Phishing Scams: Avoid the Bait (source: OnguardOnline.gov)
SonicWALL Phishing IQ (source: Dell)

CIS Notifications

Visit the Alerts page
See the archive of ISG's Phishing & Malware Alerts