What is phishing and how do you protect yourself from it?

What is phishing and how do you protect yourself from it?

According to Antiphishing.org:

Phishing is a form of online identity theft that uses spoofed e-mails designed to lure recipients to fraudulent Websites which attempt to trick them into giving out personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known banks, online retailers and credit card companies, data suggests that phishers are able to convince recipients to respond to them. As a result of these scams, an increasing number of consumers are suffering credit card fraud, identity theft, and financial loss.

The majority of Internet surfers use Internet Explorer (or IE) as the main browser on their personal computers. This is fine, except for the fact that IE is well-known for all its security and design flaws. Sure, everything looks good on the surface, but the industry standard browser has many holes to cover up. One such flaw in the Internet Explorer allows scam artists to insert malicious codes into your e-mails to steal the identity of major brands and disguise as them, sending out SPAM that appear to be legitimate, official correspondence.

These phishing scams generally follow a certain pattern. Almost all use "scare tactics" with the intention of making you panic and take action instinctively to protect yourself. They send e-mails that seem to be from a known, legitimate business (Chase Bank or PayPal, for instance) to warn you about your account status, security breach, or general misuse of your account by somebody else, asking you to take action by clicking on the link contained in the e-mail to prevent it from happening. These scam artists got so sophisticated that they even use the brand's logo, official e-mail addresses, Website images and type fonts in their e-mails. Then they ask you to click on the link contained in the e-mail, which seems to be on the same domain as the sender of the e-mail. Everything, up to this point, will seem perfectly natural. What happens after is a different story.

When you click on the link contained in the e-mails, an automated script takes you to a different domain that may look exactly like the Website you're expecting to see. They use scripts that cause the legitimate Website address to appear in the address bar, but the actual site being displayed is that of the fraudster. What these scam artists do is that they completely replicate the major brand's Website. They don't need to duplicate everything, just a single login page. When you enter your login id, password, credit card info or any other vital information and submit it, the information is automatically added to a remote database, and you're then redirected to the brand's actual Website. Most users, thinking they were redirected because they entered the information wrongly, would not suspect anything. By this time, however, it may already be too late.

As if that was not scary enough, sometimes these phishing e-mails automatically install a software called a key logger when you open e-mail attachments or click on the links. This is extremely vicious software that can record every "key" you type on the keyboard and "log" the information, sending it to a remote server. Even if you enter your password into encrypted login pages, the software can track what alphabets and numbers you used for your login or password. Now that's a frightening thought!

Besides emptying your bank and credit cards, some phishers also hijack your browser and ISP service. You might not even notice it when your Internet connection gets disconnected for mere seconds before being reconnected, but this time your connection may be shared by a shadowy figure from halfway across the world. Nothing may seem amiss until you receive your phone bills. In one case I personally heard of, an acquaintance of mine got his browser hijacked and connected to a foreign ISP, in some part of the world I cannot remember. What happened is that instead of paying local charges, he paid full international calling rates to be connected to the foreign ISP, which remains till this date, untraceable. Although he later realized it happened when he tried to gain "free" access to an adult entertainment site, the same scenario could happen with almost any other Website with a criminal mind behind it.

Have you ever gotten an e-mail with either of these subjects?-

• eBay Verify Accounts
• Critical : Paypal Security Warning

Didn't those e-mails look real? Yet, Paypal officials say on their Website that they will never ask for the following personal information in e-mails:

• Credit and debit card numbers
• Bank account numbers
• Driver's License numbers
• E-mail addresses
• Passwords
• Your full name

But you wouldn't know this, would you, until you've read their Security Center guidelines. The phishing scams are generally targeted at new users who don't know all this information, or don't think they need to know it to protect themselves. The seasoned user, however, would spot a phishing e-mail a mile away. I recommend that Paypal users, old and new, read all the information in the Security Center here.

The highest reported number of incidents of phishing so far was in March 2005, to a total of 13,353 incidents reported to the APWG (Anti-Phishing Work Group). Considering that only 1% of people actually bother to make a report, the actual number of phishing e-mails circulating the Internet everyday is astounding. So much so, that you could say phishing has become perhaps the #1 scam on the Internet. The United States continues to be the top geographic location for hosting phishing sites, with more than 34%.China remains second with 12%, followed by Korea at 9%.

How to protect yourself from phishing scams.

Here are a few simple precautions that you can take to avoid being a victim to a phishing scam:

1) Never update any personal or financial records by clicking on e-mail links. If you get an e-mail asking you to do so, ignore it. Phishers often use links within e-mails to direct their victims to a spoofed site, usually to a similar address such as "secure-mybank.com" instead of "mybank.com."

2) If you really feel the need to verify the claims, warnings or statements made in the e-mails, open up your browser, type in the Website's main URL manually, and log into your account.

3) Look for secure Websites that start with "https" instead of "http." All secure Websites start with "https" ("s" for security) and if it does not, there are no guarantees on the safety of your information.

4) Look for a lock icon on the browser's status bar. This small and often unnoticed icon lets you check the level of encryption, expressed in bits, by hovering over the icon with your cursor. Note that the fact that the Website is using encryption doesn't necessarily mean that the Website is legitimate. It only tells you that data is being sent in encrypted form.

5) Report the message to the company that the message claims to be from. By doing that you will be alerting the company of the abuse of their brand, so that they can report it to the proper authorities and help keep other people from being ripped off.

6) Educate yourself. Banks or e-commerce companies generally personalize e-mails, while phishers do not. Learn to recognize a legitimate e-mail from a spoofed one. This may be hard to do sometimes, with the scammers continuously "upgrading" themselves, but it's absolutely necessary that you at least keep up with them. Let common sense guide you. If anything seems too good to be true, then it probably is.

7) Always check your critical accounts for any irregular incidents or payments. Check all your statements, and if you see any unauthorized transactions, get to the bottom of it immediately.

8) Never reply to spam e-mails, as this will give the sender confirmation they have reached a live address. The last thing you want to do is to provide encouragement to the scammer that his plans are working!

9) Always keep your computer secure by installing anti-virus software and keeping it up to date. By doing so, you will ensure protection against malicious software and be alerted of any intrusions by worms, Trojans, or similar dangers.

10) If you're on broadband, get a firewall. You'll need a firewall since your internet connection is on 24/7 and you're not always there to spot intrusions and illegal use of your bandwidth.

11) Update the security patches for your Internet Explorer browser, or better still, download Mozilla's browser called Firefox (http://www.firefox.com) which is reputed to be more secure than its Microsoft counterpart.

12) Arm yourself with browser enabled plug-ins and tools such as NetCraft (http://toolbar.netcraft.com/) and a lot more by doing a simple Google search for "anti-phishing software."

So that's it folks, the run-down on the Internet's most cruel scam, phishing. PC World reported that research firm Gartner found phishing scams are costing consumers $2 billion a year. In March 2005, Microsoft filed 117 phishing lawsuits in the Western District of Washington with unnamed defendants.

While the Federal Trade Commission (FTC) and others have concentrated on public education, the Anti-Phishing Act of 2005 was proposed by U.S. Senator Patrick Leahey (D- Vermont). This would make the creation and use of e-mail addresses and Websites that are intended to spoof legitimate businesses for purpose of procuring personal information punishable by fines and jail time. Scams such as phishing can be reported, tracked down, and shut down. However, catching phishers can prove to be difficult, especially when it is done from third world countries with no laws on Internet security. Besides that, fraud sites usually operate for very short periods of time. Therefore it's up to every individual to educate themselves and ensure their own safely when it comes to online financial transactions and activity. Prevention is, as they say, always better than cure.

Resources

Anti-Phishing Working Group - Phishing Activity Trends Report (2005)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Gobala Krishnan is a freelance researcher and writer for the IAHBE. He can be contacted at http://www.GobalaKrishnan.com or http://www.MyBusinessVoIP.com.