Detox-Comic

Phishing

What is Phishing?

Phishing is the practice of fraudulently obtaining a person's personal and financial information, usually by impersonating an organisation they trust, for the purpose of identity theft or stealing money.

Phishing: fishing for personal information. The bait is usually a worrying email designed to make you click on a link.

How does it work?

You receive an email which pretends to be from your bank or from any online site that holds information about you. The email is designed to look official and contains a link to a fake website.

When you click on the link you are taken to the fake website, which is designed to look like the real thing. Any details you enter are captured and stored for identity theft or to steal money from you.

The fake website is the main method used to acquire your details (bank account login and password, date of birth, address and so on). Other methods range from simply asking you to reply to the email with the requested information, to installing programs that fake what you see in your browser's location window so that you believe you are at the correct website.

How can you protect yourself?

Never reply to an email that claims to be from your bank or financial service with any personal or account information, and never click on a link in such an email. Email is not a secure method for sending this kind of information.

Learn the correct URL and type it into your browser's location window yourself rather than following a link in an email or on a web page. If you use a bookmark, make sure it is one you created yourself from the correct address.

Do not copy and paste the web address from the email into your browser either: a look-alike address that you paste is just as dangerous as one you click.

Confirm that your browser's location bar shows the correct address and that it starts with 'https://', not 'http://', before entering anything sensitive such as a login and password. The 's' means the connection is encrypted, which stops others reading what you send. It does not by itself prove who you are sending it to, so the domain name in the address must still be your bank's own.

Check that the padlock icon is shown (in the status bar at the bottom of the window or in the address bar, depending on your browser). Click on it to view the certificate and check that it is valid and was issued to your bank's domain, not to a look-alike name.

Do not fill out any forms in an email.

These emails are worded to make you respond as fast as possible. Instead, check with your bank directly to confirm whether the email is genuine. Do not supply anyone with your information via email or by clicking on the link in the email. If something genuinely needs your attention, log in as normal by typing the address in yourself, and check the spelling of the URL carefully: phishers register domain names that look almost like your bank's but contain a small typo or an extra word. Then take the needed action yourself.
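The following script is an added example, not code from the Detox-Comic article, and it is written from the security engineer's side rather than the reader's. It applies the checks described above (and the mechanism described under "How does it work?") to the links in a suspected phishing email: it extracts each link's real target and visible text, and flags targets that are not https, that hide the real host behind a user@host trick or a raw IP address, that are a near-miss spelling of the bank's domain, or that bury the bank's name inside a different domain. The trusted domain (examplebank.com), the sample email body and the URLs in it are all constructed for the demonstration.

```python
"""Triage links in a suspected phishing email (added example, not from the article)."""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the reader actually banks with (assumption for the example).
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed sample phishing email body, as an HTML mail client would render it.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended. Please confirm your details:</p>
<a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a>
<a href="https://examplebank.com.account-verify.example/secure">Secure login</a>
<a href="https://www.examplebank.com@198.51.100.7/login">www.examplebank.com</a>
<a href="https://www.examplebank.com/">Our real site</a>
"""

# Visible link text that itself looks like a web address.
ADDRESS_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host name; enough for the plain .com domains used here."""
    return ".".join(host.lower().split(".")[-2:])


def analyse_link(href, text):
    """Return the reasons a link looks like phishing (an empty list means it looks fine)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # Everything before '@' is ignored by the browser; the real host comes after it.
        reasons.append("user@host trick: real host is %s" % host)
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        reasons.append("raw IP address instead of a domain name")
    elif domain not in TRUSTED_DOMAINS:
        close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.8)
        if close:
            reasons.append("look-alike of %s: %s" % (close[0], domain))
        elif any(t in host for t in TRUSTED_DOMAINS):
            reasons.append("trusted name buried in another domain: %s" % host)
        else:
            reasons.append("unknown domain: %s" % host)
    # Visible text shows one address while the link really goes somewhere else.
    m = ADDRESS_TEXT.fullmatch(text)
    if m and registrable_domain(m.group(1)) != domain:
        reasons.append("link text shows %s but target is %s" % (m.group(1), host))
    return reasons


def triage(html_body):
    """Map every href in the email body to its list of warning reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_EMAIL).items():
        print("SUSPICIOUS" if reasons else "ok        ", href, "; ".join(reasons))
```

Only the last link, whose target really is the bank's own domain over https, comes back clean. The two-label domain check is a simplification: for country-code domains such as .co.uk a real tool would use the public suffix list rather than the last two labels.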

Log into your online accounts weekly rather than monthly to check that no unusual transactions have been taking place. Do not leave it too long between checks.

Keep your browser up to date and install the latest security updates for it.

Install a spam filter or anti-phishing software.

Keep your anti-virus software up to date and use one that also detects malicious web content.

Keep your firewall up to date.

Summary

Phishers count on people clicking the link in their spoofed emails rather than typing the real address into the browser themselves or calling their bank directly to check whether there is a problem. Never follow a link in an email that supposedly takes you to your bank's website. Type the address in yourself!

Further Reading: Anti-Phishing Working Group

If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at dave@detoxcomic.com.

Article date: 18-Dec-2004