Something Phishy
By: Chad Barr, CISSP
Don’t Take the Bait From Internet E-Mail Scams
It is not uncommon to learn from TV news shows or your favorite news Web site about another Internet e-mail scam. These e-mails appear to come from someone you do business with, and they usually ask you to verify personal information or bank account details. The e-mails might even state that if you don’t click on a link, your accounts will be closed or suspended. This gets most people’s attention. If you receive an e-mail that requests verification of personal information or password changes by clicking on a link, don’t do it! Such requests are probably phishing scams.
The Origin of Phishing
Webopedia describes phishing (pronounced "fishing") as “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.”
Phishing is also referred to as “brand spoofing” or “carding.” The idea is that bait is thrown out in the hope that some will be tempted to “bite.” The term “phishing” was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting AOL users. Since hackers have a tendency to replace “f” with “ph,” the term phishing was born.
How to Spot a Phishing Scam
At first glance, the e-mail might seem to be legitimate correspondence from a company with which you do business. It might say it’s from the company’s Web site and show the correct Web address. The links might appear to take you to the company’s Web site, but in fact they take you to a “spoofed” site that looks like the company’s site. This is not hard to achieve even with limited knowledge of Web sites, because there are free programs on the Web that can copy a company’s site.
If you are worried that your account could be closed or that you need to change your personal information, type the Web address of the institution into the browser and log on to the Web site. This ensures that you are visiting the correct site.
Just remember: looks can be deceiving. With phishing scams, the e-mail never comes from the real company.
The e-mail will usually contain logos or images that have been taken from the Web site of the company in question.
The e-mail will always have a link, because the scammer doesn’t want you to type in the address yourself. It could say “Click here to update your account info” or “Log in,” or it can even look like the link to the real Web site, such as “www.cititbank.com/secure”. In reality, the phishers have changed the link so it takes you to a page where your personal information can be stolen. Most companies will never ask you to click on a link to update your information; they will ask you to visit the Web site and log in if you need to make changes.
Be aware that sometimes the phishing scam logo doesn’t exactly match the real company’s logo. Other signs of a phishing scam include spelling errors, percentage signs followed by numbers or “@” signs within the hyperlink, random names or e-mail addresses in the body of the text, or even e-mail headers that have nothing to do with the company.
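The link-level warning signs above (a link whose visible text shows one site while it actually points somewhere else, an “@” sign inside the hyperlink, and percent signs followed by numbers) can be checked mechanically. The following Python script is an added example, not code from the original article; it parses the anchors in an HTML e-mail body and reports those three indicators. The sample e-mail body, the host names (`www.bank.example`, `verify-login.example`) and the function names are constructed for illustration.

```python
"""Flag the link-level phishing indicators described above in an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # href of the <a> being read, or None outside one
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current, "".join(self._text).strip()))
            self._current = None


def _split(url):
    """urlsplit() with 'http://' assumed when the value carries no scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url)


def _host_of(value):
    """Lower-cased host of a URL or URL-looking text, or '' if there is none."""
    return (_split(value.strip()).hostname or "").lower()


def check_links(html_body):
    """Return a list of (href, reason) findings for the indicators in the text."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        raw_scheme = urlsplit(href).scheme.lower()
        if raw_scheme and raw_scheme not in ("http", "https"):
            continue  # mailto: and similar links are outside this check
        parts = _split(href)
        actual = (parts.hostname or "").lower()

        # "@" in the authority part: everything before it is user info that
        # browsers ignore, so the real destination is the host after the "@".
        if "@" in parts.netloc:
            findings.append((href, "'@' in hyperlink: real host is " + actual))

        # Percent signs followed by hex digits hide characters in the link.
        if re.search(r"%[0-9A-Fa-f]{2}", href):
            findings.append((href, "percent-encoded characters: " + unquote(href)))

        # Visible text that looks like a Web address but names a different host.
        shown = _host_of(text) if re.search(r"\w\.\w", text) else ""
        if shown and actual and shown != actual:
            findings.append((href, f"link text shows {shown} but target is {actual}"))
    return findings


# Constructed sample e-mail body (not a real message) showing all three signs.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you act now.</p>
<a href="http://www.bank.example@verify-login.example/login">Click here to update your account info</a>
<a href="http://verify-login.example/%73ecure">www.bank.example/secure</a>
<a href="https://www.bank.example/help">Help</a>
"""

if __name__ == "__main__":
    for link, reason in check_links(SAMPLE_EMAIL):
        print(f"{link}\n    -> {reason}")
```

The checks are only a screen: a link that shows none of these signs can still lead to a spoofed site, which is why the article’s advice to type the institution’s address yourself still applies.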
Who Is Behind This and Why
A new breed of scam artists has arrived. Phishing is a profitable business; you might have heard that even terrorists are getting into the act. Phishers send out millions of these scam e-mails in the hopes that even a few recipients will provide personal and financial information.
Who is at risk of this kind of attack? Anyone with an e-mail address. This is why you should be careful about using your e-mail address on public sites on the Internet (forums, newsgroups or your own Web site). Programs called “spiders” search the Internet, “grab” e-mail addresses and save them to a file for scammers to use.
If you must post to a public forum or newsgroup, create an e-mail address for that purpose. Do not give this address to friends, family or business associates. Consider all e-mail that is sent to this address as “high risk.”
‘Spear Phishing’
As more information becomes available about phishing, scam artists have to change their “net.” The newest type of phishing focuses on a single user or department within a company. This new scam is called “spear phishing.” This type of phishing might appear to be e-mail from someone within your company whom you trust, or from a department such as human resources or technical support. They usually ask for login IDs and passwords. There is no legitimate reason anyone would need your login ID and/or password.
What to Do Next
Now that you know how to spot a phishing scam, what can you do if you think you are a victim? First, notify the real company that appears in the e-mail. Many companies want to know that someone is using their image to try to scam information from other people. You can also report phishing to the Federal Trade Commission (FTC) and to the Anti-Phishing Working Group, which builds databases and trend reports of common scams to help inform people of the risk. They also send monthly newsletters to members with new information.