Ask The Pro: What is “phishing”?
Thursday, July 1st, 2004

This month’s pro discusses “phishing,” a common email scam. “Phishing,” pronounced “fishing,” is the newest buzzword being used to describe a scam that is nearly as old as email itself. The con is simple but insidious - claim to be a legitimate authority in order to get someone to divulge privileged information that can then be used for identity theft. The simplicity of this attack is what makes it so effective. Phishers take advantage of a number of simple tricks that allow them access to your most sensitive information.
One of the most common tricks that phishers use is to take advantage of HTML email to trick their targets into visiting a web page designed to install spyware (see the July 2003 PromoSupport for more information on spyware) onto their target’s system. The phisher carefully designs an image that looks like an official mailing from a business the target has a relationship with. This image is then embedded into an email and set up to be a link to the malicious website.
The user, not knowing that the whole email is an image link, clicks on it. The malicious website uses the resulting connection to install spyware on the target’s computer while the target, wondering why their web browser just opened to a blank page, probably irritably closes the browser window and continues with their business day. This trick was recently used by phishers seeking access to accounts on the popular payment service PayPal, making funds in PayPal accounts vulnerable to theft.
Another common trick is to send an official-looking email asking a target to visit a web page to update their “account information” or “contact information,” usually suggesting that there will be problems with their account if they do not do so. These messages are usually disguised as email from a bank or credit card company. The web page is set up to look like a legitimate business website, and the unsuspecting user will input their account information in order to avoid unwanted problems with their account. Even people without accounts with the imitated company can be vulnerable if they visit the site to figure out why they received the email.
With the prevalence of sophisticated tricks like this, how do you protect yourself? Here are some simple techniques that can help you reduce your vulnerability to these scams:
- Use an email filtering service like Postini. These services have their fingers on the pulse of the internet email world. They are often aware of these scams within moments of the first emails being sent out. This allows them to filter these messages and hold them in quarantine for you to review.
- If you receive an email from a company you do not do business with, do not follow any links within the email. If you are really concerned about the content of the email, consider calling the company or perhaps visiting their website directly instead of via the link in the email.
- Check the “From:” portion of the email carefully. Official company emails should be from the company domain name, not from a free email provider such as yahoo.com or hotmail.com.
- See if an option exists in your email client to disable loading of images in HTML mail. Many email clients have this option, and usually the important content of non-scam emails is in the text instead of the graphics.
- Watch out for web addresses whose host is a bare number (an IP address) or whose root domain belongs to someone else. Make sure you are visiting www.citibank.com to do business with Citibank, not an address on another server like http://128.101.101.101 or http://citibank.fakedomain.com.
- Most importantly, remember that most companies will not use email to request your account information. If you are concerned about an email you receive, try calling the company it claims to be from and asking about their policy regarding email and account information.
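As an added example (not code from the original column), here is a small Python check that applies the address test from the tips above: it flags links whose host is a bare IP address and links whose registered domain is not the company’s, even when the company name appears as a subdomain. It also flags a user-info part before the host, a related disguise the column does not mention. The `expected_domain` argument and the assumption of a single-label public suffix such as “.com” are mine.

```python
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'www.citibank.com' -> 'citibank.com'.
    Assumption: a single-label public suffix; suffixes like '.co.uk' would
    need a public-suffix list, which this example does not include."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(url, expected_domain):
    """Return (verdict, reason) for a link that claims to belong to expected_domain.
    Verdict is 'ok' or 'suspicious'."""
    # Bare addresses like 'www.citibank.com' have no scheme; add one so urlsplit
    # treats the text as a host rather than a path.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ("suspicious", "no host name in the address")
    if "@" in parts.netloc:
        # 'http://www.citibank.com@other.example/' really goes to other.example
        return ("suspicious", "text before '@' is a username, not the site; real host is " + host)
    if is_ip_literal(host):
        return ("suspicious", "host is a raw IP address: " + host)
    expected = registrable_domain(expected_domain)
    actual = registrable_domain(host)
    if actual != expected:
        if expected.split(".")[0] in host:
            return ("suspicious", "company name appears in the address, but the registered domain is " + actual)
        return ("suspicious", "registered domain is " + actual + ", not " + expected)
    return ("ok", "host " + host + " belongs to " + expected)


if __name__ == "__main__":
    # Constructed sample links, taken from the tip above plus one user-info case
    for link in ("www.citibank.com", "http://128.101.101.101",
                 "http://citibank.fakedomain.com", "http://www.citibank.com@203.0.113.9/"):
        print(link, "->", check_link(link, "citibank.com"))
```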
Keep these tips in mind and use caution with email. Remember that not everything in your Inbox is legitimate, even things that look legitimate!
For more information, check out the following resources:
- Federal Trade Commission Consumer Alert: “How Not to Get Hooked by a ‘Phishing’ Scam” - www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
- The Anti-Phishing Working Group - www.antiphishing.org
- SpamIsBad.Com - www.SpamIsBad.com