Don't Be A Phish: Protect Yourself From Phishing Attacks
One of the main parts of an effective identity theft protection system is to simply be aware of what information you are giving out and to whom you are giving it. This may seem obvious, but today’s technology makes it a little more difficult, especially as more and more consumers move to the internet to pay bills, apply for loans, manage accounts, etc.

Identity thieves have taken the internet by storm. One of their favorite identity theft tactics is phishing. Phishers lurk in the dark hallways of the internet trying to acquire your most sensitive information – usernames, passwords, credit card numbers – by sending you emails posing as your friendly neighborhood financial institution.

A Very Brief History of Phishing

It has been said that phishing got its start on – shocking! – AOL. A phisher would compose an elaborate email appearing to come from AOL itself and request that the recipient verify their password and/or billing information because something was supposedly wrong with their account. Once the phisher had the information, they would access the account and use it for nefarious purposes, typically to spam even more people with additional phishing emails.

AOL went on the attack in 1997 to shut down phishing activity. The company was fairly successful, but to no avail. Phishers just moved on to bigger phish, so to speak. They began using the credit card information they received from phished AOL accounts to attack payment systems of large financial institutions.

How Phishing Works – A Brief Primer

There are two basic steps to a phishing scam:

• A manipulated link
• A phony (or “spoofed”) website

Link Manipulation

The victim receives an email from a financial institution claiming there’s a problem with their account and they need to log in to fix it. This email is sent out to thousands of email addresses at the same time. Only a few will actually have accounts with the financial institution being spoofed and only a few of those will act on the request.
However, all it takes is one…

The victim clicks on a link that leads them to a spoofed website. The link might be buried in an anchor link, such as:

HTML Code:
<a href="http://www.fakebank.com">Link to Real Bank</a>

How it would appear:
Link to Real Bank

(Of course, the above would be clickable in your email browser.)

The above, based on the link text, appears to be going to the real bank, but the actual link goes to the spoofed website.

Another way to manipulate the link is to register a domain that visually appears similar to the domain of the real company:

Real Company website: www.financialinstitution.com
Spoofed website: www.financia1institution.com

Did you catch it? The L in “financial” has been replaced with a 1. The casual observer, already concerned about their account, may not notice the difference. They click on the link and now they’re in a world of hurt because they just went to a…

Spoofed Website

The website they end up at has been developed to look exactly like the real one. The identity theft victim logs in with their username and password and simply gets some kind of error message, something like, “The Site is Down for Maintenance” or “Cannot Connect to Server. Please Try Again Later.” The website logs the account information, forwards it to the identity thief and he or she is off to Bermuda on your dime.

Obviously, this scam can be much more elaborate than what is detailed above, but that’s phishing in a nutshell.

How to Protect Your Identity from Phishers

Tip #1: The easiest way to protect yourself from this scam is to ignore these emails. Trust me, if there’s something wrong with your account, your bank or credit card company will contact you by phone. If you think that the email you received could be valid, do not use the links in the email to follow up. Open a new browser window and manually type in the website address. Better yet – CALL them from the phone number on your statement or the back of your credit card. Never use the phone number in the email.

Tip #2: Be on the lookout for identifiers in the email. Do they refer to you by name? Did they include a partial account number? Such information might indicate that the email is real. However, always err on the side of caution. Identity thieves may have found out your name or partial account number by some other means and are trying to catch you off guard. Don’t let it happen.

Tip #3: Use your spam filter. A good spam filter should catch most phishing attempts. Should.

Awareness = Protection

As with all identity theft topics, keeping your eyes wide and your brain active is your best defense against phishing scams. Pay attention to what you’re reading and what links you’re clicking.
Quickly scan your email before clicking on anything. If something catches your eye, give it a second glance. If it seems out of place, hit delete. It’s as simple as that.
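
The two link tricks described under Link Manipulation can also be checked for mechanically. The following is an added example, not part of the original article: it flags links whose visible text shows one domain while the href leads to another, and links to a look-alike of a known domain. The KNOWN_GOOD list, the digit-for-letter table and the name www.realbank.com are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumption: the domains the recipient really does business with.
KNOWN_GOOD = {"financialinstitution.com"}
# Digits commonly swapped in for look-alike letters (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Constructed sample email body using the article's two example domains.
SAMPLE = ('<a href="http://www.fakebank.com">www.realbank.com</a>'
          '<a href="http://www.financia1institution.com/login">Log in</a>')

def base_domain(host):
    """Lower-case a host name and drop a leading 'www.'."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every closed <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return a list of (href, reason) findings for suspicious links."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        target = base_domain(urlparse(href).hostname)
        shown = DOMAIN_RE.search(text)  # a domain displayed in the link text
        if shown and base_domain(shown.group()) != target:
            findings.append((href, "text shows a different domain"))
        if target not in KNOWN_GOOD and target.translate(CONFUSABLES) in KNOWN_GOOD:
            findings.append((href, "look-alike of a known domain"))
    return findings
```

A link whose text merely names the bank without showing a domain, like the article's "Link to Real Bank", passes the first check, so a clean result is not proof that a message is genuine.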