What is Phishing?
Phishing is the act of masquerading as an online entity (a business, bank, or other legitimate institution) in order to obtain credit card numbers, usernames, passwords, and other sensitive data. This is usually done through email.
To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Web site, but it actually takes you to a phony scam site or possibly a pop-up window that looks exactly like the official site. These copycat sites are also called "spoofed" Web sites. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists.
Often these phishing attacks prey on the idea that there is a problem with the user's account and that an immediate login is required to fix it. This rushes the user into acting without thinking and without spotting the problems with the email; the user rushes headfirst at the bait the phisher has cast.
The term phishing is a variant on the word fishing; identity thieves dangle something like a fraudulent email and wait for the gullible to take the "bait" and provide things like credit card numbers and important passwords. The ph beginning was picked up from a telephone systems hacking practice referred to as phreaking.
Concerns for Parents
- Most phishing attempts are not directed at children. Most youngsters don't have credit cards, don't have large bank accounts, and don't even know what a Social Security number is. Since phishers are out to make money, they are going to go for adults and older teens.
- If you fall for a phishing email and give a fraudulent source sensitive information, your identity will be stolen and could be used to make large purchases, open false bank accounts, launder money or commit other crimes. Credit scores and financial reputation can be seriously scarred by identity theft. In addition to costing you hundreds or thousands of dollars, identity theft issues may take weeks or months to sort out.
How Can I Stay Safe?
- Be sure your email account has a good spam filter. The easiest way to avoid phishing emails is to never even see them. Set email preferences to filter out unwanted email so that you don't have to determine which emails are legitimate and which are not on a case-by-case basis.
- Don't give any personal information out in response to an email. Businesses should never ask you to send Social Security numbers, passwords, usernames, or other private information through e-mail.
- Read emails and websites slowly. Phishers count on their targets being either too panicked or too relaxed to notice the warning signs listed below.
- Don't click on links in suspected emails; these are usually fraudulent. Instead, go to the company's home page yourself by typing the true address into the address bar.
- Don't click on images in suspected emails. They could have hidden scripts which try to access your bank account.
- Carefully check emails that come during odd hours such as one o'clock in the morning.
- Be able to recognize phony emails.
- Look for your name. Odds are, you are addressed as "Dear Valued Customer," or something similar. Phishing emails are sent to thousands of recipients at a time, so a generic greeting is a clue that an email is bogus.
- Look at the sender's email address. Is your email from "Wells Fargo" sent from an address at a domain that has nothing to do with Wells Fargo? A fake-sounding email address is a red flag that your email is from a fraudulent source.
- Look at the spelling and grammar in the email's text. Many phishers are from countries outside of the U.S., and their English may be broken, awkwardly worded, or riddled with misspellings.
- Look for phony links. These are usually "masked," meaning the text in the link doesn't match the actual link. The actual link is displayed in the bottom-left of the browser when you hover over the link.
- Watch out for suspicious links on Web pages, too—not just on emails. These are not as common as the email variety but they are out there. Pay attention to the URL in your address bar before you type in your log-in password or other important information. If the address isn't the usual one, you may be looking at a fake Web page designed to collect everything you type for criminal purposes. For example, if the Facebook log-in page doesn't have the plain old "https://www.facebook.com/" in the address bar, you're probably on a fake site. Most legitimate sites have slightly crazy-looking addresses at some point, but keep an eye out for obvious differences.
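The indicators in the list above can be turned into a small automated check. The script below is an added example written for this page, not code from the original article or from any product. It parses a constructed sample message (the ExampleBank brand and its domains are fictional; `.example` is a reserved name) and reports a sender domain that does not match the claimed brand, a generic greeting, "masked" links whose visible text points at a different domain than the href, and links that leave the brand's domain. `on_brand_site` applies the same domain comparison to the URL in the address bar, as the last tip describes. The function and variable names are the example's own, and `registrable_domain` is a deliberate simplification (the last two labels, with no public-suffix list).

```python
"""Heuristic phishing-indicator checker (added example, not from the original article)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Greetings that address nobody in particular ("Look for your name").
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear member")
# Anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkAndTextCollector(HTMLParser):
    """Collects (href, anchor text) pairs and all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; a bare domain such as 'examplebank.example' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Simplification: the last two labels (no public-suffix list, so 'co.uk'-style names are wrong)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def is_masked_link(href, anchor_text):
    """A 'masked' link: the visible text looks like a URL, but the href goes to another domain."""
    if not URL_LIKE.match(anchor_text):
        return False
    return registrable_domain(host_of(anchor_text)) != registrable_domain(host_of(href))


def on_brand_site(address_bar_url, brand_domain):
    """Address-bar check: is this page really served from the brand's own domain?"""
    return registrable_domain(host_of(address_bar_url)) == registrable_domain(brand_domain)


def phishing_indicators(raw_message, brand_domain):
    """Return (code, detail) findings for a raw RFC 5322 message claiming to be from brand_domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Sender address: does the part after '@' belong to the claimed brand?
    addresses = msg["from"].addresses if msg["from"] else ()
    sender_domain = addresses[0].addr_spec.rsplit("@", 1)[-1] if addresses else ""
    if registrable_domain(sender_domain) != registrable_domain(brand_domain):
        findings.append(("sender-domain-mismatch", sender_domain))
    # 2. Opening of the body: a generic greeting instead of the recipient's name.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = LinkAndTextCollector()
    if body is not None and body.get_content_subtype() == "html":
        collector.feed(content)
        content = " ".join(collector.text)
    opening = " ".join(content.split()).lower()[:200]
    if any(greeting in opening for greeting in GENERIC_GREETINGS):
        findings.append(("generic-greeting", opening[:40]))
    # 3. Each link: masked anchor text, and an href that leaves the brand's domain.
    for href, anchor in collector.links:
        href_host = host_of(href)
        if not href_host:  # mailto:, javascript:, '#fragment'
            continue
        if is_masked_link(href, anchor):
            findings.append(("masked-link", f"{anchor} -> {href}"))
        if registrable_domain(href_host) != registrable_domain(brand_domain):
            findings.append(("link-domain-mismatch", href_host))
    return findings


# Constructed sample message; the brand and its domains are fictional (.example is reserved).
PHISH = """\
From: ExampleBank Security <alerts@examplebank-verify.example>
Subject: Urgent: your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>We detected a problem with your account. Log in immediately to restore access:</p>
<p><a href="http://login.examplebank-verify.example/">https://www.examplebank.example/</a></p>
</body></html>
"""
```

Calling `phishing_indicators(PHISH, "examplebank.example")` returns all four findings for the sample, and `on_brand_site("https://www.facebook.com.evil.example/login", "facebook.com")` is false because the registrable domain is the last two labels, not the familiar name that happens to appear at the start of the hostname. Heuristics like these support a spam filter; they do not replace reading the message slowly.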
Spear phishing denotes the idea that the scam artist has a specific target in mind when attacking people. This is usually done after the scam artist has successfully phished someone's bank, Twitter, Facebook, or email account. The scam artist searches the newly accessed account for friends and acquaintances to use as victims of the next phishing attack.
For a successful spear phishing attack, the scam artist needs three things to hold:
- The email or request appears to come from a known and trusted source.
- Inside the email or request there is personal information about the individual receiving the message, strengthening the impression that it came from a trusted source.
- The request seems to have a logical reason for being sent.
These attacks are harder to spot because many of the tells of a phishing attempt no longer appear. The sender is someone you know, the email address is correct and therefore won't go into the spam box, and they don't have to type a lot to send a link ("Hey check this out" is all they need). According to the FBI, one thing that keeps people safe in these situations is to manually type any URL directly into the address bar instead of clicking the link. Another way to prevent this is to remember that most companies will not request personal information through an email.
Whaling is spear phishing where the targets are CEOs and other important individuals of companies. Their email and contact information is easily found online, so attacks are common. The real danger comes when a company head falls for the scam and therefore gives the scam artist many important documents about the company and its many employees. A successful whaling attack can expose hundreds of employees' bank account information, Social Security numbers, and much more.
Where Can I Learn More?
- Video on how Phishing works and how to prevent it!
- HowStuffWorks.com tells you how the whole racket operates.
- This site gives an example of a widely-distributed phishing email that claimed to be from eBay. It highlights all the indicators that it is a bogus message and gives additional tips for recognizing phishing.
- Read Microsoft's guidelines for recognizing phishing emails.
- Watch this YouTube video to see how phishing works
- Report all suspected phishing attacks to your email provider. This makes their filter stronger.
- Report any suspicious-looking website URLs to PhishTank - a community-driven site which will verify whether a URL is a phishing scam or a real website.
- If you have fallen victim to phishing, here's what you can do.