What is ‘Phishing’ and How Can You Prevent it?
Consumers and businesses in the UK lost an estimated £27bn in 2012 through cybercrime. More than £600m of this was through phishing attacks, making it the most ‘phished’ country in the world.
The Guardian, Feb 2013
The spread of identity theft through ‘phishing’ has been alarming in recent years, though the term has been around since the mid-1990s.
It’s important to understand what phishing is, the various guises that scammers use to try to get your details and how you can best protect yourself against it.
What is ‘Phishing’?
‘Phishing’ is the term used to describe the various methods by which online (or, in some cases, on-the-phone) fraudsters obtain your personal details and steal your usernames and passwords.
This is often done by masquerading as a legitimate authority, fooling people into offering their personal information, which is usually then used to gain access to a bank account, credit card etc.
Different Types of ‘Phishing’
The most common form of phishing is an email pretending to be from a legitimate retailer, bank or government agency.
The sender asks you to “confirm” your personal information for some invented reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Often they request urgent action.
You may be asked to click a link which looks like a trusted website, but will in fact be a variation of the organisation’s real URL. Misspelled URLs and the use of subdomains are common tricks.
For example, to the unsuspecting eye, a link such as http://www.mybank.real.com would appear to take you to the real section of the mybank website; it would actually take you to the “mybank” section of the real website, where information could be gathered from you.
The fraudsters use this strategy to lure people to phony websites that look just like the real sites of the company, organisation or agency they’re impersonating. If you follow the instructions and enter your personal information on the site, it will be delivered directly into the hands of identity thieves.
Sometimes phishers direct you to a real organisation’s website, but then use an unauthorised pop-up screen created by the scammer to request your information. If you fill it in, your information will go to the phisher.
So that you understand just how many ways the fraudsters use, here’s a summary of the various types of phishing:
- Link Manipulation and Deception – the most common type, as described above
- Pop Up Phishing – as described above
- Website Forgery – universally available phishing kits allow fraudsters to create very convincing copies of sites by clever use of scripting
- “Tabnabbing” – this takes advantage of the multiple tabs that people use when browsing, silently setting up a tab that redirects you to a malicious site
- “Evil Twins” – the scammer creates a fake wireless network to emulate other public networks that may be found in airports, hotels etc. All information entered on this type of network can fall into the wrong hands
- Clone Phishing – where a previous, legitimate email containing a link or attachment is copied; the link or attachment is replaced with a malicious version and a new email sent from a spoof address by the fraudsters
- Spear Phishing – this targets specific individuals and organisations
- Whaling – this targets high-profile business targets
- Phone Phishing – professional fraudsters posing as telesales people, government fraud agents or bank representatives can trick the unsuspecting into revealing their card and PIN details. They may even say they suspect you are a victim of identity theft and they want to verify your information! Alternatively an email may be sent saying you have a problem with your account and requesting you dial a number and enter your account numbers and PIN.
- ‘Pharming’ – this is an “invasive” form of identity theft. A malicious program is secretly planted in your computer to hijack your web browser. When you type in the address of a legitimate website, you’re taken to a fake version of the site without realising it, and any personal information you provide can be stolen and used fraudulently.
Examples of Phishing Emails
No tactic is off-limits to the professional phisher and their emails come in many guises and look ever-more genuine.
Below are a few common examples.
- The phisher claims to be from the National Lottery and provides contact information for claims – with the end goal of obtaining people’s banking information. The email address is the big giveaway below – would a National Lottery agent be using a Yahoo address?
- The phisher presents a link that looks like a real link – for example Google Adwords or PayPal, where people enter bank account or credit card information. On closer inspection it’s clear that it’s a manipulated URL.
- You click on a link that takes you to a page that looks identical to your bank’s log in page. However, look at the URL in the address bar. It is a sub-domain of the main bank domain.
- The main URL is legitimate, but once you get there a pop-up screen from a spoof URL is displayed and you are asked to enter your personal information
How to Protect Yourself Against Phishing
Online fraud often preys upon lack of user knowledge. Learning about the dangers and types of phishing will help you to protect yourself against becoming a victim of it.
Here are some basic starting points:
- Never click on links within emails that ask for your personal information.
- Never trust emails with spelling mistakes and generally bad grammar. Legitimate, professional organisations don’t make those types of mistakes in their correspondence.
- Never enter your personal information in a pop-up screen. Legitimate organisations don’t ask for personal information via pop-up screens. Install pop-up blocking software.
- Only open email attachments if you’re expecting them and know what they contain. Even if the messages look like they come from people you know, they could be from scammers and contain programs that will steal your personal information.
- If you’re unsure about some anchor text or a particular link, try hovering your mouse over it. This normally reveals the actual URL you will be taken to – and it can reveal a phishing site. However, this is not foolproof, as even this can be manipulated by an advanced scammer.
- Just because you see a site has a secure certificate does not necessarily make it phisher-free. A scammer can purchase a valid certificate and then change content to spoof a genuine website.
- If someone contacts you and says you’ve been a victim of fraud (which is, of course, possible) make sure that you verify the person’s identity before providing any personal information. Ask for their name, their agency or company, their telephone number, and their address. Then call the agency number from the phonebook and verify that the person works there.
- Remember that no bank representative will ever ask for your PIN, whatever the circumstances. They have other methods of verifying your identity, such as secret questions and the last several digits of your account number.
In addition to these specific measures against phishing there are some general internet security steps you should take:
- Ensure your computer is protected with the latest spam filters, anti-virus and anti-spyware software, and a firewall. This will reduce the number of phishing emails you get, scan incoming messages for troublesome files and help to flag any programs that track your online activities without your knowledge.
- Keep your software updated. Look for programs that offer automatic updates and take advantage of free patches that manufacturers offer to fix newly discovered problems. Go to www.onguardonline.gov and www.staysafeonline.org to learn more about how to keep your computer secure.
We can certainly protect ourselves against phishing with extra awareness, knowledge and vigilance, though the scammers are often a step ahead. For example, they have started to use more Flash-based websites, which look like the legitimate site and hide the text in a multimedia format that avoids text-reading phishing detectors.
The UK statistics shown at the top of this article are especially concerning, given the introduction of two- or multi-factor authentication, whereby account holders have to provide a PIN, a card and often other information like a fingerprint to complete a transaction.
It seems as soon as the financial system steps up its game, the smarter the fraudsters become to stay a step ahead.
At the same time there are more tools arriving on the scene to help detect scammers and to lower the risk of fraud. Firepass is one of those tools.
What to Do if you are a Victim of Phishing
If you think you’ve fallen for a phishing scam, and you provided account numbers, PINs or passwords to a third party you now suspect of scamming, you need to immediately notify the organisation with which you hold the account in question.
They will advise you what you need to do from there and may report your case to the National Fraud Intelligence Bureau (NFIB).