"Phishing" or "Web spoofing" attacks use fraudulent Web sites to trick you into giving away confidential personal information such as credit card numbers, account usernames and passwords, and social security numbers. This is called "phishing" because attackers are "fishing" for your personal information and trying to lure you into providing it.
A phishing attempt usually starts with an email urging you to click on a Web link in order to check something about your bank account or another online account. These emails often appear to be from popular online institutions such as eBay, AOL, PayPal, or MSN. When you click on the link you go to a page where you are asked for information. The page appears genuine, but is in fact counterfeit. Phishers may then use the personal information you enter on the page to steal your identity or your money.
Protective Measures
Practices
- Pay attention to where you are navigating: One of the most effective ways to protect yourself against phishing is to look at the URL in your browser's address bar. Attackers register addresses that look similar to a real online store's, but there will be a difference. For example, instead of "http://www.amazon.com," you might be directed to "http://www.amason.com." The part that matters is the host name, the text between "://" and the next "/": everything after that slash is chosen by whoever controls the host, so a familiar name appearing later in the address proves nothing.
Another way web spoofing is done is by routing all of your browsing through the attacker's server and prefixing every regular address with the address of that server. For example, if the attacker's server is "http://www.my_web_spoofing.com" and you want to go to the Yahoo web site (http://www.yahoo.com), you will see the following address in your browser: "http://www.my_web_spoofing.com/http://www.yahoo.com." The attacker's server fetches the real page, passes it on to you, and records anything you type into it. Therefore, it is a good idea to always check the address of the page you are on when you are purchasing something online.
One important thing to note is that secure communication does not protect you against Web spoofing. The "https" prefix only means that the connection to the site you are actually talking to is encrypted; an attacker can obtain a certificate for a look-alike domain just as easily as for any other. You have to look at the complete address, and above all at the host name, to be able to identify the pattern. Seeing a second "http://" or "https://" inside an address is a strong warning sign: some legitimate sites carry a return address in the query string after "?", but a full URL sitting directly after the host name, as in the example above, means you are browsing through someone else's server.
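The checks described above (look-alike host names, a second URL embedded after the host, and a trusted name used as a prefix or user name) can be automated. The following is an added example written for this page, not software from the original article or from any of the tools it mentions. The list of trusted domains is a constructed assumption standing in for a user's bookmarks, and the two-label rule for the registered domain is a deliberate simplification that does not handle suffixes such as "co.uk".

```python
from urllib.parse import urlsplit

# Constructed list of the sites the user actually intends to visit (assumption:
# a real tool would use the user's bookmarks or a maintained allow-list).
TRUSTED_DOMAINS = ("amazon.com", "yahoo.com", "paypal.com")


def registered_domain(hostname):
    """Reduce a host name to its last two labels, e.g. 'www.amazon.com' -> 'amazon.com'.

    Simplification: multi-label public suffixes such as 'co.uk' are not handled.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def within_one_edit(a, b):
    """True if a can be turned into b by one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is shorter by one: skip the first mismatch in b and compare the rest
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def classify_url(url):
    """Return (verdict, reason) for the address shown in the browser's address bar.

    Only the host name decides which server receives what you type; the path and
    query are chosen by whoever controls that host.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    after_host = parts.path + ("?" + parts.query if parts.query else "")

    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    # http://www.paypal.com@198.51.100.7/ : the text before '@' is a user name,
    # not the host; the browser actually connects to 198.51.100.7
    if "@" in parts.netloc:
        return "suspicious", f"user name before host; real host is {host!r}"
    # the proxy pattern from the text: http://attacker/http://www.yahoo.com
    if "http://" in after_host or "https://" in after_host:
        return "suspicious", f"second URL embedded after host {host!r}"

    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"host {host!r} belongs to {domain!r}"
    for trusted in TRUSTED_DOMAINS:
        # www.amazon.com.evil-example.net: the trusted name is only a prefix
        if trusted in host:
            return "suspicious", f"host {host!r} contains {trusted!r} but its domain is {domain!r}"
        # www.amason.com: one character away from a trusted name
        if within_one_edit(domain, trusted):
            return "suspicious", f"domain {domain!r} is a look-alike of {trusted!r}"
    return "unknown", f"domain {domain!r} is not on the trusted list"


if __name__ == "__main__":
    # constructed sample addresses, including the two from the text above
    for sample in (
        "http://www.amazon.com/dp/B000000000",
        "http://www.amason.com/",
        "http://www.my_web_spoofing.com/http://www.yahoo.com",
        "https://www.amazon.com.evil-example.net/signin",
        "https://www.paypal.com@198.51.100.7/",
    ):
        print(sample, "->", *classify_url(sample))
```

The embedded-URL check deliberately reports a legitimate "?next=https://..." return address as suspicious too; that is why the result is a warning to look more closely rather than a verdict, and why the host name check comes first.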
- Change your passwords frequently: It is a good idea to change the passwords for online stores and other services you use regularly. Try to change each password at least once every two months, and change it immediately if you suspect you typed it into a fraudulent site. Make sure the new password is not similar to the previous one. A strong password is at least eight characters long and contains a combination of upper/lower case letters, numbers, and special characters. Do not use the same password on several Web sites: a password captured by one phishing site is likely to be tried against your other accounts.
- Use common sense when giving out personal information: Be careful when filling in personal information in Web forms, and be especially wary of requests to re-enter credit card details. It is very rare for online stores to lose payments; almost all serious Web sites process payments in real time, completing the payment immediately. Don't respond to emailed requests to re-enter your payment information. If you want to make sure, call the store using a phone number you already know, not one given in the email.
- For sites requiring personal information, type in the Web address yourself: Instead of clicking on a Web link in an email, type the known address of the Web site into the browser's address bar yourself, or use a bookmark you saved earlier. The visible text of a link in an email need not match where the link actually goes, so typing the address yourself avoids being sent to a fraudulent Web site.
- Check your bank and credit card statements for purchases that you did not make: Regularly check your bank, credit and debit card statements to make sure that all transactions are legitimate. It is important to know what you did and did not buy so that you are better prepared to answer questions if somebody steals and uses your financial information.
- Report fraudulent Web sites to the Federal Trade Commission: If you determine or suspect that you were directed to a fraudulent Web site, forward the email that directed you there to uce@ftc.gov. If you believe you've been scammed, file a complaint with the Federal Trade Commission.
Settings
- Browser settings: Most browsers come with default settings which may or may not be enough for complete security. You can change these settings to make your browser more secure. The picture below displays the security settings of the Internet Explorer browser. You can reach these settings in Internet Explorer by choosing Tools > Internet Options > Advanced.
If you decide to modify the default settings, make sure you check the following:
- The “Check for server certificate revocation” option makes the browser confirm that a site’s security certificate has not been revoked by its issuer. The neighbouring “Check for publisher’s certificate revocation” option does the same for the certificates on downloaded software, not for Web sites.
- The “Warn about invalid site certificates” option gives you a warning message when a site presents a certificate that is expired, was issued for a different name, or was not issued by a trusted authority.
- The “Warn if forms submittal is being redirected” option warns you when the information you enter into a form is about to be sent to a different site than the one that displayed the form, so that you can confirm the recipient is the one you intend.
Tools
- Anti-phishing: None of these tools is a foolproof way to avoid phishing, but they can help. If you decide to use them, don't be lulled into a false sense of security. Continue to use common sense and caution in giving out personal information online.
- Automatic notification of known spoofed Web sites: There is software available that can notify you when you are being directed to a Web site known to be fraudulent. These products continually update a list of known fraudulent Web sites and allow your browser to check addresses against it. Of course, many phishers constantly move to new sites to get around such lists and to escape detection, so a site that is not on the list is not necessarily safe. One product of this kind is Microsoft's Phishing Filter.
- Automatic notification of possible spoofed Web sites: Some software tries to detect phishing by looking for characteristics of previously detected attacks and estimating whether a given site is likely to be fraudulent. One free product that does this is Spoofguard.
- Automatic display of domain name: Other software fights phishing by displaying information such as the real (as opposed to the spoofed) domain name of any Web site you visit. One free product of this kind is SpoofStick.
Connect Safely from Different Places
Office
Check with your company’s system administrator to see if your company has mechanisms in place to protect against popular phishing scams. Notify your system administrator of any suspicious Web sites and emails. Your company’s system administrator is always looking for ways to protect your organization. He or she will report illegal Web sites and take measures to protect you and your coworkers.
Mobile
Historically, phishing attacks occurred on cell phones in the form of calls asking you for your social security number or credit card number. Although phishing attacks against cell phones are still extremely rare, you could receive a phishing email on your PDA. These emails are the same ones you might get at home or at work.
Legal Issues
Operating a fake Web site for phishing is illegal in the US. In response to the growing threat, the Federal Bureau of Investigation has partnered with the National White Collar Crime Center to create the Internet Crime Complaint Center. If you have been a victim of a phishing scam, save anything related to your complaint (emails, credit card bills, bank statements, etc.), and report the incident on their Web site. They refer all complaints to the proper law enforcement agencies, who may then choose to investigate the case.
The FBI does not guarantee that all complaints will be investigated, so also file a police report, and report the incident to the Federal Trade Commission and the Anti-Phishing Working Group.
Privacy Issues
Phishing Web sites may include fake privacy policies, or they may fake the icons of seal programs such as TRUSTe. If you are unsure if you are at a real or a fake site, you may want to call the organization for help or more information. If no contact information is available in any format (Web form, email address, phone number) you may not want to use that Web site.
If you have provided personal information, such as a username or password, to a fraudulent Web site, contact the organization and change your password immediately so that others cannot use it, and change it on any other site where you used the same password. Check your credit report, credit card and bank statements, and report any unusual activity.