A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Phishing

Phishing attacks trick you into giving away confidential personal information.

"Phishing" or "Web spoofing" attacks use fraudulent Web sites to trick you into giving away confidential personal information such as credit card numbers, account usernames and passwords, and social security numbers. This is called "phishing" because attackers are "fishing" for your personal information and trying to lure you into providing it.

A phishing attempt usually starts with an email urging you to click on a Web link in order to check something about your bank account or another online account. These emails often appear to be from popular online institutions such as eBay, AOL, PayPal, or MSN. When you click on the link you go to a page where you are asked for information. The page appears genuine, but is in fact counterfeit. Phishers may then use the personal information you give on the page to steal your identity or your money.

Protective Measures

Practices

  • Use common sense when giving out personal information: Be careful when giving out personal information in Web forms. Your bank is not going to lose your credit card or account information and ask you by email to enter it online. Don't respond to such requests. Follow them up with a phone call to the institution if you want to make sure.

  • For sites requiring personal information, type in the Web link yourself: Instead of clicking on a Web link in an email, type the known address of the Web site in the browser's Address line yourself, or use a bookmark you created earlier. That way the message cannot choose the destination for you, and you are far less likely to land on a fraudulent Web site.

  • Check your bank and credit card statements for purchases that you did not make: Regularly check your bank, credit and debit card statements to make sure that all transactions are legitimate. It is important to know what you did and did not buy so that you are better prepared to answer questions if somebody steals and uses your financial information.

  • Check emails for fake Web links: If you receive an email that asks for personal or financial information, check the source code for misleading links. The text you see in a message is not necessarily the address the link goes to.
    1. Each email client has a different method for checking the source of an email. See this page for instructions on viewing the source in Eudora, Mozilla, Outlook, Outlook Express, and Mail.app.
    2. Once you have viewed the source, scroll through the email until you find the link you want to check.
    3. If the link looks like "http://scgi.ebay.com@64.68.92.168:3879", where "scgi.ebay.com" is the name of the legitimate site, then the Web site is a fake. In a Web address of the form "http://user@host:port/", everything between "http://" and the "@" is a user name, which the destination server simply ignores; the real destination is the host after the "@". So this link takes you to the IP address "64.68.92.168" on port "3879", and "scgi.ebay.com" is only there to fool you. Be equally suspicious of links whose address is a bare IP address or an unusual port, whose visible text shows a different address than the one in the link, or that use a look-alike domain name.
  • Report fraudulent Web sites to the Federal Trade Commission: If you determine or suspect that you were directed to a fraudulent Web site, send the email that directed you there to uce@ftc.gov. If you believe you've been scammed, file a complaint with the Federal Trade Commission.
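The following script, added here as an illustration and not part of the original page, automates the "check emails for fake Web links" steps: it pulls every link out of an email's HTML source and reports the user-name trick, bare IP addresses, unusual ports, brand names that do not match the registered domain, and visible link text that differs from the real destination. The email snippet and the 192.0.2.10 address are constructed for the example; the eBay address is the page's own; the short list of brands is an assumption and would be replaced by the institutions you actually deal with.

```python
"""Flag misleading links in an email's HTML source.

Added example, not part of the original page. SAMPLE_EMAIL_HTML is
constructed; the eBay-style link is the page's own illustration and
192.0.2.10 is a documentation-only address."""
import ipaddress
import re
from urllib.parse import urlsplit

# Brands the message might impersonate (assumed list for the demo).
CLAIMED_BRANDS = {"ebay.com", "paypal.com"}

SAMPLE_EMAIL_HTML = """
<p>Dear eBay member, please <a href="http://scgi.ebay.com@64.68.92.168:3879/verify">
click here</a> to confirm your account.</p>
<p>Or visit <a href="http://192.0.2.10/login">https://www.paypal.com/</a></p>
<p>Help: <a href="https://www.ebay.com/help">https://www.ebay.com/help</a></p>
"""


def is_ip_literal(hostname):
    try:
        ipaddress.ip_address(hostname.strip("[]"))
        return True
    except ValueError:
        return False


def registered_domain(hostname):
    """Crude 'last two labels' rule; enough for the brands above (no ccTLD handling)."""
    hostname = hostname.lower().rstrip(".")
    if is_ip_literal(hostname):
        return hostname
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def analyze_link(href, link_text=None):
    """Return a list of reasons the link looks deceptive (empty list = nothing found)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""

    # 1. User-name trick: "http://scgi.ebay.com@64.68.92.168:3879" goes to the IP, not eBay.
    if parts.username is not None:
        reasons.append(f"text before '@' ({parts.username}) is a user name; real host is {host}")

    # 2. Destination is a raw IP address rather than a name.
    if is_ip_literal(host):
        reasons.append(f"host is a bare IP address ({host})")

    # 3. Non-standard port (a malformed port also counts as suspicious).
    try:
        port = parts.port
    except ValueError:
        port = -1
    if port is not None and port not in (80, 443):
        reasons.append(f"unusual port {port}")

    # 4. Brand name appears somewhere in the link but the registered domain is something else.
    for brand in sorted(CLAIMED_BRANDS):
        if brand.split(".")[0] in href.lower() and registered_domain(host) != brand:
            reasons.append(f"mentions {brand} but registered domain is {registered_domain(host)}")

    # 5. The visible text looks like an address but points somewhere else than the href.
    if link_text and re.fullmatch(r"(https?://)?[\w.-]+(/\S*)?", link_text.strip()):
        shown = link_text.strip()
        shown_host = urlsplit(shown if "://" in shown else "http://" + shown).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"text shows {shown_host} but link goes to {host}")
    return reasons


def scan_email_html(html):
    """Return [(href, link_text, reasons)] for every anchor with at least one reason."""
    findings = []
    pattern = r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>'
    for m in re.finditer(pattern, html, re.I | re.S):
        href = m.group(1)
        text = re.sub(r"<[^>]+>", "", m.group(2)).strip()
        reasons = analyze_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The registered-domain rule is deliberately simple; for real mail filtering you would use a public-suffix list, and you would still treat the result as a hint rather than a verdict, since a clean-looking link can lead to a look-alike domain the script has never seen.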

Settings

Because phishing attempts lead you to a Web site, Web browser settings that fight phishing can be helpful. See Web Browsing – Phishing for Web browser settings.

  • Protect your "hosts" file from being written to: Your computer consults a file called "hosts" before it asks the Internet which address a name such as www.ebay.com belongs to. If a phisher can write to that file, he can send you to a fraudulent Web site even when you type the correct address yourself. To protect your hosts file:

    1. Go to the "%SystemRoot%\System32\drivers\etc" directory (usually "windows\system32\drivers\etc"; "winnt\system32\drivers\etc" on older systems) to find the file.
    2. Right-click on the file, and choose Properties.
    3. Check the Read-only box at the bottom of the General tab window.

    The Read-only attribute is only a speed bump: any program running with the rights to edit the file can clear the attribute first. On current versions of Windows the file's permissions already restrict writes to administrators, so the more useful habit is to open the file occasionally and make sure it contains nothing but local entries (such as "127.0.0.1 localhost") that you recognize.
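As an added example (not part of the original page), the script below reads a hosts file and reports every name that is mapped to an address other than the machine itself, which is the kind of entry a phisher would add. The file content is constructed: the two eBay and PayPal lines reuse the page's own "64.68.92.168" address, and the intranet line shows a legitimate-looking private-network entry that deserves a look but is usually an administrator's doing.

```python
"""Report hosts-file entries that redirect names away from the local machine.

Added example, not part of the original page. SAMPLE_HOSTS is constructed;
on Windows the real file is %SystemRoot%\\System32\\drivers\\etc\\hosts."""
import ipaddress
import os

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example            # ad-blocking style entry, harmless
# the two lines below are the kind of thing a phisher adds
64.68.92.168    www.ebay.com scgi.ebay.com
64.68.92.168    www.paypal.com         # "maintenance"
10.0.0.5        intranet.example
"""

# Addresses that point back at this machine or nowhere; never a redirect.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # a stricter tool would report the malformed line
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (hostname, address, kind) for every name not mapped to the local machine.

    kind is "public" for Internet addresses (almost certainly a redirect) and
    "private" for addresses such as 10.x.x.x (check with your administrator)."""
    findings = []
    for ip, name in parse_hosts(text):
        if any(ip in net for net in LOCAL_NETS):
            continue
        kind = "private" if ip.is_private else "public"
        findings.append((name, str(ip), kind))
    return findings


def default_hosts_path():
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def scan_hosts_file(path=None):
    with open(path or default_hosts_path(), encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read())


if __name__ == "__main__":
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:8} {name:20} -> {ip}")
```

Run scan_hosts_file() to check the real file; anything reported as "public", or any brand-name domain at all, should not be in a home computer's hosts file.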

Tools

Anti-phishing: None of these tools is a foolproof way to avoid phishing, but they can help. If you decide to use them, don't be lulled into a false sense of security. Continue to use common sense and caution in giving out personal information online.

  • Automatic notification of known spoofed Web sites: There is software available that can notify you when you are being directed to a Web site known to be fraudulent. These products continually update a list of known fraudulent Web sites and allow your browser to access this list. Of course, many phishers constantly change the sites they use to get around this software and to escape detection, so a site that is not on the list may still be fraudulent. One product of this kind is Microsoft's Phishing Filter.

  • Automatic notification of possible spoofed Web sites: Some software tries to detect phishing by looking for characteristics of previously detected attacks and guessing whether a given site is likely to be fraudulent. One free product that does this is Spoofguard.

  • Automatic display of domain name: Other software fights phishing by displaying information such as the real (as opposed to the spoofed) domain name of any Web site you visit. One free product of this kind is SpoofStick.

Because phishing attempts lead you to a Web site, Web browser tools that fight phishing can be helpful. See Web Browsing – Phishing for Web browser tools.

Connect Safely from Different Places

Office

Contact your company's system administrator to get information on the most recent phishing attacks to be aware of.

Ethical Issues

Since the practice of phishing involves deception, fraud, and dishonesty, it is clearly unethical. If an email promises something that seems too good to be true, it is. Such email messages should be deleted at once, and you should inform your systems administrator that you have received a fraudulent email message.

Legal Issues

Fake Web sites, also known as phishing Web servers, are illegal in the US. In response to the growing threat, the Federal Bureau of Investigation has partnered with the National White Collar Crime Center to create the Internet Crime Complaint Center. If you have been a victim of a phishing scam, save anything related to your complaint (emails, credit card bills, bank statements, etc.), and report the incident on their Web site. They refer all complaints to the proper law enforcement agencies, who may then choose to investigate the case.

The FBI does not guarantee that all complaints will be investigated, so also file a police report, and report the incident to the Federal Trade Commission and the Anti-Phishing Working Group.

Privacy Issues

If you have provided personal information, such as a username or password, to a fraudulent Web site, change that password immediately, either by going to the organization's genuine Web site (typing the address yourself) or by calling the organization, so that others cannot use it. If you used the same password anywhere else, change it there too, since phishers try stolen passwords on other sites. Check your credit report, credit cards, and bank statements, and report any unusual activity.
