
Phishing...

...how to stay safe and not be a victim

Discussion  Led by

Fred Ofosu Asante - AR 85

Aka Nash Pino- CEO Dianalysis Ltd

Saturday 4th April 2015

 

Notes summarised by

Yours Truly -AR 115

1.   Hook, Line and Sinker

 

Phishing refers to illegal attempts to acquire information such as usernames, passwords and credit card numbers or gain access to protected systems by masquerading as trustworthy entities in electronic communications.

Phishing is a social engineering tactic used to manipulate people to perform actions or divulge confidential or non-public information and is often the first step in a larger effort. A phishing attempt may appear to come from a trustworthy source who may attempt to acquire information including, but not limited to, usernames, passwords and credit card numbers. Clicking on links or downloading files from unknown sources may also infect your computer with malware.

 

2.   What’s in a Name  - Techniques

 

  • Email / Spam

A phisher sends the same message to thousands of addresses in bulk; the message pressures recipients into clicking a link.
Typically the email claims there is a problem with the recipient's account at a bank or other financial institution and asks them to click a link to "update" their details, or warns that the account is at risk and offers to enrol them in an anti-fraud programme. In every variant the linked website exists only to collect the victim's credentials and card details. The phisher can then impersonate the victim to transfer funds, buy goods or take out credit (even a second mortgage) in the victim's name. In most cases, though, the phisher causes no direct loss personally and instead sells the stolen data on a secondary market.

 

  • Web Based Delivery

 

Web-based delivery is one of the more sophisticated phishing techniques and is often described as a "man-in-the-middle" attack: the phisher's system sits between the user and the legitimate website and relays traffic in both directions. The user sees what appears to be a normal session with the real site, while every detail submitted during the transaction passes through the phisher's relay and is recorded there without the user's knowledge.

 

  • Instant Messaging

In instant-messaging phishing the user receives a chat message with a link to a fake website that has the same look and feel as the legitimate one. Unless the user examines the Uniform Resource Locator (URL), it may be hard to tell the two apart, and the fake page then asks for personal information.

 

  • Link Manipulation

 

Link manipulation is the technique in which the phisher sends a link whose visible text names one website while its real destination is the phisher's own site. Resting the mouse pointer over a link (without clicking) shows the actual address in the status bar or a tooltip and exposes the simplest cases; it does not help with shortened URLs, and script on an HTML page can change the destination at the moment of the click, so the safest habit remains typing known addresses yourself.

 

  • Malware-based Phishing

 

Malware-based phishing involves running malicious software on the user's machine. The malware arrives as an email attachment or as a download that exploits a vulnerability in an unpatched application, which is why people who do not keep their software up to date are at particular risk. Be mindful of what you download onto your PC, and do not download anything from sources you do not trust.

 

  • Key Loggers

Key loggers are malware that record what is typed at the keyboard, or that install themselves in the browser as small add-ons and read what is entered into web forms. The captured data is sent to the scammers, who extract passwords and other secrets from it. Two defences reduce the damage: two-factor authentication, so that a stolen password alone does not open the account, and the on-screen keyboards some banking sites offer, which defeat simple keystroke capture but not malware that reads the screen or the submitted form.

 

  • DNS-Based Phishing

Domain Name System (DNS)-based phishing, or hosts file modification, is called pharming. It tampers with name resolution rather than with the user: the attacker edits the victim's hosts file, compromises a DNS resolver, or alters the records of the company's domain, so that a request for the genuine address returns the address of a fake site. The browser shows the correct domain name, so users have no visible cue that they are on a site controlled by the attacker.
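Pharming is hard to spot in the browser because the address bar shows the right name, so the check has to be made on the resolution path itself. The Python script below is an added example, not part of the original notes: it parses hosts-file syntax (comments, several hostnames per line, IPv4 and IPv6) and flags any entry that pins a domain from a watch-list, something a home PC should never need. The watch-list and the sample file contents are assumptions constructed for the example.

```python
"""Flag hosts-file entries that pin well-known domains (a local pharming check)."""
import ipaddress

# Assumed watch-list: domains a home PC should never need to resolve locally.
WATCHED_DOMAINS = {"bank.example", "www.bank.example", "www.facebook.com", "login.live.com"}

# Constructed sample file, not copied from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost        # IPv6 loopback
# the next line is what a pharming attack typically leaves behind
198.51.100.23   www.bank.example bank.example
0.0.0.0         ads.tracker.example
not-an-address  www.facebook.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank lines and unparsable IPs are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # a malformed line cannot redirect anything
        for host in fields[1:]:
            yield str(ip), host.lower().rstrip(".")


def suspicious_overrides(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains that the file resolves locally."""
    return [(host, ip) for ip, host in parse_hosts(text) if host in watched]
```

Run it over C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Unix-like systems. It cannot see pharming done at a compromised home router or upstream resolver; for that, compare the answer your configured resolver gives with one from a second, independent resolver.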

 

  • Content-Injection Phishing

 

Content-injection phishing means inserting malicious content into a legitimate website, usually through a vulnerability in that site. The injected content may redirect visitors to another site, install malware on the user's computer, or add a form or frame that sends whatever the user types to the phisher's server.

 

  • Search Engine Phishing

 

Phishers build e-commerce or banking sites with attractive offers and have them indexed by search engines in the ordinary way. When users search for a product or service, the fake site appears among the results, and users who buy or register there hand over their details. For example, scammers have set up false banking sites offering lower borrowing costs or better interest rates than real banks; victims are encouraged to transfer money or supply account details to open the "account", and are deceived into giving up their details.

 

  • Phone Phishing

 

In phone phishing (vishing) the phisher either calls the user directly or sends a message asking the user to call a number. The aim is to obtain bank account details, PINs or passwords over the phone. The caller ID is usually spoofed so that the call appears to come from the bank.

 

 

 

3.     Phishing Links

 

 

Phishing links that you are urged to click in email messages, on websites, or even in instant messages, may contain all or part of a real company's name and are usually masked, meaning that the link you see does not take you to that address but somewhere different, usually an illegitimate website.

 

Notice in the following example that resting (but not clicking) your mouse pointer on the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address. This is a suspicious sign.

Figure: masked link. The real link is revealed after resting the mouse over it.

 

Phishers also use URLs that resemble the name of a well-known company but are slightly altered by adding, omitting, transposing or substituting letters (a zero for the letter o, for instance). For example, the URL "www.facebook.com" could appear instead as a version that differs by a single character, as in the figure:

Figure: a spoofed URL. A closer inspection will reveal it is fake.
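The two warning signs above (a masked link whose visible text differs from its destination, and a look-alike domain built by adding, omitting, transposing or substituting characters) can both be checked mechanically. The Python script below is an added example, not code from the original notes: it pulls every link out of an HTML message body, compares the visible text with the real host, and flags bare IP addresses, the credentials-before-"@" trick, trusted names buried as subdomains, and domains within a small edit distance or a character substitution of a trusted one. The trusted-domain list, the confusable-character table and the sample message are assumptions constructed for the example, and the registrable-domain helper is deliberately naive (last two labels, no public-suffix list).

```python
"""Check the links in an HTML e-mail for masking, bare IPs and look-alike domains."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of domains the recipient trusts (hypothetical, not from the notes).
KNOWN_BRANDS = ("facebook.com", "paypal.com", "bank.example")
# Substitutions phishers use because the characters look alike in many fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalise(label):
    for fake, real in CONFUSABLES:  # undo look-alike character substitutions
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, to catch added, omitted or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Reasons the destination host itself looks wrong (empty list = nothing found)."""
    try:
        ipaddress.ip_address(host)
        return ["host is a bare IP address"]
    except ValueError:
        pass
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return []
    reasons = []
    for brand in KNOWN_BRANDS:
        if f".{brand}." in f".{host}.":  # e.g. bank.example.evil.example
            reasons.append(f"{brand} appears as a subdomain of {reg}")
        brand_label, reg_label = brand.split(".")[0], reg.split(".")[0]
        if normalise(reg_label) == brand_label or edit_distance(reg_label, brand_label) <= 2:
            reasons.append(f"{reg} is a look-alike of {brand}")
    return reasons


def analyse(html):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.username is not None:  # http://www.bank.example@evil.example/
            reasons.append("text before '@' in the URL hides the real host")
        if "." in text and " " not in text:  # visible text looks like an address
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(host):
                reasons.append(f"shows {shown} but goes to {host}")
        reasons += classify_host(host)
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message body; the hosts are reserved example/documentation names.
SAMPLE_EMAIL_HTML = """
<p>Dear Valued Customer,</p>
<p>Please <a href="http://198.51.100.23/login">verify your account</a> within 48 hours.</p>
<p>Or visit <a href="https://www.faceb00k.com/secure">www.facebook.com</a> to confirm.</p>
<p>Statement: <a href="https://bank.example.evil.example/st">bank.example</a></p>
<p>Help: <a href="https://www.bank.example/help">Contact support</a></p>
"""
```

On the sample, the first three links are reported (bare IP; visible text www.facebook.com but destination www.faceb00k.com, which also normalises to the trusted name; and bank.example used as a subdomain of evil.example) while the genuine www.bank.example link passes. The edit-distance threshold of 2 is generous for short labels, so treat its hits as prompts to look closer rather than verdicts.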

 

 

  • Unsafe Communication

 

An unsafe email contains a URL that points to a site you do not recognise, or whose domain does not match the company it claims to be, and the message urges you to provide sensitive information.

 

  • Safe Communication

 

A safe URL points to the company's genuine domain, and a genuine email does not ask you to provide sensitive information of any kind.

A site protected with an extended validation (EV) certificate for Secure Sockets Layer (SSL) or its successor TLS, the cryptographic protocol that secures the connection, shows a URL that starts with https://, a padlock in the address bar and, in most browsers of 2015, a green highlight carrying the verified company name. Note that the padlock only proves the connection is encrypted to whoever controls the domain shown in the address bar; phishers obtain certificates for their look-alike domains too, so check the domain name, not just the padlock.

Figure: secure links begin with "https://" and a padlock sign.

 

 

4.    You have won the Lottery: Email Phishing Scams

 

What does a phishing email message look like? Phishing email messages take a number of forms:

  • They might appear to come from your bank or financial institution, or from a company you regularly do business with, such as Microsoft, Google, Apple or Facebook.

  • They might appear to be from someone in your email address book.

  • They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.

  • They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages.

  • They might include links to spoofed websites where you are asked to enter personal information.

 

 

How to tell if an e-mail message is fraudulent

 

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

 

  • "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

 

  • "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking.

 

  • "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

 

  • "We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity."

 

  • "Your e-mail (or passphrase) will expire soon. To avoid any interruption please click the link below and upgrade your email."

 

  • "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.

 

  • "You have won the lottery." The lottery scam is a common phishing scam known as advance-fee fraud. One of the most common forms of advance-fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part, provided you first pay a "fee" to release it. The lottery scam often includes references to big companies, such as Microsoft.

Figure: the anatomy of a phishing email.
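Most of the tells listed above can be scored automatically from the raw message, and two that a reader cannot see in a mail client's preview, a Reply-To or Return-Path on a different domain from the From address, are often the strongest. The Python script below is an added example, not part of the original notes: it parses a raw RFC 5322 message with the standard email library, compares the sender-related header domains, and looks for the generic greeting, urgency wording and requests for secrets described above. The phrase lists and the sample message are assumptions constructed for the example.

```python
"""Score a raw e-mail for common phishing tells: header mismatches and wording."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed phrase lists for the example (extend them from your own phishing samples).
URGENCY = ("within 48 hours", "account will be closed", "immediately", "suspended")
REQUESTS = ("verify your account", "confirm your identity", "update your credit card",
            "you have won")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")

# Constructed sample message; all names and domains are reserved example values.
SAMPLE_EML = """\
From: "Bank Security" <security@bank.example>
Reply-To: helpdesk@bank-secure-login.example
Return-Path: <bounce@mailer.evil.example>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Dear Valued Customer,

We suspect an unauthorized transaction on your account. If you don't respond
within 48 hours, your account will be closed. Please reply with your password
to confirm your identity.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, or '' if there is none."""
    address = parseaddr(header_value)[1]
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators; an empty list means none found."""
    msg = message_from_string(raw_message)
    texts = []
    for part in msg.walk():  # collect every text/plain part (single or multipart)
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    content = (msg.get("Subject", "") + "\n" + "\n".join(texts)).lower()

    found = []
    from_domain = domain_of(msg.get("From", ""))
    for header in ("Reply-To", "Return-Path"):  # where replies and bounces really go
        other = domain_of(msg.get(header, ""))
        if other and other != from_domain:
            found.append(f"{header} domain {other} differs from From domain {from_domain}")
    if any(greeting in content for greeting in GENERIC_GREETINGS):
        found.append("generic greeting")
    for phrase in URGENCY + REQUESTS:
        if phrase in content:
            found.append(f"phrase: {phrase}")
    secret = r"\b(password|passphrase|pin|social security)\b"
    if re.search(secret, content) and re.search(r"\b(reply|send)\b", content):
        found.append("asks for a secret in the reply")
    return found
```

A single indicator is weak evidence (legitimate newsletters also use generic greetings), but a message that combines a header mismatch with urgency and a request for a password is almost never genuine. Feed the function the raw source of a message ("show original" in most clients), not the rendered view.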

 

 

Avoiding email phishing scams

 

Reputable organizations should never use email to request that you reply with your passphrase, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in a message. If you think the message may be legitimate, go directly to the company's website (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

 

When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to. 

 

Read your email as plain text where your mail client allows it.

 

Phishing messages often contain clickable images and buttons that look legitimate; in plain text the raw URLs behind them are visible. Rendering HTML also lets the sender confirm that you opened the message by loading remote images, and in older or poorly patched clients a crafted HTML message can trigger vulnerabilities in the rendering engine, which is one way viruses, worms and Trojans are delivered.

 

 

 

5.     How not to get hooked by phishing scams

 

  • Do not reply

 

If you get an email or pop-up message that asks for personal or financial information, do not reply.

And don't click on the link in the message, either. Legitimate companies don't ask for this information via email. If you are concerned about your account, contact the organization mentioned in the email using a telephone number you know to be genuine, or open a new Internet browser session and type in the company's correct Web address yourself. In any case, don't cut and paste the link from the message into your Internet browser — phishers can make links look like they go to one place, but that actually send you to a different site.

 

  • Area codes can mislead

 

Some scammers send emails that appear to be from a legitimate business and ask you to call a phone number to update your account or access a "refund." Because they use Voice over Internet Protocol technology, the area code you call does not reflect where the scammers really are. 

If you need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card. And delete any emails that ask you to confirm or divulge your financial information.

 

  • Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly

 

Some phishing emails carry attachments or links to software that can harm your computer or record your activity on the Internet without your knowledge. Anti-virus software scans incoming mail and downloads for known malicious files; choose a product that recognises current as well as older malware, can clean an infection rather than only detect it, and updates its signatures automatically.

A firewall blocks unsolicited inbound connections, so a PC that is permanently on a broadband connection is not reachable by anyone scanning for it; that is why running one matters most on broadband. Just as important, operating systems (like Windows or Linux) and browsers (like Internet Explorer, Chrome or Firefox) publish free "patches" that close the holes hackers or phishers could exploit; install them promptly.

 

  • Do not email personal or financial information

 

Email is not a secure method of transmitting personal information. If you initiate a transaction and want to provide your personal or financial information through an organization's website, look for indicators that the site is secure, like a lock icon on the browser's status bar or a URL for a website that begins "https:" (the "s" stands for "secure").

Unfortunately, no indicator is foolproof; some phishers have forged security icons.

 

  • Review credit card and bank account statements to check for unauthorized charges

 

If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

 

  • Be cautious of attachments and downloads

 

Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them. These files can contain viruses or other software that can weaken your computer's security.

 

 

 

6. I've been phished! What should I do?

 

  • Email/username & password/passphrase

 

Change your password/passphrase immediately, and do the same on any other site where you used it. If you're using a free provider (Gmail, Hotmail, etc.) and you find an increasing and uncontrollable amount of spam, you may wish to change your email address as well.

 

  • Personal information

 

Address; financial information; answers to security questions; driver's license or license plate; and any other personal information that can be changed.

 

While there's no way to "unsend" the email, many of these pieces of information are changeable (especially credit card numbers). Contact the appropriate organization or financial institution. You should also report this as identity theft.

Please note: the theft of a credit card (or credit card number) alone does not constitute identity theft. You should, however, promptly call the financial institution and have the number changed. You can also work out or challenge any erroneous charges on your account.

 

  • Personal information that isn't changeable

 

Social Security number, Mother's maiden name, Date and/or city of birth, Medical information

 

Unfortunately, there's not much you can do about this except defend yourself (electronically): report it as identity theft and monitor your credit file closely. Being proactive and staying alert and aware of your credit is your best defence.

 

 

7.   General Online Safety

 

  • When you get a pop-up or dialog box, do not just click “YES” to make it go away. Read the content before you make a decision

  • Do not use your PC with an account with administrator privileges

  • Look out for invalid security certificates

  • Do not click on links in emails. Type them into the browser manually.

  • Do not download attachments that are of type “.exe” or compressed in “zip” format

  • Set your PC and devices to update automatically

  • Run a combination of anti-virus, anti-malware and firewall on your PC. However do not run more than one anti-virus software as they will conflict with each other

  • Keep your browser updated

  • Never respond to an email asking for personal information

  • Always check the site to see if it is secure. Call the phone number if necessary
