TMB-Tech

What is Phishing & What can I do about it?

What is Phishing

What Can I Do About Phishing

What To Do If You Gave Information To A Phishing Site

How Can I Protect Myself from Phishing?

Examples of Actual Phishing Emails and Websites

 

What is Phishing?

Phishing attacks use an e-mail forged to appear to originate from popular companies and organizations ("phishmail" from "impersonated organizations"). Phishmail tries to lure target victims to impersonated websites where an attempt is made to fool recipients into divulging personal information.

The personal information obtained is used to commit fraud, identity theft, spamming, or other crime.

Target victims are people who already use the internet to deal with the impersonated organization. A person regularly dealing with an impersonated organization via email and the internet won't be surprised when the phishing email arrives. (Of course the impersonated organization is also a victim.)

Phishmail and phishing websites can use language and graphics that closely duplicate those of the impersonated company.

  1. Conventional phishing involves sending mass amounts of unpersonalized email (phishmail spam) with sent-by addresses forged to appear to be from popular companies and organizations. A percentage of the tens-of-thousands of phishmail recipients are bound to already be customers of the impersonated organization, and already routinely access their accounts over the internet.

    The best tip-off to conventional phishing is that the phishmail is not personalized. The phisher can't personalize the email because they don't know anything about the recipients. Legitimate email from an organization about an account should mention the recipient's real name and account number.

    As of May 2005 there is a new development in phishing: targeted phishing.

     
  2. Targeted phishing involves sending the target victim a personalized email that contains their name, possibly their address or account number, or other personal details.

    The inclusion of a few personal details greatly increases the likelihood that the target can be lured into divulging additional personal information.

    The goal of targeted phishing is to gather additional information about target victims, so that greater frauds can be committed using their names.

    In the case of targeted phishing, the impersonated organization need not be popular.


(A phishing site may have a mis-spelling of an institution's domain name, so that victims just stumble upon it. However, using mis-spelled domain names to sell competing products is not phishing.)


Phishing email usually has a spoofed/forged sent-by address that resembles email addresses the impersonated organization normally uses.

In the body of the phishing email, there may be simple HTML code that places a fake URL over the real URL. For example, click on http://isc.sans.org/, and then come back here.


What is coded is:

<a href="www.bigbank.com/account/signon/">http://isc.sans.org/</a>

On a web page, the phishing domain name or URL can be disguised by:

  1. Using a similar domain name. www.bigbank.account.com/signon/ might look like part of www.bigbank.com, but it is actually part of www.account.com. Also, www.wellsfargobank-llc.com is not the same domain as www.wellsfargobankllc.com or www.wellsfargobank.com.
     
  2. Positioning a picture of an address box (URL box) with the correct URL for the company on top of the browser's real URL box.
     
  3. By copying the actual layout and graphics from the impersonated company's website to the phishing website, the phishing website can flawlessly replicate the appearance of the organization's real site.
     
  4. Do not depend on grammatical flaws to detect phishing. The email and website wording are sometimes in flawless business language.
     
  5. After the victim has entered the information requested, the victim may be smoothly linked from the phishing site to the impersonated organization's legitimate real site. If an account name and password were entered on the phishing site, the phishing site may even sign the victim onto the impersonated organization's real site. Even if the victim gets suspicious at this point, all they see is the organization's real site. The victim often has no clue that their personal information was just stolen.

There are illustrated and explained examples of actual phishing pages and emails in the link in Part E below.
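The two tricks above (display text that hides a different href, and a lookalike host such as www.bigbank.account.com that is really part of account.com) can be checked mechanically. The following is an added example, not code from the original page: it parses the anchors in an e-mail body and reports links whose visible URL and real destination disagree, or whose destination lies outside the domain the mail claims to come from. The sample body and the bigbank.com / account.com names are constructed for this example, and the registrable-domain rule is a deliberate simplification (last two labels, no public-suffix list).

```python
# Added example (not from the original page): flag anchors whose visible text
# is a URL on a different host than the href, using a naive registrable-domain
# check so that www.bigbank.account.com is seen as part of account.com.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body modelled on the page's bigbank example.
SAMPLE = ('<p>Sign on here: <a href="www.bigbank.account.com/signon/">'
          'http://www.bigbank.com/</a></p>')

def host_of(url):
    """Lower-cased host of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, expected_domain):
    """Return (href, text, reason) for links that look deceptive."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and registrable(shown) != registrable(target):
            findings.append((href, text, "display text hides a different host"))
        elif registrable(target) != expected_domain:
            findings.append((href, text, "link leaves " + expected_domain))
    return findings
```

Running `suspicious_links(SAMPLE, "bigbank.com")` reports the sample anchor, because the visible http://www.bigbank.com/ resolves to bigbank.com while the href lands on account.com.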

 

What Can I Do About Phishing?

Promptly report attempted and suspected phishing:

It only takes a minute to report suspected phishing email.

Trained investigators will determine if the email or website is an actual attempt at crime. Merely visiting a phishing website can lead to malware being loaded onto your computer without your permission. Leave the investigation to the experts.

Report the suspected phishing email by forwarding the email as an attachment. This allows semi-automated processing to eliminate duplicates and false alarms, and it preserves the internal email headers needed to trace back the actual source of the email.

For Outlook Express: Go to the inbox, Right-click on the email in the email selection list, and select "Forward as Attachment". Add the email addresses below to the TO: box. Send the resulting email.

For Outlook or Netscape: Create a new email. Add the email addresses below to the TO: box. Drag and drop the phishing email on the new email (with Netscape, drop it in the attachment area). Send the resulting email.

Instructions for sending the full header information of an email using other email tools are at Spamcop.net: "How do I get my email program to reveal the full, unmodified email?" Follow the instructions for "web submission", but instead paste the full unmodified email into a new email addressed to the email addresses in 1 and 2 below.

Following the instructions just above, forward the phishing email reports to each of these institutions (as an attachment):

  1. Cut and paste these email addresses into the TO: box of your email.

    reportphishing@antiphishing.org;
    spam@uce.gov;
    newvirus@kaspersky.com;
    toolbar@netcraft.com

    or, with commas:
    reportphishing@antiphishing.org,
    spam@uce.gov,
    newvirus@kaspersky.com,
    toolbar@netcraft.com

    (If reportphishing@antiphishing.org bounces,
    try info@antiphishing.org.)
     

  2. A contact at the company or institution impersonated in the phishing email. Look on the company's real website for a contact email address.

If there is no "security contact", try making email addresses by prefixing the company's real domain name with: abuse@, postmaster@, info@, and webmaster@ (for www.bigcompany.com you'd email abuse@bigcompany.com, postmaster@bigcompany.com, info@bigcompany.com, and webmaster@bigcompany.com). (If you are still unsuccessful at contacting them, at least you tried.)

 

What To Do If You Gave Information To A Phishing Site:

  1. If you have disclosed personal information on a phishing site, you may become a victim of identity theft.

    The more time crooks have to play with your personal information, the longer it will take you to clean up the mess. Reporting identity theft early reduces the amount of work you'll later have to do to restore your credit. Do not wait for credit companies to contact you. Do not wait for monthly statements.

    If you gave out a credit card number, call the credit card issuing company's 24/7 phone number to report the card number as stolen right now. Do this now, before reading further. (If you gave out a debit card number or checking account number, contact your bank.)

    Carry out the remaining credit protection steps no later than the next business day. The credit protection steps are here: What Do I Do About Possible Identity Theft?
     
  2. If you merely visited a phishing site, you should scan your computer for any keystroke loggers and other malware that may have been downloaded through your web browser.

    a) Update your anti-virus software and run a regular virus scan of your computer.
    b) Run the Ad-aware step here.

 

How Can I Protect Myself from Phishing?

No web browser or email tool provides total protection against phishing, because phishing relies on fooling people. (However, some tactics for fooling users don't work on some web browsers.)

  1. Only enter confidential information on web pages that appear secure:

    a) The URL (at the top of the window) should begin with https:// instead of http://.

    b) There should be a lock (padlock) icon in the lower right of the window frame you would enter your information on. (A lock icon on the web page itself doesn't mean a thing.) Double-click the lock icon in the window frame. A security certificate will pop-up. On the "General" tab of the certificate, verify the URL and company name are what you expect.

    c) In MSIE (MS Internet Explorer) right-click on the web page you would enter your information on, and select "Properties". Or from the "File" pull-down menu (at the top of the page) select "Properties". On the Properties pop-up you can examine the URL and the security certificate.

    d) In FireFox, right-click on the web page you would enter your information on, and select "View Page Info". Here you can examine the URL and the security certificate.

    Check the security certificate of the actual window you would enter your information on. Some phishing sites open a small window from the phishing site (with its tool and address bars turned off) in front of a large window from the institution's real web site. Here is an illustrated example of this: MSN- 'Warning Message'

    e) If something doesn't appear correct, forward the email to the company it claims to be from, using the instructions in step B.2 above, and request confirmation. Or telephone the company using the phone number on a recent account statement.
     
  2. Only use credit cards to make online purchases. Most jurisdictions have legislation to limit consumer liability from fraudulent credit card use. Similar protective legislation does not exist for checking accounts or debit cards.
     
  3. Be suspicious of any urgent requests.
    Phishmail typically includes upsetting or exciting statements to get people to react immediately. Phishmail will try to convey a sense of urgency, so that people will act before they think.
     
  4. A lack of normal personalization in email about an existing account is a tip-off that the email is phishmail. A company emailing you about an existing account will mention your real name and account number in the email.

    However, while the lack of personal details is a good indication that email is phishmail, the presence of personal details does not guarantee the email is legitimate.

    Targeted phishmail will include some personal details about you, and will lead you to a site where they will try to gather even more information about you.
     
  5. Don't click the links in an email to get to a page where you will be entering confidential information.

    Instead, go to the website by typing what you know to be their web address in the address box of your browser. Set a "favorite" or "bookmark" to point to what you know is the organization's main webpage, and use that when you want to visit their site.
     
  6. Avoid filling out forms in emails. The security of email forms is normally low.
     
  7. Before disclosing information on the telephone, make sure that it is you who dialed the telephone call.

    If they phoned you, take down the caller's name and phone number/extension. Use the phone number on a recent statement or in the phone book to call the company back, and then ask for that person.

    Do not rely on telephone Caller ID information. Telephone Caller ID information can be faked.
     
  8. Use one of these anti-phishing tools:

    Click to download Netcraft Toolbar.  Be sure to read the tutorial on how to recognize a phishing site using the tool.

    Click to download EarthLink Toolbar.
    Click to download SpoofStick
     
  9. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers.

    The more time crooks have had to play with your personal information, the longer it will take you to clean up the mess.

    Catching and reporting identity theft early reduces the amount of work you'll have to do to restore your credit later.

 

Examples of Actual Phishing Emails and Websites

Illustrated examples of phishing are here: Antiphishing.org archive
(Here is one of the best examples.)

Note that many examples display fluent English and flawless graphics and layout.
