What Is Phishing?


Phishing - pronounced 'fishing' - is a form of Internet fraud sometimes considered deceptive advertising and often employed by thieves in an attempt to steal your personal information. You already know the practice: those enticing or official-looking letters that appear in your mailbox at least a few times a week - not your e-mail box, your home mailbox. Once you open one you realize it's just an advertisement. But it was a successful advertisement because you opened it before you tossed it into the trash. Phishing is the Internet equivalent of the same thing - but with more far-reaching consequences. If you get 'hooked' you could become a victim of identity theft.

How does Phishing work?

It's very simple. You receive some kind of e-mail that appears authentic or genuine-looking. The memo informs you that something is wrong with your computer or an account you may have - generally on popular sites like eBay, PayPal and the like. The intent of such a message is to appear so believable that it confuses you or makes you panic. Attempting to reply to the suspicious e-mail message usually results in your reply being undeliverable - the originator used a bogus e-mail address to conceal their identity. One or more links are provided in the message that you can click on in order to - you are told - 'fix' the problem. Or it may try to convince you that it's urgent that you download and install a piece of software. If you follow the link you'll arrive at a page that also seems official. This page will ask you to provide a user name, password, credit card number, or some other piece of personal information. Metaphorically, now the hook has been baited and the line has been dangled in front of you. If you bite ... you'll get bitten!

Is Phishing Illegal?

Yes and no. There is no crime in asking you to volunteer information. It isn't a crime to send you an important-looking message. It's a copyright infringement if the originator of the message uses a copyrighted or trademarked logo (which is easy to steal) to make the message look more authentic, but that's a crime against the owner of the logo, not you. Identity theft is illegal but no crime is committed until the thief actually uses the information you unwittingly provide. It's attempted fraud of course, but if it were easy to catch these people, Phishing wouldn't be a problem.

Thieves are Very Creative!

There are lots of official-looking e-mails out there that upon close inspection are nothing more than attempts at Phishing. Once again, the idea of the message is to confuse you, get you to panic, and convince you that the problem is so severe that you must act immediately. When you are in a state of panic you do not think clearly, leading to a lapse in judgment and causing you to make a poor choice - unwittingly installing spyware, a virus, or providing personal information to a potential thief. You might be tempted to ask why your e-mail anti-spam filter doesn't catch Phishing attempts. The answer is that it does, just not all of them. Thieves try to stay one step ahead of the filters - they change their techniques often. By the time your filter is updated the thief has moved on.

Some recent examples

Phishing attempts have been on the rise recently. We have received numerous messages looking so real that in one case we actually contacted PayPal to determine if the message was genuine. It wasn't. We've received Phishing memos appearing to come from many popular sites as well as banks, fake anti-virus detection companies, spyware masquerading as anti-spyware, and other fraudulent sources. In all cases they were not real. So far we've never been 'hooked' but perhaps that's because we've been around the block a few times. Here are some of the others we've received recently:

One interesting example looked like it came from eBay. But upon inspection, the link on the page (right click on a Windows machine and examine the Properties of the link) showed that we'd be directed to a site named "eaby" - close but clearly fake.

We were told that spam and spyware were getting through our ISP filters and that if we installed the ZIP file provided with the message all that would be prevented. The message was from a bogus ISP and the ZIP file actually contained a spyware program - but of course it all looked very official and genuine.

In another instance a domain registration company told us that our domains were about to expire and that we had to renew immediately. Not only was it untrue, it wasn't from the company where we bought our domains ... it was a clever - and deceptive - advertisement trying to get us to switch companies.

The bottom line is that you can't stop Phishing. But you must be aware of it so you don't get caught.

What can you do?

Rule number one: Don't Panic! Keep a cool head and do not respond to any suspicious or realistic-looking e-mail unless you can verify its authenticity.

Rule number two: Use your common sense. Do not open attachments or click on links in e-mails from people you do not know - no matter how official they look.

Rule number three: If in doubt, Ask! Call or write the genuine security or support department of the company or service named in the suspicious message. If it's convenient, forward a copy of the memo you received to the official site, not to any of the links in, or the sender of, the memo. They'll tell you whether or not the memo is authentic. PayPal, for example, told us they never ask people to provide account information of any kind via e-mail. So read the privacy and security policies of the sites where you have accounts. They will state clearly what procedures they use - and don't use!

Finally, if you have kids, teach them not to open, respond to, or click on attachments in e-mails from people they don't know.

There are various products you can install to detect spyware or viruses - these can help keep you from becoming infected and you should be using them - but they can't prevent you from voluntarily giving up your personal information. Only you can do that. Be warned and be vigilant!

The information on this page is presented as a public service by XpressComputerSolutions.

 
