Phishing is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers.
PayPal and eBay were two of the earliest targets of phishing scams. This PayPal phishing scam tries to trick recipients by pretending to be a security alert. Claiming that someone 'from a foreign IP address' attempted to log in to the recipient's PayPal account, the email urges recipients to confirm their account details via the link provided. As with other phishing scams, the displayed link is bogus - clicking it actually takes the recipient to the attacker's website. The eBay phishing email includes the eBay logo in an attempt to gain credibility. The email warns that a billing error may have been made on the account and urges the eBay member to log in and verify the charges.
The following example is a phishing scam targeting SunTrust bank customers. The email warns that failing to comply with the instructions may result in account suspension. Note the use of the SunTrust logo. This is a common tactic with 'phishers', who often use valid logos they have simply copied from the real banking site in an attempt to lend credence to their phishing email.
Next, a Citibank phishing example. The attacker claims to be acting in the interests of safety and integrity for the online banking community. Of course, in order to do so, users are instructed to visit a fake website and enter critical financial details that the attacker will then use to disrupt the very safety and integrity they claim to be protecting.
As seen with the previous Citibank phishing scam, the Charter One phishing email also pretends to be working to preserve the safety and integrity of online banking. The email also includes the Charter One logo in an attempt to gain credibility.
Prevention methods for phishing scams
1. Be suspicious of any email with urgent requests for personal financial information
-unless the email is digitally signed, users can't be sure it wasn't forged or 'spoofed'
-phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
-phishers typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
-phishing emails are typically NOT personalized, but they can be. Valid messages from users' bank or e-commerce company generally are personalized, but always call to check if users are unsure
2. Don't use the links in an email, instant message, or chat to get to any web page if users suspect the message might not be authentic or don't know the sender or the sender's handle
-instead, call the company on the telephone, or log onto the website directly by typing the Web address into the browser
3. Avoid filling out forms in email messages that ask for personal financial information
-users should only communicate information such as credit card numbers or account information via a secure website or the telephone.
4. Always ensure that users are using a secure website when submitting credit card or other sensitive information via the Web browser
-Phishers are now able to 'spoof,' or forge, BOTH the "https://" that users normally see when on a secure Web server AND a legitimate-looking address. Users may even see both in the link of a scam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website by hand and not depend on displayed links.
-Phishers may also forge the yellow lock users would normally see near the bottom of the screen on a secure site. The lock has usually been considered another indicator that users are on a 'safe' site. The lock, when double-clicked, displays the security certificate for the site. If any warning is displayed that the address of the site does NOT match the certificate, do not continue.
5. Remember that not all scam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too. Were users directed to PayPal? Does the address line display something different, like "http://www.gotyouscammed.com/paypal/login.htm"? Be aware of where users are going.
6. Consider installing a Web browser toolbar to help protect users from known fraudulent websites. These toolbars match where users are going against lists of known phisher Web sites and will alert users.
-Internet Explorer version 7 includes this toolbar, as does Firefox version 2
-EarthLink ScamBlocker is part of a browser toolbar that is free to all Internet users - download at http://www.earthlink.net/earthlinktoolbar
7. Regularly log into online accounts
-don't leave it as long as a month before checking each account
8. Regularly check bank, credit and debit card statements to ensure that all transactions are legitimate
-if anything is suspicious or users don't recognize a transaction, contact the bank and all card issuers
9. Ensure that the browser is up to date and security patches are applied
10. Always report "phishing" or "spoofed" e-mails to the following groups:
-forward the email to reportphishing@antiphishing.org
-forward the email to the Federal Trade Commission at spam@uce.gov
-forward the email to the "abuse" email address at the company that is being spoofed (e.g. "spoof@ebay.com")
-when forwarding spoofed messages, always include the entire original email with its original header information intact
-notify the Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/
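As an added example that is not part of the original article, the following Python script applies the checks from points 4 and 5 to the links in an HTML e-mail body: it flags a link whose visible text shows one address while the href goes to a different host, and a link where a brand name appears in the path or subdomain of an unrelated host. The sample e-mail body and the brand-to-domain list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original article): an HTML e-mail body
# containing the link patterns the text describes.
SAMPLE_EMAIL_HTML = """
<p>Confirm your details at
<a href="http://www.gotyouscammed.com/paypal/login.htm">https://www.paypal.com/login</a></p>
<p><a href="http://paypal.com.verify-account.example/update">Update account</a></p>
<p>Policy: <a href="https://www.paypal.com/policy">policy page</a></p>
"""
BRAND_DOMAINS = {"paypal": "paypal.com"}  # assumption: brands to watch -> real domain

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    """Naive registrable domain (last two labels); ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html, brand_domains=BRAND_DOMAINS):
    """Return (href, reason) for links matching the patterns the text warns about."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest_host = urlparse(href).hostname or ""
        # Pattern 1: the visible text is itself a URL but leads to another host.
        if re.match(r"https?://", text):
            shown_host = urlparse(text).hostname or ""
            if base_domain(shown_host) != base_domain(dest_host):
                findings.append((href, f"shows {shown_host} but goes to {dest_host}"))
                continue
        # Pattern 2: a brand name appears in the URL, yet the host is not the brand's.
        for brand, real_domain in brand_domains.items():
            if brand in href.lower() and base_domain(dest_host) != real_domain:
                findings.append((href, f"'{brand}' in URL but host is {dest_host}"))
    return findings
```

The genuine policy link on paypal.com produces no finding, which is the check that keeps such a filter from flagging every mention of the brand.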