Computer Defense Department

Don’t Get Hooked

Stay away from those hooks; somebody is always phishing for you and your personal information.  Phishing is the act of sending an e-mail that falsely claims to come from an established, legitimate enterprise in an attempt to scam the recipient into surrendering private information that will then be used for identity theft.  The e-mail directs you to a Web site where you are asked to "update" personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.  The Web site, however, is bogus and is set up only to steal that information.  Once the phisher has it, you could become a victim of identity theft.

Phishing was almost unheard of a year ago, but now it is a real and present danger.  A 2004 report by Gartner Group estimated that 57 million people had received phishing e-mails, costing banks and credit-card issuers over $1.2 billion in 2003 alone.

How do they get your e-mail address in the first place, you ask?  Phishing is a type of e-mail spam, and spammers gather addresses in a variety of ways: from addresses posted on Web sites or in newsgroups, or even by simply guessing.  Yes, guessing.  They take popular e-mail domains, such as ______@aol.com or ________@sbcglobal.net, and fill in the blank with common names.  Phishing e-mails are not aimed at one person, hence the fishing metaphor.  Like a fisherman who throws out a hook hoping for a bite, the phisher sends one message to a huge list of addresses hoping that a few will bite, or, as some might say, that a few suckers will take the bait.

One sure sign that an e-mail is a phishing attempt is that it asks you to validate an account with an establishment you don't even do business with.  You are safe there, since you have no private information to give.  But with the proliferation of this nasty tactic you are likely to come upon a phishing e-mail that claims to come from an establishment you do use: Washington Mutual, Capital One, eBay, PayPal.  No one is immune.  You can report phishing e-mails to the establishment they claim to be from, but there is not a lot it can do about them.  Tracking these villains down is rarely worth the effort, and many of the messages come from offshore mail servers, so prosecution would not even be possible.

Besides your own common sense and some personal fortitude, there are software tools available to help thwart phishing e-mails.

SpoofStick is a simple browser extension that helps users detect spoofed (fake) Web sites. A spoofed site is typically made to look like a well-known, branded site (such as ebay.com or citibank.com) but lives at a slightly different or confusing URL. The attacker then tries to trick people into visiting the spoofed site by sending out fake e-mail messages or posting links in public places, hoping that some percentage of users will not notice the incorrect URL and will give away important information. SpoofStick only works with Windows XP and 2000.  Another software company, Cloudmark, makes a product called Anti-Fraud Toolbar.  The Anti-Fraud Toolbar rates any Web page you visit to help you judge its credibility. If you click a link to a harmful Web page, one that carries spyware, viruses, worms, or identity-theft or phishing attacks, the toolbar flags the URL as "Unsafe" and blocks the page from loading. If you use a Web mail client, the toolbar also blocks any "Unsafe" pages that your Web mail provider's anti-spam solution has not caught.
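
To make the SpoofStick idea concrete, here is an added example, written for this article and not taken from SpoofStick, Cloudmark or any other product, of the check such a toolbar performs: it parses a link the same way the browser will and reports which host will really be contacted, so the "ebay.com" a victim sees can be compared with the true destination. Everything in it is an assumption made for illustration: the sample URLs, the .example domains and 192.0.2.x addresses (both reserved for documentation), the HTML snippets, the two-label "registrable domain" rule (real tools consult the Public Suffix List), and the function names inspectLink, classifyLink and anchorMismatch. It runs under Node.js or in a browser console, since both share the same URL parser.

```javascript
// Added example, not SpoofStick's or Cloudmark's code. All URLs, hosts and
// HTML below are constructed for illustration; .example and 192.0.2.x are
// reserved names and addresses, never a real victim or attacker.

const IPV4 = /^\d+\.\d+\.\d+\.\d+$/;

// Naive "registrable domain": the last two labels of the host name.
// Real toolbars use the Public Suffix List (so "bank.co.uk" would be handled
// wrongly here); this simplification is enough to show the idea.
function registrableDomain(hostname) {
  if (IPV4.test(hostname) || hostname.startsWith('[')) return hostname; // IP literal
  return hostname.split('.').slice(-2).join('.');
}

// Describes where a link really leads and which look-alike tricks it uses
// against the brand the e-mail claims to come from (e.g. "ebay.com").
function inspectLink(link, claimedBrand) {
  const u = new URL(link);             // same parser the browser uses;
  const host = u.hostname;             // also normalises 3221225994 -> 192.0.2.10
  const realDomain = registrableDomain(host);
  const brandDomain = registrableDomain(claimedBrand.toLowerCase());
  const brandWord = brandDomain.split('.')[0];   // "ebay", "citibank", ...
  return {
    host,
    realDomain,
    // http://www.ebay.com@evil.example/ : the brand is only a user name
    userinfoTrick: u.username !== '' || u.password !== '',
    // http://192.0.2.10/citibank/ : a bare address, no domain name to check
    ipLiteral: IPV4.test(host) || host.startsWith('['),
    // the brand's name appears in the link, but the site belongs to someone else
    brandInDisguise: link.toLowerCase().includes(brandWord) && realDomain !== brandDomain,
    genuine: realDomain === brandDomain,
  };
}

// One-word verdict, the way a toolbar would colour its status bar.
function classifyLink(link, claimedBrand) {
  const r = inspectLink(link, claimedBrand);
  if (r.genuine) return 'genuine';
  if (r.userinfoTrick || r.ipLiteral || r.brandInDisguise) return 'spoofed';
  return 'unrelated';
}

// HTML mail adds a second trick: the text you see is not the href you click.
// Pulls the first anchor out of a snippet and reports whether a URL shown as
// the link text names a different host than the real destination.
function anchorMismatch(html) {
  const m = /<a\s[^>]*href="([^"]*)"[^>]*>([\s\S]*?)<\/a>/i.exec(html);
  if (!m) return null;
  const href = m[1];
  const text = m[2].replace(/<[^>]+>/g, '').trim();
  let shownHost = null;
  try { shownHost = new URL(text).hostname; } catch (e) { /* text is not a URL */ }
  const realHost = new URL(href).hostname;
  return { href, text, mismatch: shownHost !== null && shownHost !== realHost };
}

// Constructed samples in the style of the lures the article mentions.
const SAMPLES = [
  ['https://signin.ebay.com/ws/eBayISAPI.dll', 'ebay.com'],                  // genuine
  ['http://www.ebay.com.verify-login.example/ws/eBayISAPI.dll', 'ebay.com'], // brand in subdomain
  ['http://www.paypal.com@192.0.2.10/cgi-bin/webscr', 'paypal.com'],         // brand as user name
  ['http://3221225994/citibank/update.htm', 'citibank.com'],                 // decimal IP address
  ['https://www.example.net/newsletter', 'capitalone.com'],                  // unrelated site
];

for (const [link, brand] of SAMPLES) {
  console.log(classifyLink(link, brand).padEnd(9), '<-', link, '(claims', brand + ')');
}
console.log(anchorMismatch('<a href="http://192.0.2.10/pp/">https://www.paypal.com/cgi-bin/webscr</a>'));
```

The decimal-address line is the one to remember: the browser happily turns 3221225994 into 192.0.2.10, so a link that looks like gibberish can still land on a working phishing page, and the only reliable test is the host the parser reports, not what your eye reads off the status bar.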


The Anti-Phishing Working Group has a Web site at http://www.antiphishing.org/ with useful information to help you stay out of the phisher's traps.  You can report phishing e-mails to reportphishing@antiphishing.org; reported messages go into a public archive, so you can compare a suspicious e-mail you receive against known phishing e-mails to confirm that it is bogus.

Be suspicious of any e-mail asking you to verify private data such as passwords and credit card numbers.  Be safe and happy computing.