Phishing

March 23, 2009

Have you heard the term Phish? Phishing is when criminals try to trick you into giving them sensitive information (user names, passwords, account numbers, credit card numbers, etc.) by masquerading as a trustworthy entity. 

Here’s an example. Let’s say you get an e-mail from Fred’s Bank. The email says that there has been a large transaction on your account and they want to verify with you that the transaction is valid and not fraud. Let’s also say that you happen to have an account at Fred’s Bank. The e-mail gives you a link to click on to resolve the situation. The link says www.fredsbank.com/fraudprevention, so it looks real. When you click on the link, a website comes up that looks like Fred’s Bank website. It shows a transaction, gives you the opportunity to specify if it’s valid or invalid and asks you for your account number and password. You select that the transaction is not valid, enter your account number and password and click the button to submit. The website says that the transaction will be removed.

What really just happened?

You received a Phish e-mail from someone posing as Fred’s Bank. The email looked official, but wasn’t. The link said www.fredsbank.com/fraudprevention, but when you clicked on it, that’s not where it went. The website it went to was a fake website designed to look just like the Fred’s Bank website. The transaction listed was bogus. The only thing that was real was the account number and password you gave them. The elaborate hoax was all to get your account number and password. Next thing you know, your account has been emptied.

In the above situation, how could you have detected this was a Phish attempt?

Here are some things you can do to protect yourself.

  • If you get an e-mail from an institution you do business with, don’t click on any links in the e-mail.

  • Most e-mail programs will allow you to hold the mouse pointer over the link and it will show you where the link really goes. If that doesn’t match what the link says in the e-mail, it’s probably a phish attempt.

  • Instead of clicking on a link in an e-mail, pull up your web browser and go to the website for the institution in question and check your account, or call them and ask them about it.

  • If you do click on a link in an e-mail, look up in the address bar of your web browser and check whether you are really on the institution’s website. Look carefully; they often use addresses very similar to the real ones.

  • If the e-mail directs you to call a 1-800 number, don’t call that number. The person on the other end could be the criminal who will ask for your account number and password. This goes for any phone number you are given in a voice mail as well.

  • Also look at the web address and see if it starts with http or https. Any legitimate website that asks you for sensitive information should start with https.

  • Many security programs and many web browsers provide protection against phishing. It’s a good idea to use these, but don’t totally rely on them. Use the tips above.
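The hover check and the https check in the list above can be automated. The following is an added example, not code from the original post: it scans an HTML e-mail body for links whose visible text names one web address while the href actually goes to a different host, and for links that are not https. The sample e-mail is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not from the original post). The first
# link's visible text names the bank, but its href goes to a different host.
SAMPLE_EMAIL_HTML = """
<p>A large transaction was made on your account. Please verify it at
<a href="http://fredsbank.com.example-login.net/fraudprevention">www.fredsbank.com/fraudprevention</a></p>
<p>Questions? See <a href="https://www.fredsbank.com/contact">our contact page</a>.</p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Host of a URL with a leading 'www.' dropped; scheme-less text is accepted."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def find_suspicious_links(html):
    """Return (href, reasons) for links whose text names another host or that are not https."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        # Visible text that looks like a web address must point at that same host
        if re.match(r"(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I) and _host(text) != _host(href):
            reasons.append(f"text shows {_host(text)} but link goes to {_host(href)}")
        if not href.lower().startswith("https://"):
            reasons.append("not https")
        if reasons:
            findings.append((href, reasons))
    return findings
```

A clean result only means the link passes these two checks; an https address that merely resembles the real one still needs the careful reading the list above calls for.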