What is phishing?

phish·ing

Pronounced: ˈfiSHiNG/

noun: phishing
The activity of defrauding an online account holder of financial information by posing as a legitimate company.

“phishing exercises in which criminals create replicas of commercial Web sites”

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.

Phishing is a continual threat that keeps growing to this day. The risk grows even larger in social media such as Facebook, Twitter, Myspace etc. Hackers commonly use these sites to attack persons using these media sites in their workplace, homes, or public in order to take personal and security information that can affect the user and the company (if in a workplace environment). Phishing is used to portray trust in the user since the user may not be able to tell that the site being visited or program being used is not real, and when this occurs is when the hacker has the chance to access the personal information such as passwords, usernames, security codes, and credit card numbers among other things.

Signs you May have Received a Phishing Email:

If you receive an email from a website or company urging you to provide confidential information, such as a password or Social Security number, you might be the target of a phishing scam. The tips below can help you avoid being taken in by phishers.

Unofficial “From” address. Look out for a sender’s email address that is similar to, but not the same as, a company’s official email address. Fraudsters often sign up for free email accounts with company names in them (such as “[email protected]”). These email addresses are meant to fool you. Official email from Yahoo! always comes from an “@yahoo-inc.com” email address.

Urgent action required. Fraudsters often include urgent “calls to action” to try to get you to react immediately. Be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The fraudster is taking advantage of your concern to trick you into providing confidential information.

Generic greeting. Fraudsters often send thousands of phishing emails at one time. They may have your email address, but they seldom have your name. Be skeptical of an email sent with a generic greeting such as “Dear Customer” or “Dear Member”.

Link to a fake website. To trick you into disclosing your username and password, fraudsters often include a link to a fake website that looks like (sometimes exactly like) the sign-in page of a legitimate website. Just because a site includes a company’s logo or looks like the real page doesn’t mean it is! Logos and the appearance of legitimate websites are easy to copy. In the email, look out for:

Links containing an official company name, but in the wrong location. For example: “https://www.yahoo.com is a fake address that doesn’t go to a real Yahoo! website. A real Yahoo! web address has a forward slash (“/”) after “yahoo.com” — for example, “https://www.yahoo.com/” or “https://login.yahoo.com/.”

Legitimate links mixed with fake links. Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy policy and terms of service pages for the site they’re mimicking. These authentic links are mixed in with links to a fake phishing website in order to make the spoof site appear more realistic.

And look for these other indicators that an email might not be trustworthy:

• Spelling errors, poor grammar, or inferior graphics.
• Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
• Attachments (which might contain viruses or keystroke loggers, which record what you type).

Signs you May be on a Phishing Site:

Phishers are becoming more and more sophisticated in designing their phony websites, follow these Email steps if you think you’ve been phished. There’s no surefire way to know if you’re on a phishing site, but here are some hints that can help you distinguish a real website from a phishing site:

Check the Web address. Just because the address looks OK, don’t assume you’re on a legitimate site. Look in your browser’s URL bar for these signs that you may be on a phishing site:

• Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number “1” for the letter “l” in a Web address (for example, www.paypa1.com instead of www.paypal.com).
• “http://” at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with “https://” ― the letter “s” must be included. So check the website address for any Yahoo sign-in page.
• A missing forward slash. To verify that you’re on a legitimate Yahoo site, make sure a forward slash ( / ) appears after “yahoo.com” in the URL bar, for example, “https://www.yahoo.com” is a fake website address.

Be leery of pop-ups. Be careful if you’re sent to a website that immediately displays a pop-up window asking you to enter your username and password. Phishing scams may direct you to a legitimate website and then use a pop-up to gain your account information.

Give a fake password. If you not sure if a site is authentic, don’t use your real password to sign in. If you enter a fake password and appear to be signed in, you’re likely on a phishing site. Do not enter any more information; close your browser. Keep in mind, though, that some phishing sites automatically display an error message regardless of the password you enter. So, just because your fake password is rejected, don’t assume the site is legitimate.

Use a Web browser with antiphishing detection. Internet Explorer, Mozilla Firefox, Web browsers have free add-ons (or “plug-ins”) that can help you detect phishing sites.

Be wary of other methods to identify a legitimate site. Some methods used to indicate a safe site can’t always be trusted. A small unbroken key or locked padlock at the left of the URL bar of your browser is not a reliable indicator of a legitimate website. Just because there’s a key or lock and the security certificate looks authentic, don’t assume the site is legitimate.