Thursday, March 18, 2010

Protecting yourself from Phishing attacks

What is Phishing?

Phishing (pronounced "fishing") is the act of trying to trick someone into disclosing sensitive personal information (such as a username, password, secret answer or credit card number) by posing as a legitimate entity the person already deals with, for example their bank or email provider.

How does it work?

Phishing attacks are carried out in several ways. Here are some typical scenarios.

Scenario 1:

  • the victim is sent an email claiming to be from their email provider (Gmail, Hotmail, Yahoo etc.)
  • the sender address in the email header is often forged so that the message appears to come from the provider; the address shown in the "From" line proves nothing
  • the victim is told that the provider has had some technical difficulty (such as data loss) and that their account will be closed unless they act
  • the victim is asked to reply to the email with their username, password or other sensitive information (such as their secret answer)

Scenario 2:

  • the victim is sent an email claiming to be from their bank or financial institution
  • the victim is told to update their personal details (or to do something similar that encourages them to click the link provided)
  • the email contains a link for the "update"
  • the link usually has a host name such as "http://bankname.something.com", where the bank's name is only a subdomain of a domain the attacker controls (something.com); the familiar name is there to fool the victim
  • the link takes the victim to a page that copies the bank's login page
  • once the victim enters their username and password, the attacker stores them and the victim is shown an error page or redirected to the bank's real website, so nothing looks wrong

Scenario 3:

  • the victim receives an instant message on their messenger client or through Facebook (or another social network), often from a contact whose account has already been compromised
  • the message contains a link
  • the message is worded so that the victim is tempted to click the link
  • when the victim clicks the link they are taken to a site that copies the login page of their email provider (Hotmail, Gmail, Yahoo etc.) or of Facebook (or the social network)
  • when the victim supplies their username and password they are shown an error message or redirected to the site they thought they were visiting, and the attacker now has their credentials

How to protect yourself from Phishing attacks?

There are several tools aimed at protecting internet users from phishing (browser warnings, spam filters, anti-phishing toolbars). However, the best protection is understanding how phishing attacks are conducted rather than relying solely on security tools. Here are the key things to remember:
  • Your email provider, bank, financial institution or any other respectable entity will NEVER ask you for your username, password or secret answer via email. If a message does, it is phishing, no matter how genuine it looks.
  • ALWAYS check the address in your browser's address bar before you type your username and password (http://facebook.com is not the same as http://facebook.evilsite.com).
    What matters is the registered domain: the label immediately before the top-level domain (".com", ".org" and so on) together with that top-level domain. In http://facebook.evilsite.com the domain is evilsite.com; "facebook" is just a subdomain the attacker chose. Everything to the left of the domain (subdomains) and everything after the first slash (the path) can be set to whatever the attacker likes, so http://facebook.com.evilsite.com and http://evilsite.com/facebook.com/login are just as fake. For two-part suffixes such as ".co.uk" the domain is the label before those, e.g. mybank.co.uk. If the domain is not the one you expect, you are being phished.
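The address-bar check above can be written down as a small function, shown here as an added example that is not part of the original post. It pulls the registered domain out of a link the way a careful reader would, ignoring subdomains, paths, ports and the "user@" trick where a real-looking name is placed before an "@" sign, and compares it with the site the user expects. The sample links are constructed for illustration, and the list of two-part suffixes (".co.uk" etc.) is a small assumed sample; a real check should use the full Public Suffix List.

```python
"""Added example (not from the original post): decide whether a link really
belongs to the site the user expects, by comparing registered domains."""
from urllib.parse import urlsplit

# Assumption: a small sample of two-part public suffixes. The real list
# (publicsuffix.org) has thousands of entries; this is enough for the demo.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registrable_domain(url: str) -> str:
    """Return the registered domain of a link, e.g. 'evilsite.com'.

    urlsplit().hostname already discards the scheme, any 'user@' part,
    the port and the path, so 'http://facebook.com@evilsite.com/x' gives
    'evilsite.com'. The last label(s) are then taken as the domain.
    """
    if "://" not in url:
        url = "http://" + url  # bare hosts as pasted into chat messages
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    tail = ".".join(labels[-2:])
    # 'mybank.co.uk': the suffix is two labels, so the domain is three.
    if tail in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return tail


def looks_like_phish(url: str, expected_domain: str) -> bool:
    """True when the link does NOT belong to the site the user expects."""
    return registrable_domain(url) != expected_domain.lower()


# Constructed sample links of the kinds described in the scenarios above.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "http://facebook.evilsite.com/login",
    "http://facebook.com.evilsite.com/",
    "http://evilsite.com/facebook.com/login.php",
    "http://facebook.com@evilsite.com/",
    "http://facebook.com:443@evilsite.com:8080/",
]


def classify_links(links, expected_domain="facebook.com"):
    """Map each link to (registered domain, is it a phish?)."""
    return {u: (registrable_domain(u), looks_like_phish(u, expected_domain))
            for u in links}


if __name__ == "__main__":
    for link, (domain, phish) in classify_links(SAMPLE_LINKS).items():
        print(f"{'PHISH' if phish else 'ok   '}  {domain:<15}  {link}")
```

Only the first sample link is genuine; every other one contains "facebook.com" somewhere but resolves to a domain the attacker controls. Note that this check says nothing about look-alike domains such as "faceb00k.com" or internationalised look-alikes; for those, the only defence is typing the address yourself or using a bookmark rather than following a link.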