Just Relax When Reading Our Blog:..

Sunday, June 21, 2009

Phishing: Examples and its prevention methods

Phishing is a form of identity theft in which an attacker attempts to acquire personal information, including usernames, passwords and account numbers, by masquerading as a trustworthy entity through e-mail or instant messaging.


There are different types of phishing techniques:
a) Social engineering – It is based on specific attributes of human decision-making called cognitive biases, whereby humans have a built-in reaction to things that seem important. Typically the phisher sends an e-mail that appears to come from a legitimate business requesting verification of information. It contains a link to a fraudulent web page that looks legitimate, with a form requesting personal information.


b) Link manipulation – The e-mail includes a link that appears to belong to the spoofed organization but actually leads to the phisher's site. Some spoofing techniques used links containing the ‘@’ symbol in the URL; such links were later disabled in Internet Explorer, and Mozilla Firefox presents a warning message for them.



c) Filter evasion – Images are used instead of text so that text-based anti-phishing filters cannot read the message.

d) Website forgery – Phishers use JavaScript commands to alter the address bar, either by placing a picture of a legitimate URL over the address bar or by closing the original address bar and opening a new one showing the legitimate URL. It is more problematic when flaws in a trusted website's own scripts are used against the victim, as happened with PayPal in 2006.




e) Phone phishing – Users are told, through messages claiming to come from a bank, to dial a phone number regarding problems with their bank accounts. Once they dial, they are told to enter their account numbers and PIN. Sometimes voice phishing uses fake caller-ID data so that the calls appear to come from a trusted organization.

Here are some tips for preventing phishing scams:

a) Use a firewall and anti-virus software.

b) Review web sites’ SSL certificates, and your own bank and credit card statements, for an extra measure of safety.

c) When reading e-mails, look for:


1- Generic greetings like “Dear Customer”. If a bank sends official correspondence, it should include the customer’s full name.
2- Threats to your account and requests for immediate action, for instance “Please reply within five business days or we will cancel your account”. Companies are unlikely to be so quick to lose business, as they want to keep you as a customer.
3- Requests for personal information and suspicious links. Links that are longer than normal, contain the “@” symbol or are misspelled can be signs of phishing. It is therefore safer to retype the business’s URL into the browser than to click the link in the e-mail.
4- Misspellings and poor grammar.
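The e-mail indicators in points 1 to 3 above, together with the ‘@’ link trick from the link manipulation section, can be checked mechanically. The following Python is an added example, not code from this blog; the message it scans is constructed for illustration, and the greeting and urgency phrase lists are assumptions that a real filter would expand.

```python
import re
from urllib.parse import urlsplit

# Constructed sample e-mail (not a real message): generic greeting, a deadline
# threat, and a link whose visible text names the bank while the href uses the
# "user@host" trick so the browser actually goes to a different host.
SAMPLE_EMAIL = """Dear Customer,
Please reply within five business days or we will cancel your account.
Click <a href="http://www.examplebank.com@192.0.2.10/login">http://www.examplebank.com/login</a>
to confirm your account number and PIN."""

# Assumed phrase lists; a production filter would use a much larger set.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear valued customer")
URGENCY_PHRASES = ("within five business days", "immediately",
                   "cancel your account", "account will be suspended")


def href_host(url):
    """Host the browser really contacts: urlsplit drops any 'user@' prefix."""
    return urlsplit(url).hostname or ""


def link_indicators(href, text):
    """Flags for one <a> element: '@' in the URL, unusual length, or visible
    URL text that points at a different host than the href."""
    flags = []
    if "@" in urlsplit(href).netloc:
        flags.append("at-sign-in-url")
    if len(href) > 75:
        flags.append("long-url")
    if text.startswith("http") and href_host(text) != href_host(href):
        flags.append("host-mismatch")
    return flags


def email_indicators(body):
    """Return the list of phishing indicators found in an HTML e-mail body."""
    lower = body.lower()
    flags = []
    if any(lower.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")
    if any(p in lower for p in URGENCY_PHRASES):
        flags.append("urgency")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        flags.extend(link_indicators(href, text.strip()))
    return flags


if __name__ == "__main__":
    print(email_indicators(SAMPLE_EMAIL))
```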


d) Avoid filling in forms in e-mails that ask for personal financial information.

e) Use browser protection against known fraudulent websites, such as Internet Explorer version 7, Firefox version 2, or the EarthLink ScamBlocker toolbar, which can be downloaded at http://www.earthlink.net/earthlinktoolbar.


f) Check bank, credit and debit card statements regularly to ensure all transactions are legitimate.

g) Report phishing e-mails to the FBI’s Internet Crime Complaint Center at http://www.ic3.gov/default.aspx

Here is a video on phishing:
