Phishing Methods and Prevention

Anyone who has read anything about internet security has almost certainly heard of “phishing”. In a nutshell, phishing consists of a fraudster acquiring sensitive information, such as passwords, credit card numbers or PIN codes, by posing as a legitimate entity.

While this method of collecting sensitive information from individuals by deception has gained media attention in the past few years, it has actually been going on in various forms since the mid 1990s. In those days, the most common type of phishing was an email or instant message designed to deceive people by posing as an employee of their internet service provider and asking them for their user name and password. The account would then be used for various shady purposes, such as sharing copies of software or sending unsolicited email (spam).

In today’s world, fraudsters use phishing as a means to get access to online banking services or payment accounts such as PayPal, to obtain credit card numbers which can then be used fraudulently, or to gain access to people’s email or social networking accounts. While the latter does not usually pose an immediate risk of financial loss to the victim (unless the same password is reused for banking sites), compromised social networking and email accounts are often used to send unsolicited commercial advertisements, to spread viruses, or to perpetrate various scams (e.g., sending messages to the victim’s contacts claiming that he or she is stranded in a foreign country and urgently needs them to send money).

The most common form of phishing involves fraudsters sending millions of unsolicited emails. The message is made to look as if it came from a trusted establishment, such as a bank or payment processor, and asks the user to click on a link to confirm their information. Many pretexts are given for why you need to “verify” your data: your account was compromised and you need to review some recent transactions, the bank needs to update your file, you have received a payment in your account, and so on.

After the user clicks the link, whose visible text is often disguised to look like the institution’s legitimate URL while the actual destination is somewhere else entirely, they land on a fake website that mimics the site of the company being impersonated. The user is then asked to enter personal information, such as a user name and password or a credit card number, which goes straight to the fraudsters.

Another method used to “phish” for information is to send unsolicited emails to random addresses, purporting to be from Microsoft or an anti-virus vendor, telling computer users that they need to download an “important update” or “security fix”. The file is actually a “trojan horse”: it runs silently in the background whenever the computer is started and collects personal information, such as passwords and banking details, as the user types them on the keyboard (a keylogger). The captured information is then transmitted to the criminal.

Are there ways for computer users to protect themselves from phishing? Definitely. One of the best protections is the automatic filtering done by email providers such as Gmail and Hotmail. While not 100% effective, these filters block suspected phishing messages before they reach your inbox, or display a prominent warning that the message you are reading is a suspected phishing email.

There are also many internet security programs, some of them free, which can protect you from malicious downloads and warn you if you are entering a suspected phishing site.

The best protection is simply to keep your eyes open and use common sense. Many phishing emails and websites are hastily written and contain spelling and grammar mistakes that a bank or payment processor would not let through; treat these as a warning sign that something is wrong. The reverse does not hold: a polished, error-free message can still be a phish, so a clean message is not proof of anything.

While some banks do send legitimate emails to customers with links to their site, always confirm that you are really on the genuine site by reading the full host name in the address bar, not just looking for the company’s name somewhere in it: a host such as paypal.com.secure-login.example is not PayPal, and a bare IP address in place of a name is a strong sign of fraud. A padlock or key icon means only that the connection is encrypted and that the certificate matches the host name shown; phishing sites obtain valid certificates too, so the padlock does not vouch for who owns the site. In any case, if you have doubts about whether an email is genuine, contact the company it purports to be from by phone, using a number from your card or statement rather than one printed in the email, or by typing its web address into the browser yourself.
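The link-disguising trick described earlier and the address-bar checks just listed can be automated. The following is an added example, not code from the original article: it parses the links out of a constructed HTML email and flags the patterns a reader is told to watch for, namely visible text that names one domain while the href goes to another, a bare IP address as the destination, a trusted brand name buried inside an unrelated domain, and lookalike domains (paypa1.com for paypal.com). The trusted-domain list, the sample message and the function names are assumptions made for the example; real code should use the Public Suffix List rather than the crude “last two labels” rule used here.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example with hypothetical names; not code from the original article.
"""
import difflib
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains the mail claims to come from. A real deployment
# would take these from the organisation's own allow-list.
TRUSTED_DOMAINS = ("paypal.com", "example-bank.com")

# Constructed sample message: a lookalike domain, a bare-IP destination hidden
# behind a legitimate-looking URL, a trusted name used as a subdomain, and one
# genuine link as a control.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://paypa1.com/verify">confirm your account</a>.</p>
<p>Or visit <a href="http://203.0.113.5/login">https://www.paypal.com/login</a></p>
<p>Secure site: <a href="https://paypal.com.secure-login.example/">paypal.com</a></p>
<p>Help: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

# Visible anchor text that itself looks like a URL or a bare domain name.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Host part of a URL, or of bare text such as 'www.paypal.com/help'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude 'last two labels' approximation (example.co.uk would be wrong)."""
    if _is_ip(host):
        return host
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_link(href, text):
    """Return (code, detail) findings for one link; an empty list means clean."""
    findings = []
    dest_host = _host(href)
    if not dest_host:
        return findings  # mailto:, javascript:, empty href: out of scope here
    dest = registrable_domain(dest_host)
    if _is_ip(dest_host):
        findings.append(("ip-host", dest_host))
    if _URL_LIKE.match(text):
        shown = registrable_domain(_host(text))
        if shown != dest:
            findings.append(("text-mismatch", f"shows {shown}, goes to {dest}"))
    if dest in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if trusted in dest_host:
            findings.append(("embedded-trusted-name", f"{trusted} inside {dest_host}"))
        elif difflib.SequenceMatcher(None, dest, trusted).ratio() >= 0.85:
            findings.append(("lookalike", f"{dest} resembles {trusted}"))
    return findings


def scan_email(html):
    """Return [(href, visible_text, findings)] for every suspicious link."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        findings = classify_link(href, text)
        if findings:
            suspicious.append((href, text, findings))
    return suspicious


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{href!r} (shown as {text!r}):")
        for code, detail in findings:
            print(f"    {code}: {detail}")
```

Running the script flags the first three links and leaves the genuine www.paypal.com link alone. The similarity threshold is deliberately loose and will produce false positives on short domains; in practice the lookalike check is paired with a brand list and a review queue rather than used to block mail outright.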