
The Beginner's Guide to Phishing

Discussion in 'Archives' started by locateme, Mar 22, 2007.

  1. locateme

    locateme Guest


    Taken from http://domainsmagazine.com/Domains_15/Domain_257.shtml (WoW Sucks)


    This article is the first in an occasional series on scams and frauds on the internet, and how to avoid them.

    This week we'll take a look at the scamming technique most commonly known as "phishing", which is becoming a growing problem on the internet. In 2004 alone, there has been a 40% rise in the number of recorded attacks, and the situation is only likely to get worse. The term "phishing" comes, unsurprisingly, from the word fishing, and follows a very similar approach. Fraudsters and scammers (the "fishermen") send out large quantities of emails (the "bait") to mostly random addresses across the internet. These emails appear to be from a variety of banks, financial services and sites like eBay, AOL and PayPal, all asking the victim to enter their account and/or credit card details, for a variety of reasons, from supposed 'problems' with computer systems losing account details, through to the more genuinely helpful looking reasons such as checking that a recent 'credit transaction' was not unauthorized. Although only a small proportion of people (about 5%) will actually respond to phishing emails, for the scammer this is still a very large return for a minimum of risk. It is not currently illegal to send a phishing email; a crime is only committed if the scammer actually obtains the details he is after.

    There is no foolproof defense against phishing, other than to be aware of the dangers and alert in case you are ever targeted. At millersmiles.co.uk, we look carefully at every spoof email that we receive, and then create reports on their content and method. These reports are listed in our archive, along with screenshots of every email and the spoof website it is linked to, allowing you to search for a suspect email to see if it has been reported and to confirm for yourself it is a fraud. The site is updated daily, so if you visit regularly you will get a good idea of what scams to expect. You can also use our XML feed, which lists the most recent scams and their subject lines, to help you spot them quickly. Our archive stretches back several years and includes all the major scams and their variations over this period. The site is free to use; our aim is to make the internet a safer place!

    Phishing emails come in all shapes and sizes. Some look extremely professional and realistic, whilst others are crude and badly constructed. Sometimes this is a ploy to make the victim think they are dealing with someone too uneducated to be capable of deception, and other times it is more likely a reflection of the poor English skills of the creator(s). Of the hundreds of emails we capture or are forwarded daily at millersmiles, most are simply duplicates of scams already in circulation, and others are either incomplete or outdated. The most common technique is to tell the victim there has been some sort of problem with their account, and that it needs to be 'verified' to keep it from being closed or suspended. The recipient is then prompted to either enter their details into a form in the email, or to click a link to the 'official site' of the supposed sender. The actual site the link goes to is a spoof page created to look exactly like the real website it is mimicking, so at a glance you would never know the difference. Some of the more sophisticated spoofs even fake the URL in the address bar, so the site address even looks authentic.

    -NEVER TRUST AN EMAIL SENDER

    Did you know that you can fake the return address in an email? For the less computer literate, that's the bit of the email that tells you who it's from. The sender can choose any name/supposed address they want, so never trust an email just because it appears to be from a legitimate address. It is a well-known fact that over 95% of phishing attacks use spoofed email addresses to appear more authentic.

    -ALWAYS CHECK THE CONTENT

    Whilst the most professional spoofs may be almost indistinguishable from the real thing, other scams are much easier to spot.

    A common technique used by scammers is to include all of the email's text as an image, and have the whole image link to a spoof website when clicked. This is a tactic to avoid email scanners that can scan the text in an email but not images. If you can't click and select the text as normal with the mouse, simple, it's a scam. Authentic emails are never constructed like this.

    Bad spelling and grammar are also a dead giveaway, as are places that seem unable to spell their own names, e.g. 'Alert from Ciitibnk'. Banks and the like don't send out emails with mistakes as bad as these.

    -DON'T OPEN ATTACHMENTS

    Sometimes a spoof email will come with an attachment. Don't open it! It may be harmless, but there is no need to take the risk. This is the most common way that viruses are spread, and as well as being a scam the email may try and infect your computer with programs that steal information from you without your knowledge. 90% of computer viruses are distributed via email, so don't take the risk.

    -UPDATE YOUR COMPUTER SECURITY



    An unprotected computer on the internet is like a house without locks - extremely vulnerable. To make your computer safer and more secure, there are 3 basic steps you can take:

    Get an antivirus program (and keep it updated). Antivirus programs sit on your computer and scan every file in case it's infected with a virus. They can then remove it from your system. It is essential to keep an antivirus up to date, as new viruses appear every day. Most antivirus programs will do this for you automatically.

    Get a spyware removal program (and keep it updated). Ad removal programs are an essential companion to an antivirus, as they can pick up programs that the antivirus can miss. Some programs, known as 'spyware', are not classed as viruses, but are still potentially harmful, as they can sit on your computer gathering information without your knowledge or consent. Some can even record every keyboard press you make, thus capturing important information such as passwords and credit card details.

    Update your operating system. Most people these days use Microsoft Windows, but unfortunately Windows is not flawless, and security holes and other issues are regularly discovered that an attacker could exploit to get inside your computer and steal information. Fortunately Microsoft fix every weakness they find, so make sure you've got all the latest updates at http://windowsupdate.micosoft.com.

    -NEVER GIVE OUT YOUR PERSONAL DETAILS

    This is the simplest rule of all. Banks, financial institutions and the like will never ever send you an email asking you to directly verify your account or update your details via an email. It simply doesn't happen. In such rare cases where problems occur they will contact you directly by phone, letter or other means. Even if an email looks authentic, it more than likely isn't. For example, did you know that a link can say one address but actually go somewhere completely different? You could click on a link that said www.paypal.com, but get taken instead to www.stealallyourmoney.com.

    -VISIT SITES DIRECTLY

    If you are going to visit any site where you intend to enter your account details or similar, you should only go there by typing the site's address directly into the browser address bar, not by clicking a link in an email. This is the only way to be sure you are visiting the real site and not some sort of spoof.


    Hope this will help. Many of you will get bored reading, but this might save your cash and may spare you some unwanted issues. So read it; it is only 2-3 mins of your life.

    Thanks
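
The guide's two content checks (a link whose visible text names one site while its href goes to another, and a body that is a single clickable image with no selectable text) can be automated for HTML mail. This is an added example, not part of the original post or article; the function names and sample messages are constructed for illustration, and the domains are the ones the guide itself uses.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class LinkAudit(HTMLParser):
    """Collects (href, visible text) pairs, image count and selectable text length."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._buf = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._buf = attrs["href"], []
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def host(value):
    """Lower-cased hostname of a URL or bare domain, without a leading 'www.'."""
    h = (urlparse(value if "//" in value else "//" + value).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def audit(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if shown:
            s, h = host(shown.group()), host(href)
            if h != s and not h.endswith("." + s):  # subdomains of the shown site are fine
                findings.append(f"link text shows {s} but goes to {h}")
    if parser.images and parser.text_chars == 0:
        findings.append("body is image-only (no selectable text)")
    return findings

# Constructed sample bodies, not real captured mail.
SAMPLE_MISMATCH = '<p>Please verify your account:</p><a href="http://www.stealallyourmoney.com/login">www.paypal.com</a>'
SAMPLE_IMAGE = '<a href="http://www.stealallyourmoney.com/"><img src="notice.gif"></a>'
SAMPLE_OK = '<p>Your statement is ready at <a href="https://www.paypal.com/">www.paypal.com</a></p>'
```

A clean result only means these two tricks were not used; a link whose text is plain wording such as "click here" carries no shown domain to compare against.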
     
  2. WoW Sucks

    WoW Sucks Global Moderator
    Banned


    Wow, nice, I'll move this to User Education. Thanks :)

    You may use this in your app if you want to apply.

    EDIT: GIVE DAMN CREDIT (Thanks people who told me) INCLUDING --> Repentless and Sin666
     


 
 