Jul 11, 2012
“I keep hearing about this email problem called ‘phishing,’ and how it can damage my computer or make me lose money. Is phishing some kind of virus, and how do I make sure my email is safe?”
Phishing is generally not performed with a virus of any kind. Instead, it preys on what may be your computer’s weakest point, because it is perhaps the most difficult to protect with software or any other automated means: you.
A phishing attempt contains a link disguised to appear as a link to a banking/financial website, social network, popular online game or other website that requires a user name and password. When you click the link, it brings you to a website that looks just like the one you expect. However, the website resides on someone else’s domain. When you enter your user name and password, it gets added to a database which a hacker can later use to log in to your account. From here, the hacker can wreak all kinds of havoc, including emptying your bank account, sending false emails to all of your social networking friends and transferring all of your items out of your online game account.
The Anatomy of a Phishing Email
Let’s take a look at a typical email phishing attempt:
We are sending you this notes because we have completed a recent security upgrade that requires all of our customer to log in and confirm their passwords. Please click this link to log in to your bank account immediately. Note that if you do not do so within the next 48 hours, your account will be locked and you will need to call our customer service number to restore online access.
Bank of America Security Team
Now, let’s take a look at some of the aspects of this email that can help you identify it as a phishing attempt.
The link goes to the wrong domain name.
This one is a dead giveaway that you need to delete the email immediately. When you hover the mouse pointer over the link, you don’t see “bankofamerica.com.” Instead, you see something like “bankofamerica.syssu4483.com.” The domain name is the most important element of a link, because it tells you exactly where the link goes. Bank of America has nothing to do with the syssu4483.com domain.
They don’t know your name.
In fact, many of the people who receive the phishing email may not be customers of that business at all. The email addresses used for phishing attempts are generally huge lists harvested from a variety of sources, and since the hackers are trying to harvest passwords for popular websites, they assume that a significant number of the people who receive the phishing email will be customers of the institution they are targeting. Since it costs practically nothing to send a gazillion emails, the venture is profitable if just a few people are tricked into giving up their passwords. Therefore, phishing emails usually have generic greetings such as “Dear Customer.”
The email contains spelling or grammar errors.
Many phishing emails originate from locations where English is not the primary language spoken. As a result, it is very common to find spelling and grammar errors in phishing emails.
The email tries to create a sense of urgency.
Phishing attempts almost always try to get the victim to comply immediately by warning her that her account will be locked or disabled if she doesn’t log in right away. A legitimate institution isn’t going to do this; if there is truly a problem with your account, you’ll most likely be contacted by telephone (but even then, you should be skeptical and avoid providing any private information).
The originating email address is forged.
It’s easy to make the “From” field in an email say anything you like. For example, the “From” address in the sample phishing email above might be something like “firstname.lastname@example.org.” However, if you check the email’s source, the originating server will be a domain other than bankofamerica.com. The method for checking this depends on the email client or service you use. For example, if you use Yahoo! Mail, click the gear-shaped button above the message and choose “View Full Header” on the menu. After viewing the email source, check the “Received:” or “Received from” heading to see if the originating email server matches the domain stated in the “From” address.
The email contains a clickable link.
In order to encourage good security practices, a legitimate email from a bank or other institution vulnerable to phishing often will not contain any clickable links. After all, you know how to get to the website.
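The two checks above that can be automated, comparing a link's real domain with the domain you expect and comparing the “From” domain with the server that actually handed the message in (the first “Received:” hop), are shown here as an added Python example. It is not code from the original post; the sample messages, server names, IP address and header layout are constructed for illustration, and the greeting and urgency word lists are just the ones the post describes.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the post's example. The Received line,
# the IP address and the syssu4483.com server are made up for illustration.
SAMPLE_PHISH = """\
Received: from mail.syssu4483.com (mail.syssu4483.com [203.0.113.7])
    by mx.example.net with ESMTP; Wed, 11 Jul 2012 09:12:44 -0400
From: Bank of America Security Team <security@bankofamerica.com>
To: customer@example.net
Subject: Security upgrade - confirm your password within 48 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We are sending you this notes because we have completed a recent
security upgrade. Please <a href="http://bankofamerica.syssu4483.com/login">
click this link</a> to log in immediately or your account will be locked.</p>
</body></html>
"""

# Constructed legitimate-looking message for comparison: personal greeting,
# no link, and the first hop is a host under the claimed sender domain.
SAMPLE_LEGIT = """\
Received: from smtp.bankofamerica.com (smtp.bankofamerica.com [192.0.2.25])
    by mx.example.net with ESMTP; Wed, 11 Jul 2012 10:01:03 -0400
From: Bank of America <statements@bankofamerica.com>
To: customer@example.net
Subject: Your July statement is available
Content-Type: text/plain

Hello Jane Doe,

Your July statement is ready. Sign in to online banking the way you
normally do to view it.
"""


def hostname_belongs_to(hostname, expected_domain):
    """True only if hostname IS expected_domain or a subdomain of it.

    'bankofamerica.syssu4483.com' does not belong to 'bankofamerica.com':
    the registrable domain is the right-hand end of the name, not the left.
    """
    hostname = hostname.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def sender_domain(msg):
    """Domain part of the (easily forged) From address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def first_received_host(msg):
    """Host named in the earliest Received header (the last one listed)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.match(r"\s*from\s+([\w.-]+)", received[-1])
    return m.group(1).lower() if m else None


def link_hosts(body):
    """Hostnames of every href="..." link in the body."""
    return [urlparse(h).hostname for h in re.findall(r'href="([^"]+)"', body)]


def phishing_indicators(raw_message, expected_domain):
    """Return a list of the warning signs the post describes, empty if none."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    findings = []

    hosts = link_hosts(body)
    foreign = [h for h in hosts if h and not hostname_belongs_to(h, expected_domain)]
    if foreign:
        findings.append("link to foreign domain: " + ", ".join(foreign))
    elif hosts:
        findings.append("clickable link present")

    if re.search(r"dear (customer|user|member)", body, re.I):
        findings.append("generic greeting")
    if re.search(r"\b(immediately|within \d+ hours|locked|suspended)\b", body, re.I):
        findings.append("urgency language")

    origin = first_received_host(msg)
    claimed = sender_domain(msg)
    if origin and claimed and not hostname_belongs_to(origin, claimed):
        findings.append(f"From claims {claimed} but first hop is {origin}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(raw, "bankofamerica.com"))
```

The domain comparison is the part worth copying: a link is only “on” bankofamerica.com if the hostname ends with `.bankofamerica.com` (or equals it), which is exactly why `bankofamerica.syssu4483.com` fails. Heuristics on wording are supporting evidence at best, and a message with a personal greeting and no link can still be a phish, so the post's advice to type the address yourself still stands.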
All Online Communication is Vulnerable to Phishing
To maintain your online security, it is important to remember that email is not the only form of online communication vulnerable to phishing. You may also receive phishing attempts over instant messaging and social networking services. A phishing attempt received in this manner is often the result of a two-pronged attack. The hacker used a phishing email to obtain your friend’s instant messaging or social networking password, then used her account to send messages to all of her friends. This type of attack employs a technique known as social engineering – if you believe the message truly originated from your friend, you will be more likely to believe it is safe and click the link. If you have the ability to contact your friend via another means such as email or telephone, it would be wise to do so and let her know that her account has been compromised.
To keep your own instant messaging, social network and online game accounts safe, remember that an official representative of that service will never use email, instant messages or other insecure means of communication to ask you for your password.
Protect Your Online Accounts From Phishing
So, with all of this information in mind, what are the best steps you can take to protect yourself from phishing attempts?
Never click links in email, instant messages or private messages on social networking websites.
If you believe that a message could be legitimate and you want to log in to your account to confirm, type the address of the website manually.
Activate your Web browser’s phishing protection feature.
All modern Web browsers have built-in phishing protection and will flash a warning message if you arrive at a website that may be something other than what it claims to be. This protection is always enabled by default, but it never hurts to check your browser’s options and confirm that phishing protection is on.
Install Internet security software.
Macs are not invulnerable to malware. Thankfully, a number of free anti-virus programs are available for OS X such as Sophos, Avast! and iAntivirus. We recommend installing one of these to keep your Mac protected.
For the PC, Microsoft Security Essentials is a good free solution that protects your computer from many types of online attacks. If you need something more comprehensive, ESET Smart Security is a good security program that starts at $59.99 per year of protection.
Remember the Golden Rule of phishing protection.
To keep yourself safe from email phishing, always remember the most important rule of phishing protection: security software and automatic phishing protection are not replacements for good security practices on your part. Never click those links!