You may have heard of the latest online threat to Internet users' personal
security, an advanced hack known as "phishing." Phishing is a specific type
of identity theft that can occur only on the Internet. You respond to an
innocent, legitimate-looking email, log in to what appears to be your bank's
website, and suddenly the phishers have your bank account number, credit card number,
PIN, and any other information you entered in the website. This growing
threat is taking its toll on the Internet community; according to the
Anti-Phishing Working Group, there were 1,518 active phishing sites reported
in November 2004 alone.
Phishing scams come in several forms, but they all share the same basic
trait: a legitimate-looking email asking you to renew your bank account
information or some other personal data. The most common phishing scam is
an email that appears to be from a bank stating that you need to verify
your bank account information. It will ask you to click on a legitimate-looking
link in the email; the link actually leads to the phishing site, however.
Phishing sites use several different methods to make their site look like
the real site. The actual images and text on the page will look nearly
identical to the legitimate site. Sometimes the site will try to "spoof"
the address bar, hiding the phishing URL with the bank's actual URL, so
it looks like you're visiting the real site. The really devious phishing sites
will use the login information you entered to log you in to the actual
bank's website, so you have no clue you were scammed.
Another method used by phishers is an HTML form embedded in the email.
In this method, the legitimate-looking email includes a form right in the
email to input your important information. This method is particularly
dangerous, as an HTML form in an email can do any number of things, including
automatically sending all the data entered to a phishing site or email
address owned by phishers.
One other trick utilized by phishers is using pop-up windows to give the
appearance of legitimacy. The actual bank's website will be opened in the
background and the phishing site will be opened as a popup window. The
pop-up looks like it's part of the legitimate site and it usually does not
include an address bar, so it doesn't have to spoof the address bar.
Some spyware programs will install a corrupt "Hosts" file. The corrupt hosts
file causes certain website names entered in the address bar to resolve to
other sites. Thus you will type your bank's address into the address bar,
but your browser will be redirected to the phishing site without your
knowledge.
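As an added illustration (not part of the original article), the check below is the kind of hosts file analysis a spyware scanner performs: it parses a hosts file and flags any watched domain that is mapped to a routable address instead of loopback. The sample hosts file, the WATCHED_DOMAINS set and the domain names are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test
# Entry a spyware installer might add (hypothetical domains)
203.0.113.45    www.examplebank.test examplebank.test
"""

# Hostnames the user logs in to (assumption for the example).
WATCHED_DOMAINS = {"examplebank.test"}


def parse_hosts(text):
    """Yield (ip, [hostnames]) for each non-comment hosts-file line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def is_sinkhole(ip):
    """Loopback and 0.0.0.0/:: entries only block or localise a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_suspicious(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs where a watched domain, or any subdomain
    of it, is pointed at a routable address: that entry silently redirects
    the browser even though the address bar shows the right name."""
    hits = []
    for ip, names in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        for name in names:
            base = name.lower()
            if any(base == w or base.endswith("." + w) for w in watched):
                hits.append((base, ip))
    return hits
```

Running find_suspicious(SAMPLE_HOSTS) reports both examplebank.test names as redirected to 203.0.113.45, while the localhost and 0.0.0.0 entries are left alone.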
There are several good practices that will help you avoid getting swindled
by a phishing scam:
- Whenever you get an email that looks like it came from a bank, do not
click on the link in the email. Enter the URL manually into the address
bar. In this way you avoid having false links redirect you to phishing
sites.
- Do not fill out forms in emails for anything important. Most banks
and other legitimate websites do not use HTML forms in emails because
they are inherently insecure.
- When logging in to a bank website, check the lower right-hand corner
of the browser for a lock icon. This icon will only appear when the site
is using secure HTTP and is verified to be legitimate. Phishing sites will
not display this icon.
- Use a spyware scanner with a hosts file analyzer to keep your hosts
file clean and your computer clean of spyware.
Several programs exist that are designed to stop phishing scams from
exploiting users. One method is for the anti-phishing program to collect
your credit card number and other vital information, and when it notices
that you are entering this information into a web browser, it pops up,
reminding you to check if the site is legitimate or not. This method keeps
the user informed, but relies on the user to verify if a site is in fact
legitimate or a scam.
Another method is collecting a blacklist of known phishing sites and not
allowing your computer to access those sites. This method works only while
the phishing site is on the blacklist and the anti-phishing program has
that blacklist, and it has several drawbacks. The anti-phishing program must
have the most up-to-date blacklist downloaded from the anti-phishing
company's website. The average lifespan of a phishing site in November 2004
was around six days (according to the Anti-Phishing Working Group), so the
blacklist must be constantly updated.
One of the better methods for blocking phishing sites is for the anti-phishing
program to maintain a list of definitions for the legitimate sites based
on the content of the page. When the browser loads a page that matches one
of the definitions, the anti-phishing program checks the page's URL against
the known safe URLs for that definition. If the site does not match, the
anti-phishing program displays a pop-up warning the user that the site is
likely a phishing site and the user should not enter any information into
the site.
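As an added example (not the article's or any vendor's code), here is the content-definition method in miniature: a page whose text matches the definition of a known bank login page is checked against that site's list of safe hosts, and a mismatch is flagged. The definition, the sample page and the examplebank.test domains are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Content definitions for legitimate sites (constructed, hypothetical domains):
# phrases identifying the login page plus the hosts allowed to serve it.
DEFINITIONS = {
    "Example Bank": {
        "phrases": ["example bank", "online banking", "account number", "pin"],
        "min_matches": 3,
        "allowed_hosts": {"www.examplebank.test", "examplebank.test"},
    },
}
_TAG = re.compile(r"<[^>]+>")


def page_text(html):
    """Lower-cased visible text with tags stripped (attributes ignored)."""
    return re.sub(r"\s+", " ", _TAG.sub(" ", html)).lower()


def match_definition(html):
    """Return the name of the first definition the page content matches."""
    text = page_text(html)
    for name, d in DEFINITIONS.items():
        hits = sum(1 for p in d["phrases"] if p in text)
        if hits >= d["min_matches"]:
            return name
    return None


def classify(url, html):
    """Return (verdict, definition) for a page loaded from url. A page that
    looks like a known login page but is served from a host outside that
    site's allow-list is reported as a likely phishing site."""
    name = match_definition(html)
    if name is None:
        return ("unknown", None)
    host = (urlparse(url).hostname or "").lower()
    if host in DEFINITIONS[name]["allowed_hosts"]:
        return ("legitimate", name)
    return ("likely-phishing", name)


# Constructed sample page resembling the bank's sign-on form.
SAMPLE_PAGE = """<html><title>Example Bank - Online Banking</title>
<body><h1>Welcome to Example Bank</h1>
<form action="/login"><label>Account number</label><input name="acct">
<label>PIN</label><input name="pin" type="password"></form></body></html>"""
```

classify("https://www.examplebank.test/login", SAMPLE_PAGE) returns ("legitimate", "Example Bank"), while the same page served from examplebank.test.secure-login.invalid returns ("likely-phishing", "Example Bank"); a look-alike host name does not help the phisher because the allow-list is an exact host match.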
Phishing is a very dangerous problem. Most Internet users are not
technically savvy enough to know how to determine a genuine site from
a phishing site, and as such more and more people are falling victim to
identity theft via phishing. And phishing is a growing threat; according
to the Anti-Phishing Working Group, the number of distinct phishing sites
has grown at a monthly average of 28% between July 2004 and November 2004.
The best defense against phishing is education about the problem and proper
tools to defend against phishing scams. Taking the time to learn about yet
another Internet security threat can be disheartening, but not as
disheartening as falling victim to identity theft. By following the
guidelines mentioned above and using an adequate anti-phishing tool, you
can protect yourself against the newest Internet threat.