Courtesy of ILRI/ICRAF's ICT Helpdesk

What is it?

Phishing (fish´ing) (n.) is the act of sending an e-mail to a user while falsely claiming to be an established, legitimate enterprise, in an attempt to scam the user into surrendering private information that will then be used for identity theft. The e-mail directs the user to a Web site where they are asked to "update" personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.

What does a phishing scam look like?

Here are a few phrases and features to look for if you suspect that an e-mail message is a phishing scam.

- "Verify your account." For example, if you receive an e-mail claiming to be from Microsoft that asks you to update your credit card information, do not respond: this is a phishing scam.
- "If you don't respond within 48 hours, your account will be closed."
- "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
- "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you would fill out a form on a Web site.
- The "From" field appears to be from the legitimate company mentioned in the e-mail. It is important to note, however, that it is very simple to change the "From" information in any e-mail client, so it proves nothing about who really sent the message. While we're not going to tell you how, rest assured it can be done in a matter of seconds!
- The e-mail will usually contain logos or images that have been taken from the Web site of the company mentioned in the scam e-mail.
- Additionally, you may spot elements such as logos that are not an exact match for the company's logo, spelling errors, percentage signs followed by numbers or "@" signs within the hyperlink, random names or e-mail addresses in the body of the text, or e-mail headers that have nothing to do with the company mentioned in the e-mail.

Who Is Behind the Phishes & Why?

- The people behind phishing e-mails are scam artists.
- They literally send out millions of these scam e-mails in the hope that even a few recipients will act on them and provide their personal and financial information.

Anyone with an e-mail address is at risk of being phished. Any e-mail address that has been made public on the Internet (posted in forums, newsgroups or on a Web site) is more susceptible to phishing, because the address can be harvested by spiders (crawlers) that search the Internet and grab as many e-mail addresses as they can. This is why phishing is profitable for scammers: they can cheaply and easily obtain millions of valid e-mail addresses to send these scams to.

How can you avoid being phished?
- The golden rule to avoid being phished is to never click the links within the text of the e-mail.
- Always delete the e-mail immediately. Once you have deleted the e-mail, empty the trash folder in your e-mail client as well. This also prevents "accidental" clicks from happening later.
- If you are truly worried that an account may be in jeopardy unless you verify your information, open your Web browser of choice, type the URL of the Web site into the address field yourself and log on as you normally would (without going through the e-mail link as a shortcut). This will give you accurate information about your account and completely avoids the possibility of landing on a spoof Web site and handing your information to someone you shouldn't.

What should you do about phishing e-mails should you be a recipient of them?
- You can visit the Web site of the company the e-mail appears to be from and take the time to notify them of the suspicious e-mail. Many companies do want to know if their name is being used to try to scam people, and you will find scam and spoof reporting links on some of these Web sites.
- You can also report phishing to the Federal Trade Commission (FTC), and depending on where you live, some local authorities may also accept Internet phishing scam reports.
- You can also send details of a phishing scam to the Anti-Phishing Working Group, which is building a repository/database of common scams to help inform people of the risks.

The New Phish - Spear Phishing
- As with all malicious code, once a small percentage of the population starts to catch on, the perpetrators find ways to make the attack a little different and, in this case, make the phish harder to net.
- The newest type of phishing scam is one that focuses on a single user or a department within an organization. The phish appears to be legitimately addressed from someone within that company, in a position of trust, and requests information such as login IDs and passwords.
- Spear phishing scams will often appear to be from a company's own human resources or technical support divisions and may ask employees to update their usernames and passwords. Once hackers get this data they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can steal data.
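The indicators listed under "What does a phishing scam look like?" (a generic "Dear Valued Customer" greeting, deadline and "verify your account" pressure, a From line that is trivially forged, "@" signs and percent-encoded characters inside hyperlinks, link text that does not match where the link really goes) and the forged trusted sender of the spear-phishing variant can all be checked mechanically before anyone clicks. The Python script below is an added example written for this page, not code from the ILRI/ICRAF Helpdesk. Both messages it scans are constructed for the demonstration, and every address, hostname and IP in them is made up; since the From header itself cannot be trusted, the sender check compares the From domain with the Reply-To domain, which is where any "verification" reply would actually be delivered.

```python
"""Heuristic scanner for the phishing indicators described in the text.
Added example, not from the ILRI/ICRAF Helpdesk page; sample messages and
every address/hostname in them are constructed for this demonstration."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: deadline pressure, generic greeting, a Reply-To on
# another domain, and a link whose visible text hides an '@' + raw-IP target.
PHISH_EMAIL = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@mail-example-bank.biz
Subject: Verify your account within 48 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>If you don't respond within 48 hours, your account will be closed.</p>
<p><a href="http://www.example-bank.com@198.51.100.7/%6Cogin">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed benign sample: named recipient, no deadline, link text matches its target.
BENIGN_EMAIL = """\
From: "Example Bank" <statements@example-bank.com>
Subject: Your March statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Doe,</p>
<p>Your statement is ready: <a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
</body></html>
"""

URGENCY = re.compile(r"within \d+ hours|account will be (closed|suspended)|verify your account", re.I)
GENERIC_GREETING = re.compile(r"\bdear (valued )?(customer|user|member|client)\b", re.I)
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
RAW_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _mail_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def scan_message(raw):
    """Return (indicator, detail) pairs found in one raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Header check: From is forgeable, so compare it with Reply-To, where answers really go.
    from_domain, reply_domain = _mail_domain(msg.get("From")), _mail_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"From {from_domain} but Reply-To {reply_domain}"))
    # Body checks: bulk greeting and the deadline / 'verify your account' phrases.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    greeting = GENERIC_GREETING.search(text)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))
    for m in URGENCY.finditer(str(msg.get("Subject", "")) + "\n" + text):
        findings.append(("urgency", m.group(0)))
    # Link checks: '@' in the authority, percent-escapes, raw-IP host, text/target mismatch.
    extractor = _LinkExtractor()
    extractor.feed(text)
    for href, visible in extractor.links:
        target = urlparse(href)
        if "@" in target.netloc:
            findings.append(("at_sign_in_link", href))
        if PERCENT_ESCAPE.search(href):
            findings.append(("percent_escape_in_link", href))
        if target.hostname and RAW_IP.match(target.hostname):
            findings.append(("ip_address_host", target.hostname))
        if LOOKS_LIKE_URL.match(visible):  # only compare when the text itself looks like a URL
            shown = urlparse(visible if "://" in visible else "http://" + visible).hostname
            if shown != target.hostname:
                findings.append(("link_text_mismatch", f"shows {shown}, goes to {target.hostname}"))
    return findings


def indicator_codes(raw):
    """Distinct indicator names for a message; an empty set means nothing was flagged."""
    return {code for code, _ in scan_message(raw)}
```

Calling `indicator_codes(PHISH_EMAIL)` flags all seven indicators, while the benign statement notice returns an empty set. The heuristic is deliberately as narrow as the page's own list: a real mail gateway would also look at the Received and Return-Path headers, because Reply-To is only one of the ways a forged sender steers replies, and it would resolve the link host against a reputation list rather than stopping at "is it a raw IP".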