What is Phishing?

Phishing refers to the process where a targeted individual is contacted by email or telephone by someone posing as a legitimate institution to lure the individual into providing sensitive information such as banking information, credit card details, and passwords. The personal information is then used to access the individual’s account and can result in identity theft and financial loss.

Legally, phishing is a cyber crime in which phishers create an imitation of a company’s website to trick users into providing sensitive information. The first phishing lawsuit was filed in 2004 against a Californian teenager who created an imitation of the “America Online” website. With this imitation website, he was able to gain sensitive information from users and use their credit card details to withdraw money from their accounts. Besides Internet phishing, there is also phone phishing, where a message from a fake bank officer or other official-sounding individual asks you to dial a number and enter your PIN codes and account number to “verify” the bank account. Unsuspecting victims who call the fake number and provide all the requested information soon find that money is missing from their accounts (see History of Phishing for more background information).

Features of Phishing Emails:

1) Luring emails

Phishing scams often include lucrative offers and eye-catching or attention-grabbing statements in the emails. The mails are designed to attract people’s attention immediately. For instance, the email may claim that you have won an iPhone or a grand lottery. To prevent phishing attacks, you should not click on these emails. Many people fall prey to these luring phishing emails because they are captivated by the promises – only to suffer the consequences later.

2) Urgent emails

A favorite phishing tactic is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, you shouldn’t get carried away but just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, it’s best to contact the company directly by telephone.

3) Link to another Website

A link may not be all it appears to be. Move your mouse over the link to see the real address you will be sent to when you click it: the visible text may read http://www.example.com/i/one while the link actually points to a different site such as http://www.example2.com/i/one. When phishers send you a link that claims to lead to your bank’s homepage and you click on it, you are sent instead to a phishing website that looks very much like the official one. The site provides fields for personal information such as credit card numbers, SSN, PIN, password, date of birth, and so on. Once you submit the information, the phishers have it and can use it to conduct online transactions, or even to submit loan applications in your name.

4) Spam Mails

In phishing, bulk mails are usually sent to a very large number of users. Spam mails exploit the weaknesses of current security techniques in order to reach users and harvest sensitive information. It’s not uncommon for phishers to send millions of emails at one time.

5) Generic Names

Phishing emails are typically sent in batches and generic names are used to send emails. If the emails do not contain your name, you should be suspicious. Generally, these emails will address users as “Dear Customer” instead of using proper and valid names.

Anti-Phishing Techniques:

Though phishers are always coming up with new phishing techniques, there are some things that can be done to fight phishing. Here are some anti-phishing techniques:

  • To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send the message, and the appearance of the message to determine whether it is spam. Occasionally, spam filters may even block emails from legitimate sources, so they aren’t always 100% accurate.
  • The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep a list of fake websites and when you try to access the website, the address is blocked or an alert message is shown. The settings of the browser should be appropriate to only allow reliable websites to open up.
  • Many websites require users to fill in the Login information and password while the user image is displayed. This type of system may be open to security attacks. One way to ensure security is to change passwords on a regular basis. It’s also a good idea for websites to use a CAPTCHA system for added security.
  • Banks and financial organizations use monitoring systems to prevent phishing. Individuals can report phishing to industry groups where legal actions can be taken against these fraudulent websites. Organizations should provide training to employees to recognize phishing risks.
  • Changes in browsing habits are required to prevent phishing, but you should also not get lured into fake deals. If verification is required, always contact the company personally before entering any details online.
  • If an email contains a link, check the address in the link. Safe websites mostly begin with “https”. If the website linked from the email does not use “https”, the email may be a fake; note, however, that “https” alone does not prove a site is genuine, since phishers can also buy certificates.

Sometimes, a visually similar web address is used to take users to a fraudulent webpage. This technique is called IDN spoofing: phishers register internationalized domain names built from look-alike characters and use URL redirecting techniques to move the user from what appears to be a trusted domain to a fraudulent one. It has been observed that even a website’s digital certificate may not resolve the problem of phishing, because the owner of a phishing website can buy a certificate and change the look of the website to make it resemble the genuine one.
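The checks described above (a visible link that differs from its real target, a non-https link, a look-alike internationalized domain, and a generic “Dear Customer” greeting) can be automated. The following Python script is an added example written for this page; it is not code from the original article or from Phishing.org. It runs over a constructed sample email body, and the sample domains, the `xn--pple-43d.com` punycode host and the keyword lists are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not a real message). It shows the
# link text http://www.example.com/i/one pointing at example2.com, a
# punycode host that decodes to a look-alike of apple.com, and one
# harmless link as a control.
SAMPLE_EMAIL = """
<p>Dear Customer,</p>
<p>Your account will be suspended in 30 minutes unless you verify it now:</p>
<p><a href="http://www.example2.com/i/one">http://www.example.com/i/one</a></p>
<p><a href="https://xn--pple-43d.com/login">https://apple.com/login</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
"""


class AnchorExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-cased host of a URL, or '' if the string is not a URL."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host):
    """Crude last-two-labels approximation (www.example.com -> example.com)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def decode_idn(host):
    """Show the Unicode form of a punycode host so a reviewer sees the look-alike."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def analyse(html):
    """Return a list of (finding_kind, detail) tuples for one email body."""
    findings = []
    greeting = re.search(r"dear\s+(customer|user|member|client)\b", html, re.I)
    if greeting:
        findings.append(("generic_greeting", greeting.group(0)))
    urgency = re.search(r"\b(\d+\s+minutes?|immediately|suspended)\b", html, re.I)
    if urgency:
        findings.append(("urgency", urgency.group(0)))

    parser = AnchorExtractor()
    parser.feed(html)
    for href, text in parser.anchors:
        host = hostname(href)
        if urlparse(href).scheme != "https":
            findings.append(("not_https", href))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode_host", f"{host} -> {decode_idn(host)}"))
        shown = hostname(text)  # only set when the visible text is itself a URL
        if shown and registrable(shown) != registrable(host):
            findings.append(("link_mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"{kind:16} {detail}")
```

Run against the sample, the script reports the generic greeting, the urgency wording, the plain-http link, the punycode host together with its decoded look-alike form, and two link mismatches; the control link produces nothing. None of these signals is proof on its own (legitimate mailers also use tracking redirects, and many real domains are internationalized), so the output is best used to decide which messages a person should look at, not to block mail automatically.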

Generally, the emails sent by a bogus company are masked so they appear to be sent by one of the banks or business institutions whose services are used by the recipient. Mostly, a bank will not ask for personal information via email or suspend your account if you do not update your personal details within a certain period of time. Most banks and financial institutions also usually provide an account number or other personal details within the email, which ensures it’s coming from a reliable source.
