How to Identify Phishing

What is Phishing?

The odd spelling is a nod to the fishing you do in a lake with a pole. Phishers also put out bait and wait for a bite. They want YOU to be the fish.

These scams lure you to a page that imitates the login of a financial institution, or of any other site where your credentials are worth something to the attacker. Often the “hook” is an e-mail that appears to come from a trusted source and urges you to click a link to a site made to look like the one you know. Another common scheme, especially on social networks, abuses the messaging systems built into those products; the messages may even come from friends who have themselves fallen prey to the scam.

Once you are on the phishing site, anything you type into its login form is sent to the attackers, even though the page looks just like the site you trust.

How to Identify a Phishing Link

First things first: the URL (Uniform Resource Locator), the web page’s full address, is the most telling hint of whether you are being scammed. Your location bar is usually at the top of the browser window, and the text in it starts with http:// or https://. Note that https:// (and the padlock that goes with it) only means the connection is encrypted; it says nothing about whether the site at the other end is genuine.

Whoever registers a domain such as mybank.com (or a .net, .org, etc. name) controls everything under it and can create as many sub-domains as they want. Scammers use this to put your bank’s name in front of their own domain name.

Let’s say your bank’s website is mybank.com. A scammer might use mybank.verysecurebank.com, which looks pretty convincing. But remember: your bank can own anything ending in .mybank.com (e.g. online.mybank.com), while whoever owns verysecurebank.com (the scammer in this case) can put anything in front of verysecurebank.com, including the name of your bank.

Using the URL to spot the scam means you have to understand the difference between verysecurebank.mybank.com and mybank.verysecurebank.com. If they look the same to you, know that this makes you extra vulnerable. The rule is to read the host name from the right: the registered domain is the last two parts before the first single slash (mybank.com versus verysecurebank.com), and everything to the left of it belongs to whoever owns that domain. Just when you thought it couldn’t get worse, the scammers often get really devious and use mybank.com.verysecurebank.com. The URL begins with your bank’s complete web site name, but it is still a scam!

Avoid being Phished.

  • Login to the website itself.

You need to go to your bank, or whichever site this is, directly. Don’t click links in e-mails or messages; instead, type the address you usually use into the location bar, or use a bookmark you created yourself. If you search for the bank’s name, pick the bank’s own result rather than a sponsored one. Once you are on the real site, log in there. This ensures you are on the correct website and not handing your credentials to a third party.

  • In the e-mail you received, hover your mouse over the link without clicking it. The address the link really points to is shown at the bottom of the browser window (the status bar), as shown in the screenshot below, and it is often different from the text of the link. Check that address against the rules above before deciding whether the link is genuine.
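The two checks described above (reading the registered domain off a URL, and comparing a link’s visible text with where the link actually goes) as an added worked example in Python. This is not code from the original article: mybank.com and verysecurebank.com are the placeholder names used in the text, the e-mail body and the tiny suffix set are constructed for the example, and it also covers one trick the text does not mention, a URL of the form http://mybank.com@verysecurebank.com/, where everything before the @ is a user name and the real host is verysecurebank.com.

```python
"""Classify the links in an e-mail the way the text says a reader should:
find the real destination (what hovering reveals) and work out which
registered domain actually owns it."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registered domain has three labels, not two. Real code should load the
# full list (publicsuffix.org); this set only covers the examples below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def with_scheme(url):
    """Hover text and anchor text often lack a scheme; urlsplit needs one."""
    return url if "://" in url else "http://" + url


def registrable_domain(url):
    """Return the domain somebody had to register to serve this URL.

    urlsplit(...).hostname lowercases the host and drops any port and any
    userinfo, so http://mybank.com@verysecurebank.com/ resolves to
    verysecurebank.com (the text before '@' is a user name, not a host).
    """
    host = urlsplit(with_scheme(url)).hostname
    if not host:
        return ""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def looks_like_url(text):
    """True when the visible link text itself reads as a web address."""
    return URL_LIKE.fullmatch(text.strip()) is not None


def classify_link(href, text, expected_domain):
    """Verdict for one <a href=...>text</a>, given the domain the bank owns."""
    href_domain = registrable_domain(href)
    if href_domain == expected_domain:
        return "ok"
    # The text shows one address but the href goes somewhere else: exactly
    # what hovering over the link is meant to expose.
    if looks_like_url(text) and registrable_domain(text) != href_domain:
        return "text-href-mismatch"
    # The bank's name appears in a host the bank does not own, e.g.
    # mybank.verysecurebank.com or mybank.com.verysecurebank.com (heuristic).
    host = urlsplit(with_scheme(href)).hostname or ""
    if expected_domain.split(".")[0] in host:
        return "lookalike-domain"
    return "external"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._href = href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_links(html, expected_domain):
    """Return [(href, text, verdict), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(h, t, classify_link(h, t, expected_domain)) for h, t in parser.links]


# Constructed sample message; mybank.com and verysecurebank.com are the
# placeholder names from the text, not real sites.
SAMPLE_EMAIL = """
<p>Dear customer, your account needs verification.</p>
<a href="https://online.mybank.com/login">Log in</a>
<a href="https://mybank.verysecurebank.com/login">Verify now</a>
<a href="https://mybank.com.verysecurebank.com/">https://www.mybank.com/login</a>
<a href="http://mybank.com@verysecurebank.com/">mybank.com</a>
<a href="https://example.org/unsubscribe">Unsubscribe</a>
"""

if __name__ == "__main__":
    for href, text, verdict in check_email_links(SAMPLE_EMAIL, "mybank.com"):
        print(f"{verdict:20} {text!r:35} -> {href}")
```

Run it and the five links come out as ok, lookalike-domain, text-href-mismatch, text-href-mismatch and external. The two-label rule in registrable_domain is deliberately simple; for anything beyond a demo, replace the constructed suffix set with the real Public Suffix List, otherwise hosts under co.uk-style suffixes are mis-split.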

Future of Phishing.

As people become aware of how phishing works, the bad guys invent new ways to phish. The bait will change in the days to come, and with social networking booming, that bait will increasingly come from people you know.

Being fully safe from phishing will require larger changes. For example, some financial institutions issue physical “fobs” (hardware tokens) that generate a one-time code to prove your identity. Others prompt for a one-time password (OTP) sent to you by SMS or mail during a transaction, so that even if the bad guys get hold of your password, they still need the OTP to complete the transaction. An OTP raises the bar but is not a complete fix: a phishing site that forwards your password and the code to the real bank as you type them can still get in, so the advice above about checking the address still applies.
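How a one-time password makes a stolen password insufficient, as an added worked example in Python that is not from the original article. It implements HOTP (RFC 4226), the counter-based scheme that hardware fobs and, via a time-derived counter, phone apps use; the test secret is the one from RFC 4226 Appendix D, while the account record, the password and the look-ahead window of 5 are constructed for this example.

```python
"""One-time passwords as a second factor: the server keeps a shared secret
and a counter, the token (fob or SMS gateway) derives a code from them,
and each code is accepted once. HOTP per RFC 4226."""
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one user's token."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # tolerate codes generated but never sent

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consumed: this code and earlier ones are dead
                return True
        return False


def hash_password(password, salt):
    """Salted PBKDF2; a constructed stand-in for whatever the bank really uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Constructed user record: salted password hash plus an OTP verifier."""

    def __init__(self, password, otp_secret):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.otp = OtpVerifier(otp_secret)

    def login(self, password, code):
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        # Both factors are required: a password captured on a phishing page is
        # useless without a fresh code, and a code that was already used (or
        # captured and replayed later) is rejected by verify().
        return pw_ok and self.otp.verify(code)


# Test secret from RFC 4226 Appendix D; the account below is constructed.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = Account("correct horse", RFC_SECRET)
    print(acct.login("correct horse", hotp(RFC_SECRET, 0)))  # True
    print(acct.login("correct horse", hotp(RFC_SECRET, 0)))  # False: replayed code
    print(acct.login("wrong", hotp(RFC_SECRET, 1)))          # False: bad password
```

The look-ahead window is what lets a user who pressed the fob button a few times without logging in still get through; once a code is accepted the counter jumps past it, which is why a replay fails. Note what this does not do: if the phishing page relays the code to the real bank within the window, the code is still fresh and the login succeeds.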

The links below, from SonicWall and VeriSign, let you test your phishing IQ; do give them a try.

http://www.sonicwall.com/furl/phishing/index.php

https://www.phish-no-phish.com/default.aspx

*First image from Flickr