19 November 2009

Identify a Phishing Scam

An example of a phishing e-mail, disguised as ...Image via Wikipedia

From Wired How-To Wiki

Hold on to your passwords if you want to stay safe on the internet. Of course, you need those passwords to access your bank, your e-mail and sites where you connect with friends. There are people out to trick you into giving those private codes away using a scam called "phishing." Let's look at how to identify and avoid falling for one yourself.

What is Phishing?

The strange name sounds a lot like the fishing you do in a lake with a pole. That's because it's a similar process: phishers apply bait and wait for a bite. They want you to be the fish.
These scams find ways to get you to a page that looks like the login to a financial institution or other site where knowing your credentials can benefit them in some way. Many times the "hook" comes in the form of an e-mail that appears to be from a trusted source. Also in the e-mail is a call to click a link to go to a site that is made to look like the one you know.
Another common phishing scheme, especially on social networks, is to take advantage of messaging systems built into the products. The messages may even come from trusted friends, who have themselves fallen pray to the scam.
Once you are on the phishing site, if you type your login information, it will be sent to the bad guys, even though it looks just like a site you trust.
Read on to learn some ways to identify a scam before you fall for it.

Too Good To Be True

Your bank just sent you an e-mail. You open it up and the bank claims to have found an error in your favor. "Click here" to claim the money which is rightfully yours! The old saying still has resonance in this connected age. If it sounds too good to be true, it probably is.
Your friend may be touting a get-rich-quick scheme. Even if this friend usually shares completely reliable information, be wary. Your friend may have fallen victim to a scam himself. If you have his phone number, pick up the phone and get to the bottom of it. He may appreciate you alerting him to the scam.
Since we've all become fairly resistant to this "too good" scam, many phishers use the opposite approach. If it sounds too bad to be true, such as an unexpected large payment from your account being processed by your bank, watch out. The scammers are preying on your desire to fix the problem immediately.
The same goes for unexpected payments or charges with online wallet services like Paypal. When it comes to your money, especially, you can't be too skeptical. Read on for other ways to identify whether there's a scammer on the other end of that login form.

Look at the URL

This may get a little techy, but it's something any internet user should learn. The URL, which is the name for a web page's full address, is a telling hint toward whether you're being scammed.
Your location bar is usually up at the top of the window you use for web browsing. The text inside starts with http:// or https://. The part that comes immediately after that is the host name, like /wired.com/. Sometimes, instead it has extra words up front, like /howto.wired.com/. That's called a sub-domain.
Whoever owns the main .com (or .net, .org, etc.) can make as many sub-domains as they want. Scammers use a simple trick to include your bank's name in front of their own web site name.
Let's say your bank's website is yourbank.com. A scammer might use yourbank.securebank.com, which looks pretty good. But remember, your bank can own anything ending in .yourbank.com. But whoever owns securebank.com (the scammer in this case) can put anything in front of securebank.com, including the name of your bank.
Using the URL to identify the scam means you have to understand the difference between securebank.yourbank.com and yourbank.securebank.com. If they look the same to you, know that makes you extra vulnerable. Just when you thought it couldn't get worse: often the scammers get really devious and use yourbank.com.securebank.com. The URL begins with your bank's complete web site name, but it's still a scam!
Some browsers identify the main part of the host name by bolding it in the location bar. That can make it easier to figure out whether or not you're looking at the real site. Even with the visual aid, it's still all too easy to misread the text in the location bar.

Login at the Site Itself

At this point, you have an inkling you're being phished, yet you also want to know if there really is a deposit waiting for your account. If it sounds too good to be true, and you aren't able to decipher whether it's the real URL, it's time to go straight to the source.
You need to visit your bank, or whichever site this is, directly. Don't click links in e-mails or messages, but preferably type the address of the site you usually use into the location bar. Alternatively, you can search for the name of the bank and click the search result.
Once you are on the site itself, log in there. Doing this will ensure that you are really on the correct website and not sending your credentials to a third party. When you have logged in, look to verify the information you were told in the potential phishing scam. For example, if your bank e-mailed you about a bounced check, wouldn't there be some sign of that on the site itself, too?
If you still aren't sure, you can go old school: Pick up the phone. If the site is a financial institution, there's got to be a way to call them. Remember to get the number from the real site, not from the site you visit by clicking a link.
Following this and other tips in this article should keep you safe from phishing scams. Healthy skepticism and a little technical know-how go a long way to keeping your personal data secure.

In the Future

Unfortunately, many blame the users who fall for phishing scams. Yes, there are some easy things to do to look out for your information, but technology could help us out. Why can't web browsers tell us when we're being phished?
Bolding the important part of the URL is one way we're starting to see the steps toward putting phishing scams behind us. Why couldn't it also determine from the text on the scam site that it's pretending to be another site? If scammers aren't able to use the name or logo of your bank without triggering a red flag, that would take away their most important weapon.
To completely be safe from phishing will require much larger changes. For example, some financial institutions use physical "fobs" with encrypted data to prove your identity. Though implementations aren't widespread, you can now install a fingerprint scanner on your computer. Devices for facial recognition and retina scans can't be far behind.

Reblog this post [with Zemanta]