How Phishing Works
According to Wikipedia, "Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from PayPal, eBay, Youtube or online banks are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a website. Phishing is an example of social engineering techniques used to fool users."
How does phishing work? Most commonly, spam emails are sent out which purport to be, say, from a well-known bank informing the recipient that he or she needs to log in to their account and change their password. The email contains a link which while it appears to lead to the bank's website, actually leads to a mocked-up version of it. When the user enters his or her details, that information is then in the hands of the phishers and they have all the information they need to be able to access that person's bank account.
These scams are not at all easy to spot (SonicWALL's Phishing IQ Test will give you an idea of just how difficult they can be to detect). Links in HTML emails can easily be made to appear to lead to somewhere other than the real location (for example, this link (www.google.com) will lead you to Bright Hub) and the mocked-up websites to which the links lead can appear almost identical to the real website.
How to avoid being burned by a phishing scam
There are a number of simple steps you can take that will substantially reduce the chance of you or your employees falling victim to a phishing scam:
- Use a spam filter. A spam filter will block the majority of phishing emails. Many email clients, including Outlook and Windows Mail, have a built-in spam filter – while not as effective as some third-party products, they will nonetheless do a decent job of keeping your inbox free from unwanted items (see Handling junk mail in Outlook 2007 and Block spam and other unwanted e‑mail in Windows Mail for more information). Additionally, numerous third-party applications are available. Search this channel and you'll find reviews of many leading products. See too our article Finding The Right Spam Filter: How to Choose an Anti-Spam Solution.
- Use a phishing filter. Most browsers now include a phishing filter, so make sure it's switched on (see How to use Windows Internet Explorer’s Phishing Filter and Phishing and Malware Protection in Firefox for more information).
- Educate yourself and your employees. Make sure that both you and they understand what phishing is and how it works. Make sure that they understand How to know if an online transaction is secure and understand never to enter personal or financial information into a site that is not secure. Finally, make sure that they know never to access a financial website using a link in an email or webpage and should instead key in the address (being careful to avoid fat fingering) or, better yet, use their bookmarks.
Finally, you may wish to consider helping to combat phishing by forwarding any suspicious emails that you receive to the Anti-Phishing Working Group (firstname.lastname@example.org), the Federal Trade Commission (email@example.com) or by notifying the FBI's Internet Crime Complaint Center.