In a report released in 2009 that sampled three million users over the course of three months, it was found that about 45 percent of the time, the computer user would fall victim to a phishing scam by submitting their login information via a phishing site. New computer users and those who are not tech-savvy can easily fall victim to such a scam because phishing sites look exactly like the official website. This leads the victim to believe that nothing “fishy” is happening, so they divulge their information without thinking twice. Then, before they know it, their username and password are in the hands of a third party who can wreak havoc.
What is Phishing?
Phishing is a type of fraud committed using email. It is an attempt to steal someone's personal information, such as their social security number, credit card number, or username and password. Many people notice phishing emails arriving from companies with which they have never held an account. Bank of America is a very popular brand for phishers to impersonate. Using Bank of America as an example: the victim receives an email from the phisher. The email would likely say something along the lines of “you must verify your account by visiting (a link would be here)” or “suspicious activity on your account, please click here (there would be a link) to verify your identity.” The victim, being innocent and not knowing any better, clicks on the link and is brought to a phishing site. This site looks exactly like the Bank of America website, so the victim is none the wiser. They input their information, the phisher then has it, and the victim has no idea that their security was breached until it is too late.
The Most Common Scams
As of February 2011, the most phished sites included PayPal, HSBC Bank, Chase Bank, Facebook, eBay, Bank of America, Visa, Lloyds and Banco Santander. These are in order of most attacked, which means that PayPal is the most phished site.
Those popular Nigerian spam emails are also a form of phishing. Most people know to simply delete these and move on, but plenty of people still fall for this scam. It involves telling people that a long-lost relative has died and left them a very large amount of money. The phisher asks the victim to send some money up front, and often their bank account information, so that the inheritance can supposedly be transferred into their account. Once the phisher has the cash and account information, they can wreak havoc and are never heard from again.
Now, while email is certainly the most popular way to pull off a phishing scam, phishers do use other methods as well to get the information they seek. Phishing scams are also conducted via instant messaging, chat rooms, mailing lists, message boards, fake browser toolbars, cellphone text messages, fake banner ads, fake job offers and fake job search sites.
How to Protect Yourself
Protecting yourself from phishers should be a priority. First and foremost, never click on a link in an email or anywhere else to reach a site where you log in. Open a new tab or window in your browser and type in the website address yourself. Before entering your username or password, make sure the website address starts with “https” instead of “http”. This “s” means that the connection is encrypted; it does not by itself prove the site is genuine, so also check that the domain name is the company's real one. Also, never open attachments in emails unless they are from someone you know and you are expecting an email with attachments.
Second, create a strong password. ZDNet released a list of the 10 most common passwords that people use. Phishers, once they have your username, are going to try these first. Since PayPal is the most commonly phished site, let's use PayPal as an example. A person only needs your username and password to gain full access to your account. So, if they get your email address (which is what you use to log in to PayPal), they can sit there and try to guess your password, and if you are using a common one, they will get in pretty easily.
The 10 most common passwords include sequential numbers like '123' or '123456' and even the really obvious choices like the word 'password'. It is always recommended to use a password that contains a mix of numbers and uppercase and lowercase letters.
Third, watch the grammar and spelling in suspected phishing emails. Many phishers do not bother to check their grammar or spelling, so gross errors are easy to spot. This is often because the phisher is from a country where English is not the first language. If PayPal, Bank of America or any legitimate company were sending you an official email, it would be flawless.
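The first two pieces of advice above (check the link you are about to use, and avoid common or weak passwords) can be turned into simple automated checks. The script below is an added example written for this article, not code from the original page or from any of the companies named; the common-password list in it is a constructed sample, not the ZDNet list, and the eight-character minimum length is an assumption the article itself does not state.

```python
"""Added example: two defensive checks based on the article's advice.

check_link(url, legit_domain) reports why a link should not be trusted:
it is not HTTPS, or its host is not really under the company's domain
(e.g. "paypal.com.account-verify.example" merely starts with "paypal.com").

password_problems(password) reports why a password is weak: it appears in
a (constructed) list of common passwords, or it lacks the mix of digits
and upper/lower-case letters the article recommends.
"""
from urllib.parse import urlsplit

# Constructed sample list, NOT the ZDNet top-10 referenced by the article.
COMMON_PASSWORDS = {"123456", "123", "password", "12345678", "qwerty", "abc123"}

MIN_LENGTH = 8  # assumption: the article gives no length requirement


def check_link(url: str, legit_domain: str) -> list:
    """Return the reasons this link should not be used (empty list = none found)."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    legit = legit_domain.lower()

    if parts.scheme != "https":
        problems.append("not https (scheme is %r)" % (parts.scheme or "missing"))

    if not host:
        problems.append("no host in URL")
    elif host != legit and not host.endswith("." + legit):
        # The real domain must be the host itself or its last labels;
        # anything else is a different site, however familiar it looks.
        problems.append("host %r is not under %r" % (host, legit))

    if parts.username is not None:
        # "https://paypal.com@other.example/" goes to other.example, not paypal.com
        problems.append("URL contains a user@ part before the real host")

    return problems


def password_problems(password: str) -> list:
    """Return the reasons this password is weak (empty list = passes the checks)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    return problems


if __name__ == "__main__":
    # Constructed sample links and passwords for a quick demonstration.
    for link in ("https://www.paypal.com/signin",
                 "http://paypal.com.account-verify.example/login"):
        print(link, "->", check_link(link, "paypal.com") or "looks consistent")
    for pw in ("123456", "Password", "Tr0ub4dor-x"):
        print(repr(pw), "->", password_problems(pw) or "passes the checks")
```

Note that an empty result from check_link only means the link is consistent with the expected domain; the article's advice to type the address yourself still stands, because a lookalike domain you were not expecting will not be flagged unless you pass the real domain in.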
- Avira. (2011). Phishing, Spam and Malware Statistics for February 2011: http://techblog.avira.com/2011/03/12/phishing-spam-and-malware-statistics-for-february-2011/en/
- ZDNet. (2009). Weak Passwords Dominate Statistics for Hotmail’s Phishing Scheme Leak: http://www.zdnet.com/blog/security/weak-passwords-dominate-statistics-for-hotmails-phishing-scheme-leak/4538
- ZDNet. (2009). How Many People Fall Victim to Phishing Attacks: http://www.zdnet.com/blog/security/how-many-people-fall-victim-to-phishing-attacks/5084