Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Communications purporting to be from popular social web sites, auction sites, banks, online payment processors or IT administrators are commonly used to lure unsuspecting victims.
Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
Phishing is an example of social engineering techniques that can be used to deceive users. It exploits the poor usability of current web security technologies.
Clues that an email is fake can include: poor spelling, grammatical errors, typos, an offer of a reward, a request for information, and a threatening tone.
Here are some qualities that can help you identify a phishing email:
- They copy the logo and color scheme of a real company.
- They use the name of a real company, or of an actual employee of that company, as the sender of the email.
- Links embedded in the phishing email include website addresses that at first glance look very similar to a real business's address.
- The lure is often a free gift, or the alleged loss of access to an existing online account.
Phishing doesn't only pertain to online banking
Although many phishing attacks spoof banks, they can also impersonate any well-known website to steal personal data, such as PayPal, the Internal Revenue Service, UPS, FedEx, eBay, Facebook, etc.
Phishing comes in all languages
Phishing knows no boundaries, and can reach you in any language. In general, these messages are poorly written or poorly translated, so this may be another indicator that something is wrong.
If you have the slightest doubt, don't risk it.
The best way to prevent phishing is to consistently reject any email or notification that asks you to provide confidential data. Delete these emails and call your bank to clarify any doubts.
Be skeptical when there are big news events happening in the world.
Suppose you hear on the news that your insurance company has recently been breached, and soon afterwards you receive an email (allegedly) from your insurance company that explains the breach and lists the steps you should take, including clicking on a link to update your personal information and change your user name and password. You should NOT follow these instructions if you want to keep your information protected. Otherwise, once the criminals have information about you, they may try to trick you into giving up more information through further fraudulent emails. Be suspicious of urgent emails requesting information, and never open attachments you aren't expecting, even if they come from someone you know.
Criminals could strike very quickly
For example, within hours of a hurricane, you receive an email from the Red Cross asking for a donation to help the victims. Such an email is most likely a phishing scam that exploits a high-profile event, one that is receiving media attention and is at the forefront of people's minds. These scams are effective because they rely on your emotions and compassion.
Understand how your financial institution communicates with you
If you receive an e-mail bearing your bank's name and e-mail address, explaining that for security reasons you have to click on a particular Internet link and log in to your account to update your settings, delete the email without taking any action, and contact your bank through known channels either to verify the message or to report it as SPAM. Financial institutions, including Commonwealth Bank, WOULD NEVER ask for personal or account information via email.
Always be skeptical of attachments
Even if you receive a message inviting you to view a file or video on a social networking site from someone within your network (a trusted source), it is still NOT safe to open the attachment. Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder's entire contact list. They post poisoned links to a variety of malicious sites, and send credible emails with malicious links, abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan.
Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud such as phishing
No matter how much security technology you implement, you can never get rid of the weakest link – the human factor. A social engineer is someone who uses deception, persuasion and influence to get information that would otherwise be unavailable.
Microsoft will not contact you
If you receive an e-mail (or, more recently, a phone call) from an alleged Microsoft support person saying that your computer is infected with a virus and suggesting that you install a tool from their Internet site to remove it, you should NOT click on the link, even though the email looks official and appears to come from the legitimate firstname.lastname@example.org email address. Email spoofing is e-mail activity in which the sender's address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
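The spoofing described above can often be spotted in headers that the sender does not control as easily as the From line: the envelope sender (Return-Path), the Reply-To address, and the SPF/DKIM verdicts your own mail server records in Authentication-Results. The following is an added example, not code from the original article; both messages are constructed samples, the domains ending in .test and .example are placeholders, and mx.example.test stands in for your receiving server.

```python
import email
import email.utils
import re

# Constructed sample messages (not real captures). The first claims to come
# from Microsoft support, but the envelope sender (Return-Path), the Reply-To
# and the receiving server's SPF/DKIM verdicts all point elsewhere.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mailer.example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer.example.test; dkim=none
From: "Microsoft Support" <support@microsoft.com>
Reply-To: helpdesk@tickets.example.test
To: user@example.test
Subject: Your computer is infected

Install the cleaning tool from the link below.
"""

SAMPLE_CLEAN = """\
Return-Path: <notices@example.com>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Example Notices" <notices@example.com>
To: user@example.test
Subject: Your monthly statement is ready

Log in to your account as you normally would to view it.
"""


def _domain(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message):
    """Return header-level reasons to suspect the visible From line is spoofed.

    Only the Authentication-Results header added by your own receiving server
    is meaningful; a production filter also checks the authserv-id (here
    mx.example.test) so that a copy of the header forged by the sender is ignored.
    """
    msg = email.message_from_string(raw_message)
    findings = []

    from_dom = _domain(email.utils.parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(email.utils.parseaddr(msg.get("Return-Path", ""))[1])
    reply_dom = _domain(email.utils.parseaddr(msg.get("Reply-To", ""))[1])

    # The envelope sender and Reply-To normally belong to the same
    # organisation as the From domain; a mismatch is a classic spoofing tell.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and from_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # SPF and DKIM verdicts recorded by the receiving server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        match = re.search(rf"\b{mech}=([a-z]+)", auth, re.IGNORECASE)
        verdict = match.group(1).lower() if match else "missing"
        if verdict != "pass":
            findings.append(f"{mech.upper()} verdict is '{verdict}'")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, spoofing_indicators(sample) or ["no indicators"])
```

Run as a script, the spoofed sample yields four findings and the clean one none. A mismatch on its own is not proof of fraud (mailing-list and bulk-mail services legitimately use their own Return-Path), which is why the SPF/DKIM verdicts carry the most weight.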
If you are unsure about a link in your email, do NOT copy and paste the link in your web browser
You could still end up at the malicious site and potentially load malware onto your computer or network. If you are unsure whether a link you received in an email is safe, copying and pasting it into your browser's address bar is no safer than clicking it.
Be aware of incorrect web site extensions
For example, among these six web addresses, “whitehouse.com” is the phony one, because any official U.S. government web site ends in .gov, not .com.
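The two link checks this article recommends, an address that only resembles a real business's address (the embedded-links bullet earlier) and an address with the wrong extension (whitehouse.com instead of .gov), can be made mechanical. The following is an added example, not code from the original article: it assumes a short list of domains the recipient genuinely uses, the (display text, href) pairs are constructed samples with placeholder hosts, and registrable_domain is a deliberate simplification that takes the last two labels of a host name rather than consulting the Public Suffix List.

```python
from urllib.parse import urlparse

# Domains the recipient genuinely does business with (constructed list).
KNOWN_BRANDS = {"paypal.com", "whitehouse.gov", "fedex.com"}

# Constructed (display text, href) pairs as they might be extracted from the
# HTML body of an email; the .test and .example hosts are placeholders.
SAMPLE_LINKS = [
    ("https://www.paypal.com/", "https://www.paypa1.com/login"),
    ("whitehouse.com", "http://whitehouse.com/"),
    ("Click here", "https://www.paypal.com.secure-login.example.test/"),
    ("paypal.com", "https://www.paypal.com@evil.example.test/"),
    ("Your account", "https://www.paypal.com/myaccount"),
]


def levenshtein(a, b):
    """Edit distance between two short strings (domain labels)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name.

    Simplification for this example: multi-label public suffixes such as
    co.uk are not handled; a production tool consults the Public Suffix List.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(display_text, href, brands=KNOWN_BRANDS):
    """Return reasons to distrust a link as it appears in an email body."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return [f"unusual or missing scheme/host in {href!r}"]

    findings = []
    if "@" in parsed.netloc:
        findings.append("text before '@' in the URL is not the host; the real host is " + host)
    if host.replace(".", "").isdigit():
        findings.append("link points at a bare IP address rather than a named site")

    reg = registrable_domain(host)
    labels = host.split(".")

    # Link text that looks like an address but leads somewhere else.
    text = display_text.strip().lower()
    if "." in text and " " not in text:
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if text_host and registrable_domain(text_host) != reg:
            findings.append(f"link text shows {text_host} but the target is {host}")

    # Compare the registrable domain with each brand the recipient trusts:
    # same name under the wrong extension, a near-identical spelling, or the
    # brand buried in a subdomain of an unrelated site.
    name, _, tld = reg.partition(".")
    for brand in sorted(brands):
        bname, _, btld = brand.partition(".")
        if reg == brand:
            continue
        if name == bname and tld != btld:
            findings.append(f"{reg} ends in .{tld}; the real site is {brand}")
        elif levenshtein(name, bname) <= 2:
            findings.append(f"{reg} is a near-identical spelling of {brand}")
        elif bname in labels[:-2]:
            findings.append(f"{brand} appears only as a subdomain of {reg}")
    return findings


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{text!r} -> {href}")
        for finding in link_findings(text, href) or ["no findings"]:
            print("   ", finding)
```

Only the last sample link comes back clean. The edit-distance threshold of 2 suits brand names of six or more characters; for short names such as ups.com it should be tightened to 1, or the check will flag unrelated domains.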