Thursday, August 23, 2012

What is Phishing? (Part 1: Online)

Phishing, pronounced "fishing," is becoming a popular phrase in mainstream media. It's this strange, indistinct danger that threatens to take your information and give it to goodness-knows-who. The reality, though, is that this threat, while very real, is completely avoidable and needn't be a constant source of worry. Phishing is simply someone tricking you into giving them the information they want.

That's right. You give them your sensitive information. Of course right now you're thinking "I'd never do that," but every year thousands, if not millions, of people fall for phishing scams. That's because even the most security-conscious people need to be careful; some of the scams are just that good. One of the most common types of scams is an email from your bank asking you to log in to their website and change your password. Changing passwords is something people do often enough that they rarely think twice about doing it, but in this case you're not really changing your password; you're giving away your current one.

Here's how this particular one happens: The "phisher" makes up a fake email address that looks like it could be official. They send this email to a large batch of people whose email addresses they've acquired through other shady means. Of these people, a certain percentage will bank with the bank the phisher is imitating. Of those people, a certain percentage will click the convenient link in the email to go to the webpage to change their password instead of navigating to it using a bookmark. If a person reaches this point, they're greeted by a webpage that looks like their bank's webpage, and even has a URL (web address) that's almost identical to the real one. At that point, they simply fill in the password change form, submit, and that's it. Their login name and password are sent to the phisher's database.

So how can you avoid this? Here are some simple steps you can use to avoid digital phishing scams:

  1. Don't open emails from people you don't know. Too often phishers will make their emails look like they were sent to the wrong person, or the email address will be slightly off from what your bank really uses. For example: if your bank usually emails you from customer_service@bank.com, and you receive an email from customer_service@bank.ca, it's probably not really from your bank.
  2. Most companies will NEVER ask you for your password. If you ever receive an email from any company you do business with asking for your password, call them and verify that they sent the email.
  3. If you receive an email asking you to reset your password, do not use the link provided in the email. Navigate to the company's password change webpage using bookmarks you already have. Using the link given to you means you could end up on a fraudulent site if the email is, in fact, not from the real company.
  4. If, for whatever reason, you are unable to do the above steps and you must use an email-provided link, verify the webpage it takes you to. Check for things like misspellings, numbers substituted for letters in the name, or a different ending like ".ca" or ".lb" instead of ".com". These are all ways people can make webpage names look official at first glance.
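The sender check in step 1 and the look-alike address check in step 4 can be written down as a small script. The code below is an added example, not part of the original post; it assumes a hypothetical bank whose real sender address is customer_service@bank.com and whose real website is bank.com, and it flags the three tricks the post names (a different ending, digits standing in for letters, and a near-miss spelling) on either an email sender's domain or a link's host.

```python
from urllib.parse import urlsplit

# Constructed example values: the one sender address and web host the reader
# already trusts for "their bank". The domain is hypothetical, not a real bank.
TRUSTED_SENDER = "customer_service@bank.com"
TRUSTED_HOST = "bank.com"

# Digits commonly swapped in for the letters they resemble in look-alike names.
DIGIT_FOR_LETTER = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}


def normalize_host(host):
    """Lower-case a host name and drop a leading 'www.' so bank.com and www.bank.com compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance; one or two edits away from the real name counts as a misspelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_problems(host, trusted_host=TRUSTED_HOST):
    """Return a list of look-alike tricks found in `host`; an empty list means it is the trusted host."""
    host = normalize_host(host)
    trusted_host = normalize_host(trusted_host)
    if not host:
        return ["no host name found"]
    if host == trusted_host:
        return []
    problems = []
    name, _, ending = host.rpartition(".")
    real_name, _, real_ending = trusted_host.rpartition(".")
    # Trick 1: a different ending, e.g. ".ca" or ".lb" instead of ".com".
    if ending != real_ending:
        problems.append(f"ending is .{ending} instead of .{real_ending}")
    # Trick 2: numbers standing in for letters; undo the swap and see if the real name appears.
    unswapped = "".join(DIGIT_FOR_LETTER.get(c, c) for c in name)
    if unswapped != name and unswapped == real_name:
        problems.append("digits substituted for letters in the name")
    # Trick 3: a near miss on spelling (one or two characters off from the real name).
    elif name != real_name and 0 < edit_distance(name, real_name) <= 2:
        problems.append("name is a misspelling of the real name")
    if not problems:
        problems.append("host is not the trusted host at all")
    return problems


def sender_problems(address, trusted_sender=TRUSTED_SENDER):
    """Step 1: check the domain of an email sender against the address the bank really uses."""
    if address.strip().lower() == trusted_sender.lower():
        return []
    domain = address.rpartition("@")[2]
    return host_problems(domain, trusted_sender.rpartition("@")[2])


def link_problems(url, trusted_host=TRUSTED_HOST):
    """Step 4: check the host of a link from an email against the bank's real website."""
    return host_problems(urlsplit(url).hostname, trusted_host)


if __name__ == "__main__":
    # Constructed sample inputs, modelled on the examples in the post above.
    for address in ["customer_service@bank.com", "customer_service@bank.ca"]:
        print(address, "->", sender_problems(address) or "looks like the real sender")
    for url in ["https://www.bank.com/password/change",
                "https://www.b4nk.com/password/change",
                "https://bnak.com/login",
                "https://bank.com.evil.example/login"]:
        print(url, "->", link_problems(url) or "matches the real website")
```

An empty list means the address or link matches what you already trust; anything else is a reason to close the email and use your bookmark instead. The check is deliberately strict: a host that is not the bank's host is reported even when none of the three named tricks fits, because "not the bank" is the only thing that matters for step 3.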

Practical Tip of the Day:
Not all phishing scams are like the one I outlined, and not all of them are digital. Phishing scams are as plentiful and diverse as scams and cons before the digital age, and some of them are based on those old tricks. There is no way to protect yourself 100% from scams and phishing, but being mindful of your information and who you give it to is the best defense.
