If any scam defines the current sophistication of cybercriminals, it is phishing. In its most basic form, phishing is a construction of a fake Internet portal meant to imitate another legitimate one.
By exploiting the brand name of the original site, criminals are able to attain credit card and personal data from unsuspecting consumers. According to one study by Panda Security, about 57,000 new phishing sites are created weekly to lure unsuspecting people in and steal their valuable information.
The Anatomy of the Phishing Con
Phishing scams usually involve an email sent to the user warning of some dire event (e.g., closing of an account) or offer (e.g., free gift certificate). Concerned or elated, the emotionally-motivated user clicks on the link in the email telling them to act now.
That link takes the user to a Web site that looks exactly like the one in question; here the user enters login credentials, credit card numbers, a Social Security number, or other sensitive information which the criminal now has in their possession.
In many cases, simply logging in to the site gives criminals all they need; getting your login and password allows them to access your account, as well as any other accounts for which you have used the same password. The brands they choose to imitate are among the largest on the Internet (i.e., Amazon, eBay, Bank of America) and telling a fake site apart from a real one can be next to impossible.
What’s more, building such sites is not difficult, as the perpetrators simply steal source code from legitimate sites and change it slightly, perhaps adding fields for social security number or bank account numbers that are not on the real site.
Sometimes the emails themselves are the spearhead of the attack—a well-known scam involves an email that looks like it came from a legitimate wire transfer company. The email says there is an incoming money transfer, and it asks users to click on a link. Once the user does so, a Trojan installs on the computer in question, and the user is compromised.
Identifying Phishing Emails
If you look carefully at your email, you shouldn’t fall victim to phishing scams. After all, the main target of attack is you; if you simply delete the email, the phishing attack has failed. Here are a few things to look for in emails from so-called “legitimate” companies that can give them away as something less so:
• Poor grammar and misspellings: Though most phishing attacks originate in the United States, many do originate elsewhere in the world, and the people putting them together often have a poor grasp of English. Giant corporations, on the other hand, usually hire skilled people to write their correspondence. Poor grammar or spelling is a prime clue that the message in question is a scam.
• Strange Web addresses: Usually the Web address you’ll be asked to click to doesn’t seem quite right—banks, for example, won’t have “https” in front of them, indicating a secure connection. Other addresses will simply look strange, or the link might say one thing (e.g., www.citibank.com) and actually link somewhere else (e.g., http://web.da-us.citibank.com). You can determine the actual target of the link by mousing over it, but NOT clicking on it. Most browsers will display the actual link in the bottom of the browser window.
• Lack of security: Most companies that deal in sensitive information use SSL (Secure Sockets Layer) protocol, created to protect consumers. Instead of using http:// to begin the Web address, you will see https://, usually along with another little feature in the address bar. Wells Fargo, for example, has a small red “WF” logo, while Bank of America shows a miniature of its logo. If you don’t see these things at a Web site you are told to click to, provide no personal information, and close the site right away.
• Impersonal verbiage: When you are told your account is about to be closed and the salutation is “dear customer,” never believe it. Simply visit delete the email and visit the legitimate Web site in question. If there are any problems with your account, you’ll find out quickly.