Phishing Attacks
Phishing is an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an
attempt to gather personal and financial information from recipients. Typically, the messages appear
to come from well-known and trustworthy Web sites. Web sites that are frequently spoofed by
phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. A phishing expedition,
like the fishing expedition it's named for, is a speculative venture: the phisher puts out the lure hoping to
fool at least a few of the prey that encounter the bait.
Fraudsters send fake emails or set up fake web sites that mimic Yahoo!'s sign-in pages (or the sign-in
pages of other trusted companies, such as eBay or PayPal) to trick you into disclosing your user name
and password. This practice is sometimes referred to as "phishing" — a play on the word "fishing"
— because the fraudster is fishing for your private account information. Typically, fraudsters try to
trick you into providing your user name and password so that they can gain access to an online
account. Once they gain access, they can use your personal information to commit identity theft,
charge your credit cards, empty your bank accounts, read your email, and lock you out of your online
account by changing your password.
If you receive an email (or instant message) from someone you don't know directing you to sign in to a
website, be careful! You may have received a phishing email with links to a phishing website. A
phishing website (sometimes called a "spoofed" site) tries to steal your account password or other
confidential information by tricking you into believing you're on a legitimate website. You could even
land on a phishing site by mistyping a URL (web address).
Is that website legitimate? Don't be fooled by a site that looks real. It's easy for phishers to create
websites that look like the genuine article, complete with the logo and other graphics of a trusted
website.
Important: If you're at all unsure about a website, do not sign in. The safest thing to do is to close and
then reopen your browser, and then type the URL into your browser's URL bar. Typing the correct
URL is the best way to be sure you're not redirected to a spoofed site.
Signs You May Have Received a Phishing Email
If you receive an email from a web site or company urging you to provide confidential information,
such as a password or Social Security number, you might be the target of a phishing scam. The tips
below can help you avoid being taken in by phishers.
Unofficial "From" address
Look out for a sender's email address that is similar to, but not the same as, a company's official
email address. Fraudsters often sign up for free email accounts with company names in them (such as
"ysmallbusiness@yahoo.com"). These email addresses are meant to fool you. Official email from
Yahoo! always comes from an "@yahoo-inc.com" email address.
Urgent action required
Fraudsters often include urgent "calls to action" to try to get you to react immediately. Be wary of
emails containing phrases like "your account will be closed," "your account has been compromised,"
or "urgent action required." The fraudster is taking advantage of your concern to trick you into
providing confidential information.
Generic greeting
Fraudsters often send thousands of phishing emails at one time. They may have your email address,
but they seldom have your name. Be skeptical of an email sent with a generic greeting such as "Dear
Customer" or "Dear Member".
Link to a fake web site
To trick you into disclosing your user name and password, fraudsters often include a link to a fake
web site that looks like (sometimes exactly like) the sign-in page of a legitimate web site. Just
because a site includes a company's logo or looks like the real page doesn't mean it is! Logos and the
appearance of legitimate web sites are easy to copy. In the email, look out for:
Links containing an official company name, but in the wrong location. For example,
"https://www.yahoo.com" is a fake address that doesn't go to a real Yahoo! web site. A real Yahoo!
web address has a forward slash ("/") after "yahoo.com" — for example, "https://www.yahoo.com/"
or "https://login.yahoo.com/".
Legitimate links mixed with fake links
Fraudsters sometimes include authentic links in their spoof pages, such as to the genuine privacy
policy and terms of service pages for the site they're mimicking. These authentic links are mixed in
with links to a fake phishing web site in order to make the spoof site appear more realistic.
And look for these other indicators that an email might not be trustworthy:
- Spelling errors, poor grammar, or inferior graphics.
- Requests for personal information such as your password, Social Security number, or bank account or credit card number. Legitimate companies will never ask you to verify or provide confidential information in an unsolicited email.
- Attachments (which might contain viruses or keystroke loggers, which record what you type).
Signs You May Be on a Phishing Site
Phishers are becoming more and more sophisticated in designing their phony websites. Follow these
steps if you think you've been phished. There's no surefire way to know if you're on a phishing site,
but here are some hints that can help you distinguish a real website from a phishing site:
Check the Web address
Just because the address looks OK, don't assume you're on a legitimate site. Look in your browser's
URL bar for these signs that you may be on a phishing site:
- Incorrect company name. Often the web address of a phishing site looks correct but actually contains a common misspelling of the company name or a character or symbol before or after the company name. Look for tricks such as substituting the number "1" for the letter "l" in a Web address (for example, www.paypa1.com instead of www.paypal.com).
- "http://" at the start of the address on Yahoo sign-in pages. A legitimate Yahoo sign-in page address starts with "https://" (the letter "s" must be included), so check the website address of any Yahoo sign-in page.
- A missing forward slash. To verify that you're on a legitimate Yahoo site, make sure a forward slash ("/") appears after "yahoo.com" in the URL bar; for example, "https://www.yahoo.com" is a fake website address.
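The address checks described above (a company name sitting in the wrong part of the address, "http://" instead of "https://", and look-alike characters such as "1" for "l") can be written down as a small checker that reads the address the way a browser does: the host is the text between "://" and the next "/", with anything before an "@" discarded. The Python below is an added example, not code from the original page or from Yahoo!. The look-alike pairs other than the page's own "1"/"l", and the sample addresses on example.net, are assumptions constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Look-alike substitutions to undo before comparing a host to the expected
# domain. "1" for "l" is the page's own example (paypa1.com); the other
# pairs are assumptions added here, not taken from the page.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def browser_host(url):
    """Return the host the browser will actually connect to: the text
    between "://" and the next "/", minus any "user@" prefix and port.
    Returns "" when the address has no scheme."""
    return urlsplit(url).hostname or ""


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_url(url, expected_domain):
    """Return the reasons an address should not be trusted as a sign-in
    page for expected_domain. An empty list means nothing was found."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""

    if not parts.scheme:
        # Without "https://" the parser cannot tell host from path.
        return ["no scheme: type the full address, including https://"]
    if parts.scheme != "https":
        findings.append('address starts with "%s://" rather than "https://"'
                        % parts.scheme)
    if parts.username is not None:
        # Everything before "@" is a username, not the site being visited.
        findings.append('text before "@" is not the host; the real host is "%s"'
                        % host)

    if not under_domain(host, expected_domain):
        folded = host.translate(LOOKALIKES)
        if under_domain(folded, expected_domain):
            findings.append('host "%s" imitates %s with look-alike characters'
                            % (host, expected_domain))
        elif expected_domain in url.lower():
            # The company name is present, but not where the host goes.
            findings.append('"%s" appears in the address but the host is "%s"'
                            % (expected_domain, host))
        else:
            findings.append('host "%s" is not under %s' % (host, expected_domain))
    return findings


# Constructed sample addresses for the demonstration (not from the page).
SAMPLES = [
    "https://login.yahoo.com/",                 # legitimate form
    "http://login.yahoo.com/",                  # http, not https
    "https://www.yahoo.com.example.net/login",  # company name in the wrong place
    "https://www.yahoo.com@example.net/",       # "user@" in front of the real host
    "https://example.net/www.yahoo.com/login",  # company name only in the path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_url(sample, "yahoo.com") or ["no findings"])
    print("https://www.paypa1.com/", "->", check_url("https://www.paypa1.com/", "paypal.com"))
```

The look-alike folding is only applied once the host has already failed the domain comparison, so a genuine host such as a numbered server under the real domain is never reported.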
Be leery of pop-ups
Be careful if you're sent to a website that immediately displays a pop-up window asking you to enter
your username and password. Phishing scams may direct you to a legitimate website and then use a
pop-up to gain your account information.
Give a fake password
If you're not sure whether a site is authentic, don't use your real password to sign in. If you enter a fake
password and appear to be signed in, you're likely on a phishing site. Do not enter any more
information; close your browser. Keep in mind, though, that some phishing sites automatically display
an error message regardless of the password you enter. So, just because your fake password is
rejected, don't assume the site is legitimate.
Use a Web browser with antiphishing detection
Internet Explorer, Mozilla Firefox, and other Web browsers have free add-ons (or "plug-ins") that can help you
detect phishing sites.
Be wary of other methods to identify a legitimate site
Some methods used to indicate a safe site can't always be trusted. A small unbroken key or locked
padlock at the left of the URL bar of your browser is not a reliable indicator of a legitimate website.
Just because there's a key or lock and the security certificate looks authentic, don't assume the site is
legitimate.