** Phishing

Phishing: What is it?

DEFINITION: 1. Phishing is a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers.

2. One way to hook a fish is to use a lure so realistic that the fish thinks it’s food. Phishing on the Web works the same way. Thieves send an e-mail or instant message that masquerades as a message from a reputable company such as Citibank, eBay, or MSN.
Phishers can forge the sender's e-mail address and if you take the bait you could be putting your money and even your identity at risk.

Is phishing a NEW phenomenon?

Phishing isn't really new -- it's a type of scam that has been around for years and in fact predates computers. Malicious crackers did it over the phone for years and called it social engineering. What is new is its contemporary delivery vehicle -- spam and faked Web pages.

How phishing works:

The message capitalizes on your trust of a respected brand by enticing you to click a link that takes you to an equally convincing (and equally fake) Web page or pop-up window, which has been set up to imitate the legitimate business.

You’re asked to divulge such sensitive personal information as your Social Security number, a bank account or credit card number, a validation code, password, or personal identification number (PIN).

This fraud is disarming its ingenuity. Here are a few more potential examples:

Mail from a “bank” requesting verification of a charge for a hotel, a spoof so meticulous that it included bank logos and promises to safeguard privacy. The reader had only to click “STOP THIS PAYMENT” to visit an equally convincing page where they were asked to reveal account information needed to “deny payment.”

A mail from “MSN” informing readers that their MSN services would be “deactivated” if they didn’t confirm their identities at once.

An SMS from a "mobile company" requesting users to verify their age. As most age validation is done with a credit card, all credit card holders should be aware of any service asking for their details. If uncertain, users should call customer services.
In 2003 fake sites tricked almost 2 million people into revealing confidential information, putting at risk their financial status and credit rating.

Identifying warning signs:

Your best protection is caution. Here are some tell tale signs of a scam:

- Requests for personal information in an e-mail message. Most legitimate businesses will not ask for personal information in e-mail.

- Alarmist messages. Scammers will attempt to create a sense of urgency so you’ll respond without thinking.

- Misspellings and grammatical errors in the mail.

- A slightly altered Web address. Only close scrutiny would reveal the deceptive spelling. For example, www.microsoft.com could appear as www.micosoft.com, www.mircosoft.com, or www.mIcrosoft.com.

- If it sounds too good to be true, it's probably a hoax.

Protecting oneself from Phishing:

Though there’s no substitute for vigilance when giving out sensitive personal information. Following these 5 simple guidelines will reduce your chances of getting hooked by a scam.


1: Never give sensitive personal information in an e-mail, instant message, or pop-up window

Most legitimate and established businesses will not use these methods to ask for passwords, account or credit card numbers, or other confidential information. It’s easy for phishers to trick people—for example, by forging the “From” address of an e-mail message.


2: Be wary of clicking a link in a message or pop-up window

If you get an e-mail, instant message, or pop-up window that asks for personal information, do not click the link. Doing so could take you to a phoney site where any information you give may be sent to the scam artist who built it.

If you’re unsure whether a message is genuine, call the company using the number from a past statement or the phone book. To visit the Web site, type the address yourself or use your own bookmark.


3: Make sure the Web site protects your personal information and is legitimate before you enter anything

Phishers have ways of faking the address that is displayed. If you have even the slightest doubt about the site’s legitimacy, play it safe and leave.

Check for signs of data encryption, a security measure that helps protect sensitive data as it traverses the Internet. As shown in photo above, look for https (“s” for secure) in the Web address and for a tiny closed padlock or an unbroken key.
Check to make sure you are where you think you are. Unfortunately on some systems, the padlock (and key) can be faked, so double-click it to display the security certificate for the site (as shown below). Look for a match between the name on the certificate and in the address bar. If the name differs, you may be on a faked site.

4: Routinely review your financial statements

Check all credit card and bank statements monthly and regularly log in to any online accounts to make sure nothing is amiss.


5: Improve your computer's security

Phishers reply on you not applying the latest security fixes and may try to exploit vulnerabilities that haven’t been corrected.

Microsoft helps you use a firewall, install antivirus software and update it routinely, and keep your Windows and Office software up to date.

Taking action:

There is no substitute for vigilance as was stated earlier. Paying attention to valuable personal and financial information, will allow you to perhaps detect a scam from a genuine offer. At any rate, should you be ensnared by phishers, you should report it at once to any relevant body.