More information about phishing:
Phishing is an online attack in which a malicious user poses as a legitimate business or service to obtain a person's confidential information: name and address, usernames and passwords, credit card or bank account numbers, etc.
Phishing attacks can occur in several different mediums: pop-up messages, fake emails, SMS messages, and fake websites, among others. (See Catching Phishers.)
According to a recent Gartner survey, 3.6 million U.S. adults lost a total of 3.2 billion dollars due to phishing in 2007 (McGrath). One reason phishing attacks are popular with malicious users is the ease of execution: it is harder to break into a secured system than it is to trick a victim into giving that information away.
In the past three years, hackers have become less interested in spamming all users of a company or domain and now concentrate on high-profile targets (like company CEOs). This practice is also known as “whaling.” The objective is to swindle presumably well-paid upper-management professionals into sharing confidential company and personal information.
One positive trend is the decline in phishing page uptime. “Uptime” is the length of time a web page (in this case, a scam page) is up and running. It is one of the key factors in a phishing attack's success: the longer the uptime, the more data a malicious user can collect. New scanning tools and more aggressive monitoring by domain providers both play a role in detecting and taking down phishing pages, but hackers develop new techniques just as quickly.
Read emails in plain text format.
This makes fake links more noticeable: in HTML mail the visible link text can say one thing while the underlying address points somewhere else; in plain text you see the actual address.

Do not click on the links provided in the email.
Instead, type the address by hand.

Never send sensitive information, like passwords, to an organization.
All legitimate organizations have mechanisms to work with your account without your password.
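The first two tips above rely on a reader noticing that a link's visible text and its real destination disagree. The following Python script automates that check over an HTML mail body; it is an added example, not code from the original page. The email body, the host names (reserved .example and example.org domains) and the IP address are all constructed for illustration, and the registered-domain helper is deliberately crude (a real implementation should consult the Public Suffix List).

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: an HTML email body of the kind a phisher would send.
# The first link's visible text names the bank, but the href goes to a
# look-alike host; the last link hides a bare IP address behind "click here".
SAMPLE_HTML_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://secure-login.example-bank.co.example.org/verify">https://www.example-bank.example/login</a>
or visit <a href="https://www.example-bank.example/help">our help center</a>.</p>
<p>Unsubscribe: <a href="http://198.51.100.23/u?id=42">click here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' for relative links."""
    return (urlsplit(url).hostname or "").lower()


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Enough for the demo; use the
    Public Suffix List for real traffic (assumption: no multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def flag_deceptive_links(html):
    """Return [(visible_text, href, [reasons])] for links that look deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = host_of(href)
        reasons = []
        # Visible text is itself a URL but points at a different site.
        if looks_like_url(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if registered_domain(shown) != registered_domain(target):
                reasons.append(f"text shows {shown} but link goes to {target}")
        # Destination is a raw IP literal rather than a host name.
        try:
            ipaddress.ip_address(target)
            reasons.append("link target is a bare IP address")
        except ValueError:
            pass
        if reasons:
            findings.append((text, href, reasons))
    return findings


if __name__ == "__main__":
    for text, href, reasons in flag_deceptive_links(SAMPLE_HTML_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for r in reasons:
            print(f"    {r}")
```

Run against the constructed message, the script flags the look-alike link and the bare-IP link and leaves the honest help-center link alone, which is exactly what reading the message in plain text would have shown a careful reader.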
Pay attention to SSL certificates. Don’t just click “OK.”
This is currently a major issue. Browsers warn users when a site's certificate cannot be validated, but most users click “OK” without reading the warning. The certificate's subject name (Common Name or Subject Alternative Name) has to match the hostname of the site you intended to visit, not merely the hostname of whatever site returned it: a scam site can hold a perfectly valid certificate for its own look-alike domain. If the certificate is expired or self-signed, be careful.
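To make the certificate tip concrete, here is an added Python example (not code from the original page) that performs the hostname check a browser does: it reads the DNS names from a certificate's Subject Alternative Name, falls back to the Common Name only when no SAN is present, applies the single-leftmost-label wildcard rule, and also checks expiry. The certificates are constructed dictionaries in the shape returned by Python's ssl.SSLSocket.getpeercert(), using reserved .example and example.org names; no network connection is made.

```python
import ssl
import time

# Constructed certificates (dict shape of ssl.SSLSocket.getpeercert()).
# The bank's real certificate:
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.example"),),),
    "subjectAltName": (("DNS", "www.example-bank.example"), ("DNS", "example-bank.example")),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}
# A look-alike phishing host that holds a perfectly valid certificate
# for its own domain. It validates, yet it is not the site you wanted.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "secure-login.example-bank.co.example.org"),),),
    "subjectAltName": (("DNS", "secure-login.example-bank.co.example.org"),),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}
# A wildcard certificate, to show what "*." does and does not cover.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example-bank.example"),),),
    "subjectAltName": (("DNS", "*.example-bank.example"),),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}
# An old, CN-only certificate that has already expired.
EXPIRED_CERT = {
    "subject": ((("commonName", "www.example-bank.example"),),),
    "notAfter": "Jan 01 00:00:00 2009 GMT",
}


def dns_names(cert):
    """DNS names the certificate is valid for. SAN wins; the CN is used
    only when the certificate carries no SAN at all (RFC 6125 section 6.4.4)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Case-insensitive DNS name match with the RFC 6125 wildcard rules:
    '*' may only be the entire leftmost label and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, wildcard is the whole first label, and at least
    # two further labels exist (so "*.com" style patterns are rejected).
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    return any(name_matches(name, hostname) for name in dns_names(cert))


def check_peer(cert, intended_host, now=None):
    """Return (ok, reason). 'intended_host' is the address the user typed,
    not whatever host actually answered."""
    now = time.time() if now is None else now
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) < now:
        return False, f"certificate expired on {not_after}"
    if not hostname_matches(cert, intended_host):
        return False, f"certificate is for {', '.join(dns_names(cert))}, not {intended_host}"
    return True, "ok"


if __name__ == "__main__":
    intended = "www.example-bank.example"
    for label, cert in (("bank", BANK_CERT), ("look-alike", LOOKALIKE_CERT),
                        ("wildcard", WILDCARD_CERT), ("expired", EXPIRED_CERT)):
        print(label, check_peer(cert, intended))
```

The look-alike certificate is the instructive case: every field in it is internally consistent and a browser raises no warning for it, so the only defence is comparing the certificate's names against the site you meant to reach.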
Keep your computer up to date.
New updates often patch known vulnerabilities in software. Tools like Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) also find and update insecure third-party programs on your computer, reducing the chance that a malicious link or attachment delivered by a phishing email can exploit them.