What is Phishing?
Phishing is the attempt by a malicious user to gain your sensitive or personal information online, including account numbers, addresses, phone numbers, and passwords, by posing as a trustworthy person or institution.
Phishing attacks can arrive through several different media, including:
- pop-up messages or warnings
- e-mails which appear to be from banks or other trusted institutions
- social networking sites
- SMS/text messages
- fake websites posing as banks, credit card companies, etc.
One reason phishing is popular with malicious users is the ease of execution: it is usually easier to trick a person into handing over information than to break into the system that protects it. (See this page about Catching Phishers.)
Phishing Trends
According to Symantec, overall targeted attacks were up 42% in 2012 over the previous year, while the volume of e-mail phishing scams fell 29%, as many scammers moved to more selective and sophisticated methods.
Some attackers, rather than spamming every user at a company or domain, concentrate on a few high-value targets such as executives (this is known as spear phishing, or whaling when the target is senior management). The objective is to swindle presumably well-paid upper-management professionals into sharing confidential company and personal information. Most phishing, however, is indiscriminate: it can reach anyone, regardless of financial or professional status, and the results can be very costly in both time and money.
How to Protect Yourself from Phishing
Keep your computer or mobile device's anti-virus and anti-malware software installed and up-to-date.
This software helps protect you from the threats you can't see, such as malware attached to or linked from a phishing message. OTS has recommendations for free or inexpensive options. Keep your other software patched as well: tools like Secunia PSI update insecure third-party programs, which reduces the chance that an attachment or link in a phishing message can exploit an unpatched flaw. (Secunia PSI has since been discontinued; the automatic updaters built into current operating systems and browsers serve the same purpose.) Note that patching does not stop you from being tricked into typing a password into a fake site; only attention does that.
Verify URLs in e-mails which appear to be from trusted senders.
The visible text of a link and its real destination can differ, so hover over a link to see where it actually goes before clicking. If in doubt, type the address yourself instead of clicking the link.
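The following Python script is an added example and is not part of the original OTS page; it shows the kind of checks a mail filter or a careful reader applies to the links in a message. The HTML message body, the trusted-domain list and the hostnames in it are constructed for this example. It flags the common disguises: link text that shows one domain while the href points to another, a trusted name used only as a subdomain of an attacker's domain, credentials before an "@" that make the real host easy to miss, bare IP addresses, punycode or non-ASCII look-alike hostnames, and non-web schemes.

```python
"""Inspect the links in an HTML e-mail and flag destinations that don't match
what they appear to be.  Added example, not code from the original page.
The message body and the trusted-domain list below are constructed for it."""
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: domains this organisation's users would legitimately be sent to.
TRUSTED_DOMAINS = {"example.edu", "bank.example"}

# Constructed sample message: one honest link followed by three disguises.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, unusual activity was detected. Act within 24 hours.</p>
<p><a href="https://www.bank.example/security">https://www.bank.example/security</a></p>
<p><a href="https://www.bank.example.evil.example/login">https://www.bank.example/login</a></p>
<p><a href="https://bank.example@198.51.100.7/verify">Verify now</a></p>
<p><a href="http://xn--bnk-fake.example/">bank.example</a></p>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*?href=["\']([^"\']*)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def extract_links(body):
    """Return (visible text, href) pairs for every <a> in an HTML body."""
    links = []
    for href, inner in ANCHOR_RE.findall(body):
        text = html.unescape(TAG_RE.sub("", inner)).strip()
        links.append((text, html.unescape(href).strip()))
    return links


def registrable_domain(hostname):
    """Last two labels of a hostname.  Simplification: ignores multi-label
    public suffixes such as co.uk, where a real check would use a suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(text, href):
    """Return a list of warnings for one link; an empty list means nothing odd."""
    warnings = []
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # javascript:, data:, file: ... have no business in a mail body.
        return [f"non-web scheme '{scheme}:'"]
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://bank.example@evil.example/ -> the browser goes to evil.example
        warnings.append(f"text before '@' is ignored; real host is {host}")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination is a bare IP address, not a named site")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in hostname (possible look-alike domain)")
    if not host.isascii():
        warnings.append("non-ASCII characters in hostname (possible homoglyphs)")
    dest = registrable_domain(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host and dest != trusted:
            warnings.append(f"'{trusted}' appears in the hostname but the registered domain is {dest}")
    shown = HOST_IN_TEXT_RE.search(text)
    if shown and registrable_domain(shown.group(1)) != dest:
        warnings.append(f"link text shows {shown.group(1)} but it points to {host}")
    return warnings


def scan_message(body):
    """Analyze every link in a message; returns (text, href, warnings) triples."""
    return [(text, href, analyze_link(text, href)) for text, href in extract_links(body)]


if __name__ == "__main__":
    for text, href, warnings in scan_message(SAMPLE_EMAIL_HTML):
        verdict = "OK" if not warnings else "SUSPICIOUS"
        print(f"[{verdict}] {text!r} -> {href}")
        for w in warnings:
            print("   -", w)
```

Run as-is, the first link passes and the other three are flagged. The registrable-domain check is deliberately simplified; a production filter would consult the Public Suffix List so that names such as example.co.uk are handled correctly.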
Before submitting sensitive information online (like credit card numbers when making a purchase), verify that the site is the one you intend to use and that the connection is encrypted.
Look for "https" in the URL and a valid certificate (the padlock), which means data in transit is encrypted and therefore harder to intercept. Encryption alone is not proof of legitimacy, though: phishing sites can and do obtain valid certificates for their own domains, so the padlock only confirms that you are talking securely to whatever hostname is in the address bar. Read that hostname.
Pay attention to certificate warnings. Don't just click "OK."
This is currently a major issue. Browsers check the certificate a site presents and show a warning when something is wrong, but most users click "OK" without reading the message. The names in the certificate's Subject Alternative Name field must match the hostname of the site that returned it (older guidance points to the Subject Common Name, which current browsers no longer consult). If the certificate is expired, self-signed, or issued by an authority your browser does not trust, stop and be careful; a sudden warning on a site that never produced one before is a sign that you may be talking to an impostor.
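To make the matching rule concrete, the following Python code is an added example, not code from the original page or from OTS. It reproduces the decision a browser makes: the hostname is compared against the certificate's Subject Alternative Name (SAN) entries under the RFC 6125 rules (a wildcard only as the whole left-most label, matching exactly one label), then the validity period and self-signing are checked. The two certificate records are constructed for this example in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and the reference time NOW is fixed so the example runs offline; the "bad" record models a certificate whose Common Name claims the bank's name while its SAN names only the attacker's domain.

```python
"""Check whether a server certificate really belongs to the host you typed.
Added example, not code from the original page.  Browsers match the hostname
against the certificate's Subject Alternative Name entries, not the Common
Name; the functions below apply the RFC 6125 DNS-name rules and the validity
period.  The certificate records are constructed to mirror the dict shape
returned by ssl.SSLSocket.getpeercert()."""
import ssl
from datetime import datetime, timezone

# Constructed reference time, so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: a properly issued certificate for the bank's site.
GOOD_PEERCERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA R1"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}

# Constructed: an attacker's self-signed, expired certificate whose Common
# Name claims the bank's name while its SAN names only the attacker's domain.
BAD_PEERCERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "issuer": ((("commonName", "www.bank.example"),),),
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Jan 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "evil.example"),),
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one SAN dNSName against a hostname.
    A wildcard is allowed only as the entire left-most label and matches
    exactly one label: *.bank.example covers www.bank.example but neither
    bank.example nor a.b.bank.example, and *.example is refused outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def from_peercert(peercert):
    """Flatten the getpeercert() dict into the fields the check needs."""
    def first_value(name, key):
        for rdn in name:
            for k, v in rdn:
                if k == key:
                    return v
        return None

    def to_dt(cert_time):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

    return {
        "subject_cn": first_value(peercert.get("subject", ()), "commonName"),
        "san": [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"],
        "not_before": to_dt(peercert["notBefore"]),
        "not_after": to_dt(peercert["notAfter"]),
        "self_signed": peercert.get("issuer") == peercert.get("subject"),
    }


def check_certificate(cert, hostname, now=None):
    """Return the reasons a browser would warn; an empty list means it fits."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not any(dns_name_matches(n, hostname) for n in cert["san"]):
        msg = f"no SAN entry matches {hostname}"
        if cert["subject_cn"] and dns_name_matches(cert["subject_cn"], hostname):
            msg += " (only the Common Name does, which browsers no longer accept)"
        problems.append(msg)
    if now < cert["not_before"]:
        problems.append("certificate is not yet valid")
    if now > cert["not_after"]:
        problems.append("certificate has expired")
    if cert["self_signed"]:
        problems.append("self-signed: issuer is the site itself, not a trusted CA")
    return problems


if __name__ == "__main__":
    for label, peercert in (("good", GOOD_PEERCERT), ("bad", BAD_PEERCERT)):
        problems = check_certificate(from_peercert(peercert), "www.bank.example", NOW)
        print(label, "->", problems or "no problems")
```

On a live connection, a context from ssl.create_default_context() already performs these checks before getpeercert() returns the dict; the example spells the decision out so you can see which fields matter, and why a certificate whose Common Name looks right can still be rejected.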
Never send your password or other sensitive information in response to a request, whether it arrives by e-mail, text message, or phone.
OTS and other trustworthy organizations will never ask for your password, by e-mail or otherwise; they can work with your account without it.
If you're unsure about an e-mail, verify it with the sender through a channel you already trust.
You can always call an institution (such as your bank) to ask whether they tried to contact you. Use the phone number printed on your card, statement, or the institution's official website, not a number supplied in the suspicious message.
Think You've Been a Target?
Report phishing attempts:
- Forward messages to: phishing-report@us-cert.gov
- Report phishing pages at: https://www.google.com/safebrowsing/report_phish/
- Contact the Anti-Phishing Working Group (APWG): https://www.antiphishing.org
If your sensitive information has been compromised by a phishing attack, see this guide on what to do next.