Phishing Scams
Note: This story may not be current. It is part of the IT News Archive, and exists as a historical document.
When you think of fishing, an outdoor activity comes to mind. But, thanks to online spammers, the word has now become synonymous with a scheme that is neither fun nor relaxing.
Phishing, pronounced "fishing," is so named because computer spammers use fraudulent email messages to "fish" for information in an attempt to entice recipients into divulging personal data such as credit card or bank account numbers, Social Security numbers, and passwords. Once this information is in the hands of a "phisher," it can be exploited for financial gain or other malicious purposes.
Phishing On the Rise
Identity theft is the number one crime in the United States, and phishing is one of its fastest growing forms. Although this form of fraud is relatively new, its prevalence is exploding. For example, from November 2003 to May 2004, phishing attacks increased by 4000%.
Research shows that when people are shown a phishing email message, even after they've been told it's suspicious, 1 out of 10 are still fooled into acting on it. In a June 2004 report from the Gartner Group, the leading provider of research and analysis on the IT industry, a consumer survey revealed that 57 million Americans think they've received a phishing email and, more importantly, 1.8 million of those who reported receiving such an email said they responded, disclosing personal or financial information. Of this number, half became victims of some form of identity theft-related fraud.
Phishing Characteristics
What makes phishing so insidious and dangerous, and yet so compelling to many users, is the fact that phishing email messages usually appear to come from trusted sources, including very well known and established companies such as Citibank, eBay, Verizon, Amazon, Visa, Washington Mutual Bank, AT&T, and even Microsoft.
Spammers also send out phishing messages that appear to originate from company management or a colleague within your organization, and even U.S. government agencies have been listed in the "from" addresses of phishing email messages.
Another technique phishers employ to give the appearance of authenticity is to incorporate legitimate company graphics, layout, content, and Web links within their fraudulent messages. Messages appear credible, leading victims to take actions that seem reasonable in a business context, such as verifying personal, financial, or company information.
Differences Between Phishing and Spam Messages
Given that phishing email is unsolicited, it is a form of spam. However, the differences between old-style spam and phishing email are critical. Old-style spammed email is often authentic, albeit a nuisance, promoting a real product or service, while phishing email messages are based on fraud and deceit. While spammers often seek attention through the use of their messages, phishers avoid attention, masquerading as a trusted source in order to get you to divulge information they can use for their own malicious purposes.
Top Ten Tricks Used in Phishing Emails
Phishing emails are designed to be difficult for recipients to recognize. Phishers know they must gain your trust before you will respond. Listed here are some common tricks phishers employ to make emails and Web sites look and act legitimate.
- Phishing messages mimic reputable companies, such as Citibank, eBay, and PayPal, and can often include links to sections of a real company's Web site in order to fake authenticity.
- Phishing messages appear to originate from a reputable company, but are often set to reply to a fraudulent address.
- Phishers, in order to create a plausible premise so users will divulge their sensitive information, send official looking messages claiming that the recipient's account information is outdated, a credit card has expired, or the account has been randomly selected for verification.
- Phishers usually don't have much time to collect information before their sites are shut down. As a consequence, their messages often claim that the recipient's account has expired and threaten to terminate the account if the recipient doesn't log in through the link provided within the next 24 hours.
- Phishing emails are designed to assure the recipient that the transaction being requested is secure and that their information will be kept private. Phishers sometimes include the TRUSTe symbol at the bottom of an email in order to promote the appearance of a message's legitimacy.
- Phishing emails sometimes use forms within the message to harvest information.
- Phishing messages often contain links to apparently legitimate but fraudulent Web sites from which recipient information is gathered.
- Phishing messages sometimes fake a secure connection by using URLs beginning with https://, indicating that information is being sent over a secure connection.
- Phishing messages often contain links to fake sites that can quickly process information provided by the victim as soon as it is submitted; e.g., credit card numbers run on the spot to ensure they are valid or that there are sufficient funds.
- Phishers often attempt to buy time before their victims check on their accounts by indicating it will take a certain amount of time for their account to be updated.
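As an added illustration, not code from the original article, the following Python script checks an email message for several of the tricks listed above: a reply address on a different domain than the "from" address, a form embedded in the message body, a link whose visible text shows one site while its target points to another, and "act within 24 hours" style pressure. The two sample messages, the domain names in them, the wording patterns, and the scoring threshold are all constructed for this example; a real mail filter would use far richer signals, but the mechanics of each check are the same.

```python
"""Flag constructed email messages that show the phishing tricks listed above.

Added example, not part of the original article. Sample messages, domains,
urgency patterns and the threshold are all constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: mimics a bank, replies to another domain, demands action
# within 24 hours, embeds a form, and hides the real link target behind text.
SUSPICIOUS_MESSAGE = """\
From: "Example Bank Security" <alerts@example-bank.test>
Reply-To: verify@mail-update-center.test
Subject: Account verification required
Content-Type: text/html

<html><body>
<p>Your account information is outdated. Please verify within 24 hours
or your account will be terminated.</p>
<form action="http://mail-update-center.test/verify" method="post">
<a href="http://mail-update-center.test/login">https://www.example-bank.test/login</a>
</form>
</body></html>
"""

# Constructed sample: an ordinary notice that does none of the above.
BENIGN_MESSAGE = """\
From: "Example Bank" <notices@example-bank.test>
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement for this month is available in online banking.</p>
<a href="https://www.example-bank.test/statements">View statements</a>
</body></html>
"""

# Constructed phrases matching the "respond now or lose your account" trick.
URGENCY_PATTERNS = [r"within \d+ hours", r"will be terminated",
                    r"account (?:has )?expired", r"randomly selected"]


class _LinkFormParser(HTMLParser):
    """Collect (href, visible text) for each anchor and note any <form> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_form = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        elif tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address_or_url):
    """Hostname of a URL, or the part after '@' of an address, without 'www.'."""
    if "://" in address_or_url:
        host = urlparse(address_or_url).hostname or ""
    else:
        host = address_or_url.rsplit("@", 1)[-1]
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def phishing_indicators(raw):
    """Return the names of the indicators found in one message string."""
    msg = message_from_string(raw)
    found = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        found.append("reply-to domain differs from From domain")
    body = msg.get_payload()               # single-part message: body as str
    parser = _LinkFormParser()
    parser.feed(body)
    if parser.has_form:
        found.append("form embedded in message body")
    for href, text in parser.links:
        # Visible text that looks like a URL but points somewhere else.
        if text.startswith("http") and _domain(text) != _domain(href):
            found.append("link text shows a different site than its target")
            break
    text_only = re.sub(r"<[^>]+>", " ", body).lower()
    if any(re.search(p, text_only) for p in URGENCY_PATTERNS):
        found.append("urgency or account-termination pressure")
    return found


def is_likely_phishing(raw, threshold=2):
    """Constructed rule: two or more independent indicators is enough to flag."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, is_likely_phishing(sample), phishing_indicators(sample))
```

Each check is deliberately independent, so a message that trips only one (a legitimate newsletter with a Reply-To on a mailing-service domain, for example) is not flagged on its own; the combination is what separates the constructed phishing sample from the constructed benign one.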
Things You Can Do to Protect Yourself From Phishing Attacks
Educating yourself about the dangers of phishing is critical to preventing theft of your personal and financial information. Here's what you can do to avoid falling prey to these fraudulent schemes:
- Never respond directly to email requesting personal information.
- If you doubt a message's authenticity, verify it by contacting the institution itself.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who they're from.
- Avoid filling out forms in email messages asking for personal financial information.
- Avoid spoofed sites by typing the URL directly into your browser's address bar yourself.
- When prompted for a password, give an incorrect one first. A phishing site will accept it; a legitimate one won't.
- Determine if a Web site is secure by looking at the bottom of your browser's window for an icon of an unbroken key or a lock that's closed, golden, or glowing. Double-clicking on the lock displays the site's certificate, which you can check to verify it matches the company you think you're connected to.
- Ensure your browser is up-to-date and security patches are applied regularly.
- Use up-to-date anti-virus software.
- Review your credit card and bank statements at least monthly.
- Forward fraudulent messages to the Federal Trade Commission at spam@uce.gov and the Anti-Phishing Working Group at reportphishing@antiphishing.org.
Other Information
Access to two informative articles on phishing is provided below:
- Avoiding Social Engineering and Phishing Attacks by the Computer Emergency Readiness Team, a unit of the U.S. Department of Homeland Security
- How Not to Get Hooked by a 'Phishing' Scam by the Federal Trade Commission, the nation's consumer protection agency
Since phishing is a form of spam, you may also be interested in the university's informational Web site on spam at www.uh.edu/infotech/spam.
If you'd like additional information or require assistance, you can contact your local IT support representative or the IT Support Center at 713-743-1411 or support@uh.edu.
