Phishing Attacks

Phishing[11] attacks are conceptually very simple. First, set up a fake website for a financial institution (or some other site that deals in financial information). The website needs to look authentic enough that some people will be tricked into entering their login credentials (username and password). Then put together an email that includes a link to this fake website with some dire warning that will get people into an agitated frame of mind so they will click before they think. Once they get to the fake site and enter their credentials, you now have their account information. Cleaning them out financially is the easiest part.

Worldwide losses from phishing attacks were estimated to be over $1.8 billion in 2012 alone.[12]

Most phishing attacks purport to come from banks, payment services and retail services,[13] but they may take any number of forms. The common thread is a link to a fake website and a desire to obtain usernames and passwords. Like spam ads, it doesn’t take many people clicking to make a phishing attack worth the effort. But also like spam ads, protecting oneself from phishing attacks is fairly straightforward.

Phishing attacks always include signs that give away the scam:[14]

  • The link in the email doesn’t actually go to your institution. Hovering your cursor over the link in the mail will display the real web address it points to, which may differ from the text shown. Of course, if you’re at all uncomfortable about how to read a URL, this may not provide ultimate protection. If you are comfortable reading URLs, you’ll see immediately what’s wrong with the linked address.
  • The email does not identify you by name. “Dear Valued Customer” is a dead giveaway. Real companies and banks know who you are and if they have some concern about your account, they will address you directly.
  • The logo or other information is obviously wrong, or not from your bank. This is a tip-off as long as you remember your bank’s logo.
  • The email text is poorly written or has goofy grammatical problems that your bank would never make.
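The first two signs in the list above can be checked mechanically. The script below is an added example (not from the original text or its cited sources): it parses the anchor tags of an HTML email, compares where each link really goes with the address shown to the reader, flags destinations outside a trusted domain, and looks for a generic "Dear Valued Customer" greeting. The sample email, the trusted domain `example-bank.com` and the greeting patterns are all constructed placeholders; the two-label rule in `registrable_domain` is a simplification that a production tool would replace with a Public Suffix List lookup.

```python
"""Flag the tell-tale phishing signs in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text shows the bank's address, but the href
# actually points at a look-alike host on a completely different domain.
SAMPLE_EMAIL = """
<p>Dear Valued Customer,</p>
<p>Your account will be closed. Click
<a href="http://example-bank.com.login-verify.example.net/acct">
https://www.example-bank.com/login</a> to verify your details.</p>
"""

# Placeholder: put your institution's real registrable domain(s) here.
TRUSTED_DOMAINS = {"example-bank.com"}

# Assumed list of impersonal salutations that a bank would not use.
GENERIC_GREETING = re.compile(r"dear\s+(valued\s+)?(customer|user|member|client)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def href_host(url):
    """Hostname of a URL, or '' when there is none (relative link, javascript:, ...)."""
    return urlparse(url).hostname or ""


def registrable_domain(host):
    """Last two labels of a hostname: 'login.example-bank.com' -> 'example-bank.com'.
    Assumption: a simple two-label rule; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return a warning per link that leaves the trusted domain or that
    displays one address while pointing at another."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        actual_host = href_host(href)
        actual = registrable_domain(actual_host)
        if actual not in trusted:
            warnings.append(f"link goes to {actual_host} (not a trusted domain)")
        # If the visible text itself looks like a URL, it must agree with the href.
        if "://" in text or text.startswith("www."):
            shown_url = text if "://" in text else "http://" + text
            shown = registrable_domain(href_host(shown_url))
            if shown != actual:
                warnings.append(f"displayed {shown} but destination is {actual}")
    return warnings


def has_generic_greeting(html):
    """True when the email opens with an impersonal salutation."""
    return GENERIC_GREETING.search(html) is not None


if __name__ == "__main__":
    for w in check_links(SAMPLE_EMAIL):
        print("WARNING:", w)
    if has_generic_greeting(SAMPLE_EMAIL):
        print("WARNING: generic greeting, the sender does not know your name")
```

Run on the constructed sample, the script reports that the link really goes to `example-bank.com.login-verify.example.net`, that the displayed address (`example-bank.com`) disagrees with the true destination (`example.net`), and that the greeting is impersonal. The same hover-and-compare check is what a careful reader does by eye; the code just makes the comparison explicit.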

A computer-savvy user is going to spot a phishing email essentially all the time. What if you’re not that savvy? You are, of course, their target, so you need to know how to safely navigate this space. Some studies have shown that only about half of subjects were able to correctly identify a phishing attack email.

The most critical thing you can do to protect yourself from a phishing attack is to not rely on the link in the email. If you get a message saying your bank account is about to be closed (or some other equally distressing financial revelation), go to your bank’s website the way you always do (by typing the address yourself, or using a previous bookmark). You can even do it the old-fashioned way and call a customer service representative at your bank. The only way to get hooked by a phishing attack is to visit the fake site, and the only way to do that is by clicking on the link they provide you in the email.


[11] The use of “ph” for “f” in hacking culture goes back at least as far as “phone phreaking” in the 1980s. Therefore “phishing” is “fishing” with a hacker’s twist.
[12] “Phishing Kits—The Same Wolf, Just Different Sheep’s Clothing,” RSA Monthly Online Fraud Report (Feb. 2013), accessed Dec. 14, 2013. http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012013.pdf
[13] “Phishing Activity Trends Report,” APWG (2012), accessed Dec. 14, 2013. http://docs.apwg.org/reports/apwg_trends_report_q2_2012.pdf
[14] Adapted from and expanded on a list provided in: Steven Furnell, “Phishing: Can We Spot the Signs?” Computer Fraud & Security 2007, no. 3 (2007): 10-15.