What is Phishing?
As defined by
webopedia, Phishing is "the act of sending an e-mail to a user falsely
claiming to be an established legitimate enterprise in an
attempt to scam the user into surrendering private information that will be used
for identity theft."
What does a Phishing e-mail look like? View this
sample from the Anti-Phishing Working Group website to see what an
actual Phishing e-mail looks like and what clues would have alerted you to the fact that this was not a real
e-mail from a real bank.
How does Phishing work?
Phishing e-mails are out to do one thing: convince you to provide
your personal information to them. They do this by sending emails that
appear to be from a legitimate business (eBay, banks, credit card
companies, PayPal, etc.) and contain links to forged websites that look
very similar to the real business's website. If you were to enter
personal or financial information at one of these forged web sites, you
would be providing it directly to the criminals, not the actual business
you thought you were contacting.
You may have received e-mails, like the above
example, from organizations you don't even have an account with and have
wondered why people would provide their credit card number to these organizations. The reason is that phishers
don't care about the people that don't respond to their e-mail. Phishers send
out hundreds of thousands of e-mails at a time, to people that may or may
not have accounts at the organization they are falsely claiming to be. The
scammers hope they happen to send their e-mail to people that ACTUALLY have an
account at these businesses. If just
1% of the people respond to their e-mail - they consider it a successful scam!
"... we regret to inform you
your eBay account could be suspended if you do not update your account
information ..."
Think about it. If you do online banking at Southbury Bank and Trust
and you get an e-mail from manager@southburybankandtrust.com, telling you
that your account may have been used for fraudulent charges and they
need you to log in to verify your customer identity, why wouldn't you?
This is the reason that Phishing e-mails have become so popular for
scammers. The more convincing they can make the e-mail, the better their
chances are that you will click the link to go to their fake website.
"We are performing
maintenance and need you to confirm your identity..."
Once they convince you to click on the link in the
e-mail, they send you to a fraudulent website that looks VERY CONVINCING!
The scammers try very hard to convince you that you really are at the
forged bank's website. The URL you clicked on looks real and the website
looks just like the real one. They work very hard to make their
fraudulent website appear to be the real thing; they may even link you
to the original website to view its privacy policy!
If they can con you into believing that the website that you were sent to
really is your bank, then you are just one step away from giving a
scammer your credit card number! Don't be the next Phishing victim! The
best way to protect yourself is to understand how to avoid Phishing
scams as well as becoming familiar with what Phishing e-mails look like.
How to avoid Phishing scams
While online banking and e-commerce are safe, as a general rule you
should be careful about giving out your personal financial information
over the Internet. Use the following recommendations, taken from the
Anti-Phishing Working Group, to avoid being scammed by Phishing e-mails:
- Be suspicious of any e-mail with urgent requests for personal
financial information. Unless the e-mail is
digitally signed, you can't be sure it wasn't forged or
'spoofed'. Phishers typically include upsetting or exciting (but
false) statements in their e-mails to get people to react
immediately. They typically ask for information such as usernames,
passwords, credit card numbers, social security numbers, etc.
Legitimate companies don't ask for this
information via e-mail. Phishing e-mails are typically NOT personalized, while valid messages
from your bank or e-commerce company generally are.
- NEVER use the links in an e-mail to get to any web page.
Instead, call the company on the telephone with a phone number you
know to be genuine, or log onto the website
directly by typing in the web address of your bank in the browser.
Don’t cut and paste the link in the
message!
Never click on an email link claiming to
be from a CCC system administrator asking for your user name and
password to a CCC system. We will NEVER ask you to provide personal information
or account information via email.
There are two tricks that phishers use when presenting you with
links inside an e-mail. The first is that the link text shown to you
may be the real website's address, but when you click on it you are
directed to a different website.
For example, you may see the link displayed as
http://www.ebay.com, yet
when you click on it, it takes you to this website, which is NOT
eBay's site:
http://www.amazon.com. You can see for yourself
how this works. Hover over
the first link and look at the lower left-hand corner of your
browser. You will see that it actually directs you to www.amazon.com and NOT www.ebay.com, which you thought you
were going to. They are banking on the fact that most people
wouldn't even look at the URL they went to as long as the content of
the website looks like what they expect!
The second trick is to use a website address that is similar
enough to the real website's to make you think that it is real. For
example, the e-mail would contain a link to
http://www.yourbankonline.com when your bank's real website is
http://www.yourbank.com. Or you may see the IP address of a website
in the link, the phisher hoping you won't try to verify who that IP address
actually belongs to. For example:
http://321.321.321.321/yourbank/onlinebanking. As long as the
content of the website looks like what you expect, you probably
wouldn't think to verify the IP address.
- Avoid filling out forms in e-mail messages that ask for personal
financial information. E-mail is not a
secure method of transmitting personal information. You
should only communicate information such as credit card numbers or
account information via a secure website or the telephone.
- Never submit credit card information or social security
information via http; always make sure you are using https (secure
http). Always ensure that you're using a secure website when submitting
credit card or other sensitive information via your web browser. To make sure you're on a secure
web server, check the
beginning of the address in your browser's address bar - it
should be "https://" rather than just "http://".
You also need to verify that the lock icon is present in the lower
right-hand corner of your browser window. NOTE: Even if the address
begins with https, a forged page can still be made to appear secure (by
showing https) when the connection is not actually secure; in that case
the lock icon will be missing, so check for both.
- Regularly log into your online accounts and check your bank, credit and debit card
statements. Ensure that you are familiar with your bank's online
website content as well as its URL. Ensure that all transactions on your
statements are legitimate. If anything is suspicious, contact your bank and all card
issuers.
- Ensure that your browser is up to date and security patches
are applied.
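The link tricks described above (display text that points somewhere else, look-alike domain names, raw IP addresses) and the plain-http check can be turned into a small scanner that runs over an e-mail body before anyone clicks. The following Python example is added here as an illustration and is not code from the original page or from the Anti-Phishing Working Group; the sample e-mail body, the trusted-domain list and every function name in it are constructed for this example.

```python
"""Flag suspicious links in an HTML e-mail body (added illustration).

Checks implemented, matching the advice on this page:
  1. visible link text that looks like a URL but whose site differs from the href
  2. href host that imitates a trusted domain without being it (look-alike)
  3. href host that is a raw IP address instead of a domain name
  4. href that uses plain http rather than https
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed: the domains the reader actually has accounts with.
TRUSTED_DOMAINS = {"ebay.com", "yourbank.com"}

# Constructed sample e-mail body reproducing the tricks described in the text.
# 203.0.113.5 is a documentation-only address used here as a placeholder.
SAMPLE_EMAIL_HTML = """
<p>We regret to inform you your account could be suspended.</p>
<p>Update here: <a href="http://www.amazon.com/">http://www.ebay.com</a></p>
<p>Or log in at <a href="http://www.yourbankonline.com/login">Online Banking</a></p>
<p>Or at <a href="http://203.0.113.5/yourbank/onlinebanking">secure login</a></p>
<p>Privacy policy: <a href="https://www.yourbank.com/privacy">https://www.yourbank.com/privacy</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude 'last two labels' approximation of the registered domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _is_ip_literal(host):
    """True for an IPv4/IPv6 literal, or anything that merely looks dotted-quad."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return True
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text, re.IGNORECASE))


def _lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None.

    A host imitates a trusted domain when it embeds the brand label
    (e.g. 'yourbankonline.com' contains 'yourbank') but is neither that
    domain nor one of its subdomains."""
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in host:
            return trusted
    return None


def analyze_links(html_body):
    """Return [(href, [reasons])] for each link that trips at least one check."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = _host(href)
        if _is_ip_literal(host):
            reasons.append("raw IP address instead of a domain name")
        if _looks_like_url(text):
            shown = _host(text if "://" in text else "http://" + text)
            if _registrable(shown) != _registrable(host):
                reasons.append("visible link text points to a different site than the href")
        imitated = _lookalike_of(host)
        if imitated:
            reasons.append(f"look-alike of {imitated}")
        if urlparse(href).scheme.lower() == "http":
            reasons.append("plain http, not https")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

On the constructed sample, the three scam links are each flagged for two reasons and the genuine https privacy-policy link passes cleanly. The look-alike check is deliberately simple (substring of the brand label); a production filter would use a proper public-suffix list and a far larger brand list, but the shape of the check is the same.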
How to identify Phishing e-mails
Another way to avoid Phishing scams is to become accustomed to what
Phishing e-mails look like. The Anti-Phishing Working Group has a great
archive of submitted samples, along with helpful comments on what makes
each one a "good" Phishing e-mail (such as the message using an http link
where the genuine company's website uses https).
http://antiPhishing.org/Phishing_archive.html
If you've looked
through the Phishing archive and still aren't sure about an e-mail you've
received,
you can e-mail it to security@commnet.edu
(without clicking on the link in the e-mail first of course!) and we'll let you
know.
Reporting Phishing e-mails
You can report Phishing e-mails to the following
groups:
What to do if you've given out your personal information
The Anti-Phishing Working Group already has information on what to do
if you've been fooled by a Phishing e-mail and may have provided your
personal information to a scammer. You can find out what your next steps
should be by going to their link provided here:
http://antiPhishing.org/consumer_recs2.html