12 Steps To Avoid Internet Phishing Scams
Published: Jun 24, 2005
By Steven Warren, MCSE, MCDBA
Some computer users (and even some IT professionals) have been confused about the definition of a phishing scam. What exactly is a phishing attack? A phishing attack is when you receive an official-looking e-mail from an online banking or financial institution—including eBay and PayPal, or any other service that deals with money. The e-mail states that you should click on a link and confirm your login and password for that particular institution (or enter your account number or credit card number).
As soon as you click on the link, you are sent to a Web page that looks remarkably similar to the company's real Web site, but it is not the company's real Web site. What happens is you are sent to a fake page that is controlled by the criminal who is behind the phishing scheme. As soon as you type your login/password, account information, or credit card number, the hackers capture the information and then steal your identity or money using your information. Below are 12 steps that users can take to keep from being victimized by phishing scams.
Avoid Phishing Scam Tip 1: Keep Antivirus Up To Date
One of the most important things you can do to avoid phishing attacks is to keep your antivirus software up to date because most antivirus vendors have signatures that protect against some common technology exploits. This can prevent things such as a Trojan disguising your Web address bar or mimicking an https secure link. If your antivirus software is not up to date, you are usually more susceptible to attacks that can hijack your Web browser and put you at risk for phishing attacks.
Avoid Phishing Scam Tip 2: Do Not Click On Hyperlinks In E-Mails
It is never a good idea to click on any hyperlink in an e-mail, especially from unknown sources. You never know where the link is going to really take you or whether it will trigger a malicious code. Some hyperlinks can take you to a fake HTML page that may try to scam you into typing sensitive information. If you really want to check out the link, manually retype it into a Web browser.
Avoid Phishing Scam Tip 3: Take Advantage Of Anti-Spam Software
Anti-spam software can help keep phishing attacks at a minimum. Many attacks come in the form of spam. By using anti-spam software, you can prevent most types of phishing attacks because the message will never end up in your mailbox.
Avoid Phishing Scam Tip 4: Verify HTTPS (SSL)
Whenever you are passing on sensitive information such as credit cards or bank information, make sure the address bar shows "https://" rather than just "http://" and that you have a secure lock icon at the bottom right hand corner of your Web browser. You can also double-click the lock to guarantee the third-party SSL certificate that provides the https service. Many types of attacks are not encrypted but mimic an encrypted page. Always look to make sure the Web page is truly encrypted.
Avoid Phishing Scam Tip 5: Use Anti-Spyware Software
Keep spyware down to a minimum by installing an active spyware solution and also scanning with a passive solution. If for some reason your browser is hijacked, anti-spyware software can often detect the problem and safely remove it.
Avoid Phishing Scam Tip 6: Get Educated
Educate yourself on how to prevent these types of attacks. A little research on the Internet may save you a great deal of pain if you are ever the victim of identity theft. You can report any suspicious activity to the FTC (in the U.S.). If you get spam that is phishing for information, forward it to firstname.lastname@example.org. You can also file a phishing complaint at the "www.ftc.gov" (Federal Trade Commission). Another great resource is the FTC's identity theft page to learn how to minimize your risk of damage for ID theft. Visit the FTC's spam page to learn other ways to avoid e-mail scams and deal with deceptive spam.
Avoid Phishing Scam Tip 7: Use The Microsoft Baseline Security Analyzer (MBSA)
You can use the MBSA to make sure all of your patches are up to date. You can download this free tool from Microsoft's web site. By keeping your computer patched, you will protect your system against know exploits in Internet Explorer and Outlook (and Outlook Express) that can be used in phishing attacks.
Avoid Phishing Scam Tip 8: Firewall
Use a desktop (software) and network (hardware) firewall. On the desktop, you can use a software firewall or use Microsoft's built-in software firewall in Windows XP. The incorporation of a firewall can also prevent malicious code from entering your computer and hijacking your browser.
Avoid Phishing Scam Tip 9: Use Backup System Images
Keep a backup copy or image of all systems in case of foul play. You can then revert back to a pure system state if you suspect that a phishing attack, spyware, or malware has compromised the system.
Avoid Phishing Scam Tip 10: Don't Enter Sensitive Or Financial Information Into Pop-Up Windows
A common phishing technique is to launch a bogus pop-up window when someone clicks on a link in a phishing e-mail message. This window may even be positioned directly over a window you trust. Even if the pop-up window looks official or claims to be secure, you should avoid entering sensitive information because there is no way to check the security certificate. Be sure to close pop-up windows by clicking on the X in the top-right corner. Clicking cancel may send you to another link or download malicious code.
Avoid Phishing Scam Tip 11: Secure The Host File
A hacker can compromise the hosts file on a desktop system and send a user to a fraudulent site. Configuring the host file to read-only may alleviate the problem, but complete protection will depend on having a good desktop firewall that protect against tampering by outside attackers and keep browsing safe.
Avoid Phishing Scam Tip 12: Protect Against DNS Pharming Attacks
This is a new type of phishing attack that doesn't spam you with e-mails but poisons your local DNS server to redirect your Web requests to a different Web site that looks similar to a company Web site (e.g. eBay or PayPal). For example, the user types in eBay's Web address but the poisoned DNS server redirects the user to a fraudulent site. This is what is considered new age phishing. This needs to be handled by an administrator who can use modern security techniques to lock down the company's DNS servers.
As the technologies get better and better, the people behind the phishing scams also become more devious. They now use pop-up windows, official logos, and mock-secure connections copied from actual Web sites.Tagged:
phishing, privacy protection, identity theft