Avoid Phishing and Identity Theft

Phishing has emerged as one of the most potent forms of mass identity theft, and has proven to be a very effective way to trick sometimes millions of users at a time into revealing confidential information that can then be used to steal their identities.

Phishing attacks usually start as an email from what appears to be a legitimate and well known company, often a bank or credit card company. In most cases the email will claim that the company is either verifying or updating account information, or conducting a security exercise, and in order to do so requires you to verify your username and password information to keep your account up-to-date.

The email often includes a veiled threat, for example that your account will be closed within 24 hours if you don't respond immediately. It then usually links to a bogus website, or may even carry an HTML form built into the message so you can enter your information without visiting a website at all. Because the emails and websites are made to look identical to those of well-known brands, this kind of attack is also known as "brand spoofing"; according to the Anti-Phishing Working Group (APWG), an estimated 150 established companies or brands have their names hijacked by phishers and identity thieves every month.

Phishing is like an epidemic within an epidemic. As a very effective identity theft tactic, it's estimated that organized crime gangs send out more than eight billion phishing emails every single month.

So Why Go Phishing?

Why would professional hackers and crime gangs invest so much effort in swamping consumers with so many bogus emails? Because it works. A study by Gartner Research found that an estimated 3.2 million Americans fell for phishing scams, losing between them a staggering $3.6 billion.

Phishing schemes can also use convincing bogus emails to lure users to a "loaded" website. "Loaded" means the site is not only a fake that tries to trick users into revealing confidential information such as a credit card number; it also delivers a worm or virus to the visitor's computer, adding extra punch and helping to spread the phishing mail to thousands of other users. Security experts call these "blended attacks," where two or more attacks are combined for maximum impact.

Of course, when the first phishing expeditions appeared they were very easy to spot. For one thing the emails were fairly crude, and the very poor spelling and grammar were usually enough to expose the fraudulent emails. But today the emails and websites are much more sophisticated, using realistic graphics, logos, and marketing language you'd expect from a professional company. And unfortunately that's going to make these attacks increasingly hard to detect.

What we have learned from these kinds of attacks is that identity thieves are constantly adjusting and improving their attacks, and always with the focus on getting into our comfort zone where we trust the party sending us the email because we think we know them. It's just another example of getting inside the minds of victims and luring them into familiar territory where a theft is easiest.

So Why Does Phishing Work?

Mainly because of poor consumer education and lack of awareness. In a Harvard University and UC Berkeley study called "Why Phishing Works" (Dhamija, Tygar and Hearst, 2006), participants were shown a series of websites and asked simply whether each was genuine; the best phishing site fooled 90% of them.

That site was a spoofed Bank of the West page at www.bankofthevvest.com (a double "v" in place of the "w"), dressed up with a padlock in the page content, a spoofed VeriSign logo, a bogus certificate validation seal, and a pop-up consumer security alert; 91% of participants judged it legitimate.

And when presented with the genuine E*Trade site, a legitimate secure page with a simple, graphic-free design optimized for mobile browsers, 77 percent of participants judged it to be a fake. Nearly a quarter of participants never looked at the address bar, status bar or browser security indicators on the phishing sites at all.

Related Terms

Pharming is a term used to describe attacks that deliver users to bogus websites without a lure email. In its strict sense it means tampering with name resolution (a poisoned DNS resolver cache or a modified hosts file) so that even a correctly typed address lands on the attacker's server; the term is also used loosely, as here, for bogus sites registered under Web addresses very similar to legitimate ones. Those sites lie in wait for unwary users to stumble across them or mistype a URL, and then submit sensitive information in the belief they are on the legitimate site. In any one month there are an estimated 15,000 live phishing or pharming websites online waiting to trap careless surfers.
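Both the bankofthevvest.com site from the study above and the mistyped-address sites described under pharming rely on a domain that looks like the real one. The following Python check is an added example, not part of the original article or of the Dhamija study: it folds common visual confusables (such as "vv" for "w" or "0" for "o"), catches the genuine brand name buried as a subdomain of an attacker's domain, and measures edit distance against an allowlist of the domains a user actually banks with. The allowlist, the confusable table and the sample message are all constructed for the illustration.

```python
"""Flag lookalike domains in links found in a message body.

Added example. LEGIT_DOMAINS, CONFUSABLES and SAMPLE_MESSAGE are
constructed for the illustration and are not data from the article.
"""
import re

# Constructed allowlist: the domains this user really has accounts with.
LEGIT_DOMAINS = {"bankofthewest.com", "etrade.com"}

# Visual confusables. Multi-character pairs come first so that "vv"
# collapses to "w" before any single-character substitution runs.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Fold confusable characters so a lookalike spelling collapses onto the real one."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Keep the last two labels (name + suffix). Adequate for .com-style suffixes;
    a real deployment would consult the Public Suffix List for co.uk and friends."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances between brand names signal typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unknown' for the host part of a URL."""
    m = re.match(r"^(?:https?://)?([^/?#:]+)", url.strip())
    if not m:
        return "unknown"
    host = m.group(1).lower()
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    # Trick 1: the real domain used as a subdomain, e.g. bankofthewest.com.attacker.example
    for legit in LEGIT_DOMAINS:
        if legit in host or legit.split(".")[0] in host:
            return "lookalike"
    # Trick 2: homoglyph or typo variants of the brand label.
    name = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if normalize(name) == brand or levenshtein(name, brand) <= 2:
            return "lookalike"
    return "unknown"


def flag_links(message: str) -> list:
    """Return (url, verdict) for every link in a message that is not on the allowlist."""
    return [(u, classify(u)) for u in URL_RE.findall(message) if classify(u) != "legit"]


# Constructed sample message in the style the article describes.
SAMPLE_MESSAGE = (
    "Dear customer, your account will be closed in 24 hours unless you verify\n"
    "your details at http://www.bankofthevvest.com/verify?id=1 today.\n"
    "Our real site is https://www.bankofthewest.com/ (this link is fine)."
)

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```

The check is deliberately conservative: any host that merely contains a trusted brand is flagged, because a user's own bank never needs to appear inside someone else's domain. Edit distance alone would miss the double-"v" case only if the threshold were 1, which is why confusable folding runs first.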

Vishing or Phowning refers to a more sinister and personal form of phishing that uses phone calls, often just pre-recorded, to trick users into revealing sensitive information. The calls can often purport to come from the IRS or your bank, threatening legal action for unpaid taxes or checks, or from a local court threatening an arrest warrant for failure to appear for jury duty. The scams often use sophisticated interactive voice response systems to sound like they're legitimate.

Spear Phishing is a form of phishing that personally targets victims by using personal information about the user to build trust. This attack can be as simple as using the victim's first name in a phishing email, to phone callers that already know the victim's home address or employer.

So How Can You Avoid Being Phished?

  • Just Say No! Phishing differs from most theft in one important way: to succeed it requires the victim to be a willing, if unwitting, participant. You, the target, have to respond to the phisher's request and hand over your personal information through an email, a website, or a phone call. If you don't cooperate, the crime can't happen.
  • Never provide confidential, personal, or security information in response to any email. If the email claims to be from a financial institution you have an account with, call the institution directly using the customer service number printed on your card or statement or listed on their website, never a number or link taken from the email itself.
  • Teach all family members to be wary of such emails — it only takes one unsuspecting user.
  • Be very careful when typing in the URL or Web address of important websites like your bank or credit card company, and bookmark the correct address once you have reached it. Many bogus phishing or "pharming" websites lie in wait for users to mistype a Web address and then reveal sensitive information to what they think is their bank or ISP.
  • Don't reveal confidential information to phone callers, even if they claim to be from your bank, the IRS or any other organization. A legitimate organization will not ask you to read out a full password, PIN or card number on a call it placed to you; hang up and call back on a number you have verified independently.
  • Minimize the amount of personal information you make available, especially in online communities like LinkedIn, MySpace, Facebook, and Twitter, as well as job hunting resume sites. Thieves can steal this information to create very personal and targeted emails that can be very convincing.
  • Be extra vigilant for phishing emails around major events, like elections and natural disasters. Phishers exploit the media attention to create very real-looking pleas for help or support.

Information obtained from the National Foundation for Credit Counseling.