That is one nasty looking fish! Yet, it operates very similarly to how phishing scam authors work. Phishing email has been around for quite some time and the problem seems to grow bigger every year. One of the main reasons is that the attack does not focus on hacking some computer or machine but rather on the computer users themselves. Yes, you read that right. A human can be hacked as well! Although probably not in the way you’re thinking of it at first, after reading about phishing emails, you’ll know exactly what I mean.
I’ve mentioned this before but it’s worth mentioning again here, and again in the future. The more popular something gets, the more attackers will target it. Why do you think the Microsoft Windows operating system gets more vulnerabilities when compared to Linux or Apple’s? Why is it that Twitter and Facebook are more preferable platforms for attackers than other smaller social networking sites? Why is it that hackers focus more on exploiting Internet Explorer than on Opera or Chrome? It’s easy. They are more popular and therefore have the larger user base, which will yield better results. However, don’t believe that those apps are the only threats. Online services can get it as well, and one of the most used online services today is being taken advantage of by scammers wanting to make a quick buck. Ladies and gentlemen, I present to you, email!
The Weakest Link
If you received an email right now claiming to be from your bank, telling you that ‘something’ is wrong with your account and asking you to immediately log in to the website by clicking on the provided link, would you do it? Yes? No? Maybe? What if the email looked completely legitimate, included logos of your bank and just had that ‘professional’ look and feel to it? Would you do it then? If you said no, then congratulations, you have just defeated what is called a phishing email scam. But wait, what about your parents or other siblings and friends? Would they click on it and give their private login credentials to the scammers? Sad to say, phishing email has a pretty decent rate of success, as most users are not aware of scams such as these.
Phishing emails are scam emails sent by phishers (the attackers) in hopes of ‘luring’ potential victims onto their bogus website and getting them to provide some type of personal information. This could be your social security number, credit card numbers, usernames and passwords. The trick only works if the phisher can manipulate you into clicking on one of their bogus links. This might not work on security-conscious users, but the same can’t be said about your grandma or parents who don’t know anything about computer security, and so this is where these scammers make their money. The sad part is that the users don’t even know about it until it’s too late to do anything about it (empty bank accounts). And even then, they probably wouldn’t guess that providing their banking credentials to a bogus website two months earlier was the reason behind everything.
These types of attacks are labeled as social engineering attacks in that, rather than attacking complicated computer systems to gain the desired information, they simply attack the weakest link: the human behind the computer screen. Think about it. If I’m an attacker, why would I spend all my time and effort trying to break into some high-tech computer system in hopes of obtaining your credit card number when I can simply just ‘ask’ for it? Social engineering attacks can be hard to prevent because they are not a technical problem. You can’t simply head into your local computer store and purchase a product for X amount of dollars to prevent them from happening. The problem with so many companies today is that some of them actually believe that if there is a problem somewhere, they can simply spend X amount of dollars to purchase some equipment and call it a day. In today’s digital world, that simply doesn’t cut it anymore. We need to spend more time actually training the end users to be more aware of such social engineering attacks and to report one immediately if they spot it.
Phishing Emails
Phishers operate in a similar fashion to anglerfish. They set up an attractive lure, wait for some users to fall into their trap and then quickly go for the kill. Phishing emails aren’t limited to pretending to be from your bank. They come in all sorts and types. In fact, have you ever received an email telling you how some random person died and left a truckload of money for you to inherit as long as you provide them with your credit card number? Yup, you guessed it. That is another popular phishing email type. How about those emails claiming to let you see some pornographic material as long as you install a plugin on the website provided in the link? These are all examples of phishing emails. Although social engineering attacks extend beyond just phishing emails, it is beyond the scope of this article to discuss the many facets of it. If you are interested in knowing more, I highly suggest reading two awesome books written by notorious hacker Kevin Mitnick titled ‘The Art of Deception’ and ‘The Art of Intrusion’. Even if you don’t manage computers for a living, I promise you that these books will entertain you. Besides, wouldn’t you like to know how he gained confidential passwords and data from big-shot companies all without setting foot inside their buildings?
Here are a couple of examples of what actual phishing emails might look like:
The Problems with Phishing Emails
Phishing emails in the past were easily spotted by basically anyone who passed their high school English classes. The emails were horribly crafted, with many spelling and grammatical errors. Also, there weren’t any authentic-looking company logos in the email. Basically, it didn’t look ‘professional’, and that led the reader to have second thoughts about whether or not the email actually came from a legitimate source. Remember, the main goal of the phisher is to get the user to believe in the purpose of the email and ultimately get them to click on a bogus link somewhere in the email that will lead them to a bogus website owned by the phishers themselves. Unfortunately, phishers have grown wiser over the years and can now produce professional-looking emails that even some security experts have a hard time telling apart from the real thing based on appearance alone. One of the only ways to distinguish them is by looking at the real URL at the bottom of your browser when you hover your mouse over the link.
You’re probably now wondering what actually happens if someone does fall victim to the scam. First, of course, they receive the bogus email. Once they believe the email is legitimate, they click on the bogus link provided by the scammers. The link leads them to a bogus site maintained by the phishers. It is the phisher’s job to make the site look as professional as possible, or even match the real site it claims to be as closely as possible, in order not to arouse any suspicion. The site asks the victim to type in some personal information. Once the victim hits the submit button, a couple of things could happen. Remember, this is a bogus site, so there is no way that the phishers can actually log the user in to their real financial account. Therefore, the phisher will sometimes present the user with the ‘Your account username and password did not match’ or ‘Server overload, please try again later’ message over and over again, or the site will actually take the user to their real banking website, where they have to type in the information once again. Although the user might get a little suspicious, they will usually provide the information again, thinking it was just a technical error. This time they will successfully log in to their real account, but little do they know that the damage has already been done. The moment the user submitted the information on the bogus website, it was sent to and stored on the phisher’s own server, ready for them to retrieve at any time. Say goodbye to your credit score.
What Makes Phishing Emails Effective
As mentioned earlier, social engineering attacks, of which phishing emails are a part, prey not on computers with complex firewalls or exploits but rather on the human mind. Emotions and human behaviors play a big part in the success of these types of attacks. Take the emotion of fear, for example. If someone receives an email stating that their bank account will be closed if they do not verify it immediately, the user will more likely act upon it for ‘fear’ of the account actually closing down. How about human kindness? Phishers are the scum of the earth and they stop at nothing if they can make some money out of the situation. Many phishers have taken advantage of real world-wide tragedies and events in hopes of luring in more victims. Examples range from the recent passing of Michael Jackson, which was used to get users to install a malicious plugin in hopes of viewing some secret video of the pop star, to natural disasters, which are used to dupe users into donating money to what they think is the Red Cross or some other charity organization. As you can see, all of these play on the human factor, and installing firewalls, antivirus and anti-spyware software has no benefit whatsoever.
Another reason why phishing scams work is the way phishers mask URL links in the email. Which URL do you think will have better success at getting users to click on it in a scam email: WWW.SUPERSCAM.CHASE.COM or WWW.CHASE.COM/LOGON? Obviously the second is the more professional-looking one; however, with how HTML works, it’s super easy for scammers to hide the real link under the displayed link. For example, I could tell you that clicking on this link will take you to Google’s homepage, www.google.com. In reality, if you clicked on it, it would take you to Microsoft’s homepage. A simple trick like this goes a long way toward tricking the most casual of users. Again, it’s human nature that when we see a link being displayed, we immediately believe that it is ‘supposed’ to take us to the site it displays. Therefore, without even glancing at the real URL destination, most users will immediately just click on it and fall victim to the scam. To simply defeat this trickery, hover your mouse over the displayed URL link and the ‘real’ link will show up at the bottom of your browser.

Combating Phishing Emails
There are many ways to combat phishing emails and not fall victim. For one, use common sense! If an email sounds too good to be true, it’s most likely fake. You didn’t honestly believe you won a million dollars from doing nothing, did you?
There are five main rules when combating phishing scams from emails. I have taken these five rules from the awesome book called Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft by Markus Jakobsson and Steven Myers, pages 261-262. I will go over them here, word for word.
Rule 1: Don’t click on Email Links
Consumers are told that email containing clickable links is a sure sign of a scam. Financial institutions regularly inform their customers that they will never send such emails, and that the consumer should never click on a link in an email. In some cases, it is particularly emphasized that asking for credentials such as login information on a page reached via a clickable link is something only a phisher would do.
Rule 2: Don’t Believe Strident Calls to Action
Phishing messages often include an urgent call to action, informing the consumer that his or her account has been suspended or compromised by hackers, or that other unpleasant consequences will result from failure to provide confidential information to the phisher. Consumers are often informed that such calls to action are fraudulent, as a legitimate business would never send such critical information via email.
Rule 3: Don’t Click on Suspicious Links
Phishing messages often include suspicious links. Such links may appear to be a URL but actually refer to a different destination URL, may be very long and confusingly encoded, or otherwise difficult to decipher. Knowing that many legitimate emails violate rule 1 by including clickable links, advanced users are told they can differentiate between phishing and legitimate email by examining the links and deciding whether they look legitimate. This is based on the theory that legitimate email will have honestly represented legitimate-looking links.
Rule 4: Only Enter Information on the Expected Site
Consumers are told to look carefully at a domain name and ensure that they are at the right place, a site belonging to the company with which they have a relationship. According to this rule, they should enter credentials that belong to the expected site only after so checking. Phishers normally do not have access to the website of a legitimate company, and therefore it is considered a strong anti-phishing measure to ensure that information is not entered on a potentially spoofed site that does not have the expected site name.
Rule 5: Check for the Lock Icon, and Only Enter Confidential Information Using a Valid SSL Session
Phishers normally ask for confidential information on a web page that has not been secured with SSL, so there is no authentication of the site identity and no guarantee of privacy for the transmitted information. Consumers are told that legitimate sites will always use SSL for confidential information, so checking for the presence of a lock icon will ensure that information is not compromised. On top of the check for the lock icon, a consumer may be asked by the browser to verify that a certificate being used to establish the SSL connection is valid, and should do so when needed.
It’s good to know that the industry also isn’t taking phishing scams lightly. Both updated versions of Internet Explorer and Firefox have strong built-in anti-phishing detection capabilities. If you somehow do land on a phishing website on their blacklist, you will see a big red warning. Please do not take this as a joke!
Another very effective tool to combat phishing scams is a browser feature called URL highlighting. Whenever you visit a webpage, the domain name is highlighted. One of the main deceptions in phishing scams is masked, almost impossible to decipher web addresses. For example, if you expect to be at your bank’s website but the domain being highlighted doesn’t have anything to do with it, then you’ll know something is wrong. Internet Explorer 8 already has this feature built in. For Firefox, simply download and install the LocationBar add-on to utilize the feature.
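The same highlighting logic as an added Python example (not the browser feature’s own code): it pulls the hostname out of an address the way the location bar does, so that decoy subdomains, a user@ prefix or a bank name in the path no longer hide the real site, and compares the result with the domain the user expects (Rule 4 above). The sample addresses are constructed placeholders, and the registrable domain is approximated as the last two labels of the hostname.

```python
from urllib.parse import urlparse

def _with_scheme(url):
    """urlparse only recognises the host part when a scheme is present."""
    return url if "://" in url else "http://" + url

def highlighted_domain(url):
    """The part of the address a highlighting location bar would emphasise:
    the registrable domain, taken here as the last two labels of the hostname.
    Simplification (assumption): multi-label public suffixes such as co.uk are
    not handled; a real browser consults the Public Suffix List for that.
    """
    host = (urlparse(_with_scheme(url)).hostname or "").lower()
    labels = host.split(".")
    if all(label.isdigit() for label in labels):  # bare IP address: show it whole
        return host
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def render(url):
    """Rebuild the address with the highlighted domain in [brackets]; everything
    else (user info, subdomains, path) is the part a phisher fills with decoys."""
    parsed = urlparse(_with_scheme(url))
    host = (parsed.hostname or "").lower()
    domain = highlighted_domain(url)
    userinfo = f"{parsed.username}@" if parsed.username else ""
    prefix = host[: len(host) - len(domain)]
    return f"{parsed.scheme}://{userinfo}{prefix}[{domain}]{parsed.path}"

def on_expected_site(url, expected_domain):
    """Rule 4 check: is the highlighted domain the one the user has a relationship with?"""
    return highlighted_domain(url) == expected_domain.lower()

# Constructed sample addresses (placeholders, not real phishing sites); only the
# first is the genuine bank address, the rest dress up another host as chase.com.
SAMPLE_URLS = [
    "https://www.chase.com/logon",
    "http://www.chase.com.account-verify.example.net/logon",
    "http://www.chase.com@login.example.net/logon",
    "http://login.example.net/www.chase.com/logon",
    "http://192.0.2.10/www.chase.com/logon",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "OK" if on_expected_site(url, "chase.com") else "WRONG SITE"
        print(f"{verdict:10} {render(url)}")
```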
It is of the utmost importance that everyone who wishes to protect their identity and financial information learn something about phishing scams. While they don’t necessarily need to read a whole book about how phishing works, they need to understand that it is a growing threat and that they could be a victim without even knowing it. Education and general awareness are among the best methods of combating this problem because, believe me, phishing emails will not stop anytime soon. With ‘spear-phishing’ scams (phishing emails that actually pretend to be from companies you deal with in real life) on the rise, it is even more imperative that you do not fall for the trick.