What is Phishing?
Further to the earlier article with tips on keeping your accounts secure, this post goes into a bit more detail on phishing and anti-phishing measures.
Phishing is an online crime in which a user's identity (account credentials, card details, personal data) is stolen by tricking the user through email, text or phone messages, or fake websites. In a typical scenario, the attackers send the same email to thousands of addresses, dressed up to look as if it comes from a bank: the logo, the layout and the wording all match the real thing. The text is usually designed to alarm you ("someone has accessed your account and we need your authorisation") or to sound routine ("our system was updated, please verify your account settings"). It is accompanied by a link you are asked to click; the link leads to a web page that looks exactly like your bank's login page. This is a bogus site with no connection to the bank other than its appearance. Note that the text shown for the link and the address it actually points to can be completely different, and the fake site may even use HTTPS and a look-alike domain name, so neither a padlock nor a familiar-looking name proves anything.
If you enter your user name and password or any other credentials on that page, they are captured by the attacker, who then logs in to the real account and performs transactions in your name.
Countermeasures & Anti-phishing
- Prevent phishing emails from reaching your inbox in the first place. The major email providers such as Gmail and Yahoo have good phishing filters that divert most of these messages to the spam folder. If you are not using one of these popular services, consider opening an account with one of them.
- Phishing only works if you click the link and then enter your login details. Never click on links in emails that ask you to log in; always type the website address into the browser yourself. If you do hover over a link, remember that the visible text and the real destination shown by the browser can differ. Never click, yes, never click the links in the emails.
- In many cases, in addition to the link or instead of it, there is an attachment. Do not open such attachments, as this is another way of phishing users: the attacker tries to install malicious software on the user's computer, which can then steal credentials directly. Contact the sender by phone before opening an unexpected attachment and open it only after verifying its authenticity.
- Install good anti-virus and anti-malware software and keep it updated.
- Use the latest version of your web browser. Firefox, Chrome and Internet Explorer have built-in detection of phishing sites (I have personally not verified the capabilities of the other browsers). These browsers receive feeds from anti-phishing service providers and email filters (Firefox and Chrome use Google Safe Browsing, Internet Explorer uses SmartScreen), which gives you a clear warning before you actually reach the phishing page.
- Use common sense: if the email talks about an emergency or urgency, or asks for details like user names, passwords, credit card numbers, PINs etc., be suspicious and report it.
- Use anti-phishing toolbars and tools like Web of Trust
- Regularly check your bank accounts and verify the balance and account statements to ensure that the accounts have not been compromised.
You can find another set of tips on the Anti-Phishing Working Group consumer advice page, which can be found here.
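The checks in the list above (does the link text match where the link really goes, does the reply address match the sender, does the message use urgency language or ask for credentials) can be automated for triage. The following Python script is an added example and is not part of the original article or of any tool it mentions; it uses only the standard library, the two sample messages and all domain names in it are constructed, and the two-label "registrable domain" rule is a simplification of what a real tool (which would consult the Public Suffix List) does:

```python
"""Heuristic phishing-email triage (added example).

Parses a raw email, pulls the links out of its HTML body and reports the
tell-tale signs discussed above. No network access is needed.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword patterns are an assumption; a real filter would use a tuned word list.
URGENCY_RE = re.compile(
    r"\b(?:urgent(?:ly)?|immediately|within 24 hours|suspended|unauthori[sz]ed)\b")
CREDENTIALS_RE = re.compile(
    r"\b(?:password|pin|card number|login details|verify your account)\b")
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'owner' domain: the last two labels (assumption; no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the first address in a From:/Reply-To: header, or ''."""
    match = re.search(r"@([\w.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else ""


def analyze(raw_message):
    """Return (score, findings) for a raw email; a higher score is more suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = address_domain(msg["From"])
    reply_to = address_domain(msg["Reply-To"])
    if reply_to and registrable_domain(reply_to) != registrable_domain(sender):
        findings.append(f"Reply-To domain {reply_to} differs from sender {sender}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(text)
    for href, visible in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if not host:            # relative links, mailto: etc. carry no host to check
            continue
        if IPV4_RE.fullmatch(host):
            findings.append(f"link points at a raw IP address: {href}")
        if "@" in target.netloc:
            findings.append(f"link hides its real host behind userinfo: {href}")
        if LOOKS_LIKE_URL.fullmatch(visible):
            shown = urlparse(visible if "://" in visible else "http://" + visible).hostname
            if shown and registrable_domain(shown) != registrable_domain(host):
                findings.append(f"link text shows {shown} but goes to {host}")
        if sender and registrable_domain(host) != registrable_domain(sender):
            findings.append(f"link to {host} does not match sender domain {sender}")

    scan_text = f"{msg['Subject'] or ''}\n{text}".lower()
    if URGENCY_RE.search(scan_text):
        findings.append("urgency language")
    if CREDENTIALS_RE.search(scan_text):
        findings.append("asks for credentials or account verification")
    return len(findings), findings


# Constructed sample messages; every domain below is made up for this example.
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-secure.net>
Reply-To: recovery@mailbox-reset.example
To: customer@example.org
Subject: Unauthorised access detected - act immediately
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone has accessed your account. Your card will be suspended within 24 hours
unless you verify your account details.</p>
<p><a href="http://examplebank.com.verify-login.example/secure">https://www.examplebank.com/login</a></p>
</body></html>
"""

LEGIT = """\
From: "Example Bank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement for March is available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">View statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("legit", LEGIT)):
        score, findings = analyze(sample)
        print(f"{name}: score {score}")
        for finding in findings:
            print("  -", finding)
```

The constructed phishing sample trips five checks (mismatched Reply-To, link text pointing at one domain while the href goes to another, a link domain that does not match the sender, urgency wording and a request to verify account details); the legitimate statement notice trips none. The score is only a triage aid: a genuine bank email sent from a marketing domain would also score on the sender check, which is exactly why the advice above is to type the address yourself rather than rely on any single signal.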
Anti-Phishing Tools you may use
Most anti-virus software includes phishing filters and protects against websites that are potentially malicious. A number of browser plug-ins provide anti-phishing and safe-browsing capabilities. A list of Firefox browser extensions with anti-phishing capabilities can be found here.
A Wikipedia list of anti-phishing software can be found here. An interesting study of various anti-phishing toolbars, "Phinding Phish: Evaluating Anti-Phishing Tools" (NDSS 2007) by Yue Zhang, Serge Egelman, Lorrie Cranor and Jason Hong of Carnegie Mellon University, can be found here.
The Login Helper blog has a useful flowchart developed to help people decide whether the email is a phishing email or a normal one.
The best tool is the human brain; as long as we use common sense, that is the best anti-phishing tool there is.