How good are your phish-detecting skills?

Jul 21, 2007 12:42 GMT

It has been a while now since phishing became the trendiest online threat. Although measures have been taken against this type of scam, there are still plenty of victims out there. The bad part is that the victim cannot blame anyone but him/herself for the theft. Authorities are doing their best to catch the perpetrators and reduce the number of attacks, but in the end it all comes down to the users' observation skills.

For a better understanding of the phishing phenomenon, think of it as street mugging moved to the digital world. The difference is that on the street the victim is followed around until the right moment to take their money comes. With phishing the attackers simply create a replica of your bank's website or even your web mail (in the most fortunate cases it isn't a good one at all) and wait for you to fall into the trap.

The victim is led to the trap via email. The email generally claims that the information you provided must be updated for some reason. It will seem legitimate enough that the victim will follow the link to the trap. Once all the forms have been completed and sent, the scam is complete: all the data goes to the attacker, who can log in with your details and make financial transfers to any account.

Today's technology can actually protect you quite successfully against phishing attacks. Web browsers have strengthened their ability to detect phishing web sites. Firefox and Opera are highly reliable in this sense and, unlike version 6, IE7 makes a good companion in detecting fake websites. But regardless of their abilities, these are not 100% reliable (it is impossible, given the rate at which new phishing sites appear). So in the end it all depends on your observation skills in separating the fake from the authentic.

What can you do?

As attackers send emails with links to the spoof websites, you should always check their validity. First of all, take a look at the link. If your bank were to send you a message, it would not obfuscate any links. But don't be fooled by appearances: copy the link's target address into a text editor for analysis. Or, if that's too much of an effort, simply click on it and analyze the address directly in your web browser's address bar.

Crude phishing scams will provide a link that does not resemble the authentic page's address at all (a different domain or sub-domain, or simply an IP address). More elaborate hoaxes will make the address almost exactly like the original, but some of the letters will be mixed up (the huamn mnid raeds the etnire wrod, not ltteer by ltteer). In this case, your attention should be directed to other clues found in the page.
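The link checks described above can be mechanised. The following is an added Python example, not code from the article; it assumes a placeholder bank domain of examplebank.com and flags a bare IP address host, an address with the bank's name buried in some other domain, the bank's name with two adjacent letters swapped, or an unrelated domain.

```python
import ipaddress
from urllib.parse import urlparse

# Placeholder for the bank's real domain (assumption for this example).
EXPECTED_DOMAIN = "examplebank.com"


def _is_ip(host: str) -> bool:
    """True when the host part of the link is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _adjacent_swap(label: str, target: str) -> bool:
    """True when label equals target with exactly one adjacent pair swapped."""
    if len(label) != len(target) or label == target:
        return False
    diff = [i for i, (a, b) in enumerate(zip(label, target)) if a != b]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and label[diff[0]] == target[diff[1]]
            and label[diff[1]] == target[diff[0]])


def classify_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Compare a link's host with the expected domain.

    Returns "ok", "ip-address", "transposed-letters", "brand-misplaced",
    "different-domain" or "malformed".
    """
    if "://" not in url:            # tolerate links pasted without a scheme
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "malformed"
    if host == expected or host.endswith("." + expected):
        return "ok"                 # genuine domain or one of its sub-domains
    if _is_ip(host):
        return "ip-address"
    exp_name, exp_tld = expected.rsplit(".", 1)
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] == exp_tld and _adjacent_swap(labels[-2], exp_name):
        return "transposed-letters"  # e.g. exmaplebank.com
    if exp_name in host:
        return "brand-misplaced"     # bank's name inside an unrelated domain
    return "different-domain"
```

Running classify_link over the links in a suspicious email gives a verdict per link; anything other than "ok" deserves the closer look the article recommends.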

From what I have seen, the attackers are not that well educated (no time for school with all the phishing and money spending) and more often than not they'll make a mistake which can be detected by a keen eye. Most phishing sites are filled with spelling mistakes and grammatical errors. And duplicating the bank's or financial service's logo is not always a success.

Grammar and spelling mistakes are also common on fake websites. So reading all the sections of the page could help you discover whether the page is legitimate or not.

Another way to identify a phishing website is to take a look at the fields that need to be filled in. Do they include some information the bank told you that you would never be asked to reveal? PINs, for instance, should not be revealed under any circumstance. Even though the company that issues them can change them at will, it cannot look up your current PIN. Plus, they gave it to you in a sealed envelope for a reason.

The more elaborate scams include sophisticated replicas of the original, complete with graphics from the authentic website and pop-ups. They can even display toll-free phone numbers to call for information. Do you think it is a legitimate clerk at the other end? In this case, it is better to take a look at the fields you have to fill in. Could someone take your identity if s/he had that information?

The conclusion is that you should know better than to send your personal information via email. I have never heard of a company asking you to send your social security number, mother's maiden name or credit card information in an email.

In order to test your skills in detecting a phish, I have selected four tests for you. I encountered them on the Internet and even if some of them are older, they still provide good verification of your attention. The email tests are extremely mischievous and I have to admit that I have failed quite a few of them.

For all the tests you will be given the answers. Don't worry if you're not too good at some of them. This should only improve the acuteness of your observation skills and make you more careful with giving away sensitive information.
