Phishing is an attack form that is usually carried out by email. The term phishing is made up of the two words password and fishing, which describes the basic concept. Attackers try to convince the user that the email has been sent by a trusted organization. Most phishing emails imitate messages from financial organizations like PayPal or banks, but other services, such as social networking sites like Facebook or MySpace, are also targeted by phishers.
Links in those emails lead to fake websites that look like the original website. The only purpose of those fake websites is to capture the login data of users who do not realize that the fake website is not the real one.
Web browsers and security software usually offer built-in phishing protection. These rely heavily on user submissions, which means that they protect well against known phishing sites and attacks but often fail when new phishing attacks emerge.
That is why computer users need to be able to identify phishing attacks themselves. It is thankfully not that difficult to identify them if the following basic rule set is followed:
1. Never click on links in emails. Phishing attacks make use of links to lure users to the fake websites. It is usually not a problem to enter the URL manually to visit the site.
2. When in doubt, do not react or contact support. There are two options when in doubt whether an email is legit. Option one is to not react at all and archive the message, while option two is to visit the website or service manually and contact its support to find out if the email is legit.
3. Do not open attachments. Email attachments are another form of phishing. Many attackers try to sneak malicious software onto the user's computer system this way. Contact the sender first (not by replying to that email but by other means). Only open the attachment if its authenticity has been verified this way.
4. Do not use information in questionable emails, e.g. phone numbers or other means of contacting the service or organization, as those can be fake as well.
Advanced Phishing Tips
- Email addresses can be faked easily. Attackers can basically use any email address in the world to send out their emails. This means that even if the email address looks legit it might be fake.
- Links are made up of an anchor and the link target. The anchor is the text that is shown in the email, while the real target is only shown in the status bar of the email client or browser. Never assume that a link is legit because the anchor text names the right website. Always check the real link, either by moving the mouse over it and looking at the status bar or by right-clicking the link and selecting properties.
- Make sure to double-check URLs before typing in any personal information, including login information. Make sure the website uses authentication (usually shown as https in the address bar) and look for a closed padlock icon in the web browser's status bar. This is an indication of a legit site.
- Phishing emails usually do not address the recipient by name. They are also often written in a language other than the one the service normally uses with the recipient.
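As an added example (not from the original article) of the anchor-versus-target check described above, the following Python script parses a constructed HTML email body and flags links whose visible text names one domain while the real href points to another. The sample email and the `paypal.com.login-verify.example` host are made-up values; the base-domain comparison uses the last two labels as a simplification and does not consult a public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A domain-looking token inside anchor text, e.g. "www.paypal.com/account"
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def base_domain(host):
    """Reduce a hostname to its last two labels (simplified, no suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def deceptive_links(html):
    """Return (anchor text, href) pairs where the text names one domain
    but the real target belongs to a different one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = DOMAIN_RE.search(text)
        real = urlparse(href).hostname
        # Anchors like "Unsubscribe" name no domain and cannot mislead this way.
        if shown and real and base_domain(shown.group(1)) != base_domain(real):
            findings.append((text, href))
    return findings


# Constructed sample: one deceptive link, one honest link, one plain anchor.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://paypal.com.login-verify.example/">
www.paypal.com/account</a> to confirm your details.</p>
<p>Or visit <a href="https://www.paypal.com/help">paypal.com</a>.</p>
<p><a href="https://mail.example.com/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL):
        print(f"anchor shows {text!r} but really points to {href!r}")
```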
Further helpful links: