Community SeniorMod

 

Phishing (pronounced “fishing”) is a social engineering technique in which an attacker contacts individuals or businesses in an attempt to obtain information such as credit card numbers, bank account passwords, and other details.

 

The information acquired is usually used to commit identity theft or financial fraud. The messages appear to be legitimate and are delivered by electronic communication in the form of e-mail and text messages. These messages can be sent to a general audience or can target a specific person. The message can look as if it has been sent by a trustworthy source such as a bank that you do business with regularly, tech support departments, a credit card company, a Human Resources Department, or from friends on social networking sites. An example of this is a recent email distributed as a LogMeIn Security Update.

[Image: PhishingSSL-certificate-email-from-LogMeIn_9.22.14.png]

 

In the case of a specific target, the attacker is usually already aware of the name, address, and other credentials of the victim. This is called Spear Phishing. In both general Phishing and Spear Phishing, the phish may either be in the message itself, or the message will request that the victim click on an attachment or a link contained within the body of the correspondence, as in the example above.

 

Similar to Spear Phishing is Whaling. This form of Phishing is used to target upper-level corporate management in an attempt to obtain restricted internal information. As in Spear Phishing, the attacker is familiar with the target.

 

Vishing, a combination of "voice" and phishing, also called "VoIP phishing," is the voice counterpart to phishing. Instead of directing the user to a Web site, an e-mail message asks the user to make a telephone call. Criminals also set up an automated dialing system to call people in a particular region or area code. This technique uses forged area codes and the names of financial institutions, organizations, or businesses.

 

Smishing uses SMS texts to a mobile phone to initiate the scam. If a victim logs onto one of the fake websites with a smartphone, they could also end up downloading malicious code that could give criminals access to anything on the phone.

 

 


 

What to Look For


* Is your name missing, or does the message appear to be sent as a generic mass mailing?

 

* Is the message requesting personal information?


* Phishers are getting better at writing realistic copies of legitimate-looking business correspondence. However, does the message contain typos or grammatical errors?


* Is the URL in an email’s link suspicious?  When rolling your mouse over a link and looking at the bottom left corner of the email client's window, is the actual address represented in the link where you really intend to go?

 

* Does the message convey a sense of urgency, threats, warnings, or alerts? Example: “There is a problem with your account. Click this link to re-activate your locked account.”

 

 

How to Protect Yourself


* Do not respond to unsolicited e-mails, texts, or phone calls.


* Keep a regular check on accounts, and use a different password for each account. Using a Password Manager is a good idea.

 

* If you are suspicious about a request made of you, go straight to the official website of the company in question (not the link provided in the email), to log into the account – or call them. If you want to go to a business website, type its URL directly into your browser’s address bar.

 

* Make sure any web site requesting personal information is secure. Look at the browser address bar to see that the URL (link) begins with "https". The "s" stands for secure; information entered is encrypted. If “https” does not show, it is not a secure site. Do not proceed. Keep in mind that "https" only means the connection is encrypted; it does not by itself prove that the site belongs to the company it claims to be. As an alternative, right-click on the link, select Copy, and paste the URL's text into a blank notepad so you can analyze the link further.

The following are websites that will scan links:

* AVG LinkScanner® Drop Zone Online Scanner
* LinkScanner
* F-Secure Browsing Protection
* Norton Safe Web
* PhishTank

 

Use good defense. Protect your email by making sure anti-virus software, firewalls, and email spam filters are up to date. Review your credit card and bank account statements regularly so that you can quickly notice illegal activity on your accounts. Check with your credit card companies to see what type of credit card theft protection is available.

 

Finally, if you receive spam that is phishing for information, send it to spam@uce.gov and to the company, bank, or organization impersonated in the phishing email. If a local business is mentioned, notifying your local law enforcement is advisable. Most organizations have information on their websites regarding how and where to report issues. If you believe you've been scammed, file a complaint at ftc.gov, and visit the FTC's Identity Theft website at www.consumer.gov/idtheft.  In addition, there are online groups with forums for reporting and discussing phish attempts.

 

 
