Phishing refers to the technique used by criminals to “fish” for personal information by sending e-mails that pose as official correspondence.
Wikipedia describes it as “In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.”
I am sure that many of you have received official-looking emails from eBay, PayPal or your online bank, and some of you may have inadvertently clicked on a link in such an email or responded to it. This posting was prompted by the most recent phishing attempt – an email from email@example.com sent to some Wesleyan users on Feb 26, 2008 asking them to respond with their password. As soon as we found out about this, we took the necessary actions, such as blocking further emails from the computer that was sending these messages and informing our users not to respond to it.
There are excellent resources that provide advice on how to avoid phishing attacks and we provide links to a few of them below. Please take a few minutes to read them.
- How to Avoid Phishing Scams from the Anti Phishing Working Group
- Anti-Phishing Phil From CMU
- Recognizing phishing scams and fraudulent e-mails
If you receive any email that requests personal information such as a password, credit card number or bank account number, treat it with suspicion and DO NOT RESPOND TO IT IMMEDIATELY. Please note that ITS and most financial institutions will never request that personal information be sent over email. Consult your financial institution or ITS on the legitimacy of such an email – almost always, the answer is going to be “delete it”.
Basically, all of them advise you to:
- Be suspicious of any email that asks for your personal information.
- Avoid clicking on links in these emails (instead, open a web browser and navigate to your financial institution’s website directly). Some of the sites these links lead to can cause such lasting damage to your system that you may have to reinstall the operating system from scratch.
- Always make sure that any website where you provide personal information shows a security lock.
So, how are the hackers able to do this?
- The first step is for them to collect millions of email addresses. Unfortunately, this is fairly easy to do, and many e-mail address harvesting programs exist for the job.
- Then they simply steal the graphics and text styles used by the institution that they are trying to fake, so that the email looks legitimate.
- The final step is to make the emails look as if they are coming from a legitimate email address. You might wonder how someone not associated with Wesleyan can send an e-mail that appears to come from a valid Wesleyan email address. The answer is that this is fairly easy to do, though in recent years the technology is making it harder.
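Mail servers and filtering tools catch many of these forgeries by comparing the address shown in the From line with the envelope sender, reading the sender-authentication results that receiving servers now record (the technology the post alludes to; assumed here to be SPF/DKIM results written into an Authentication-Results header), and inspecting links whose visible text differs from where they actually point. The following Python script is an added example, not code from the original ITS post; the two sample messages, the domains and the header values in it are constructed for illustration.

```python
"""Heuristic checks for forged or deceptive e-mail, run over a raw message.

Added example. It assumes the receiving mail server has already recorded
SPF/DKIM results in an Authentication-Results header (an assumption; the
post itself names no specific mechanism). Sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a forged "help desk" message whose envelope sender and
# SPF result do not match the displayed From address, and whose link text
# shows one site while the href points to another.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mailer-hosting.invalid>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mailer-hosting.invalid; dkim=none
From: "ITS Help Desk" <its@example.edu>
To: user@example.edu
Subject: Urgent: verify your account password
Content-Type: text/html

<html><body>
<p>Your mailbox will be closed unless you confirm your password today.</p>
<p><a href="http://account-verify.invalid/login">https://its.example.edu/login</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice with consistent sender data.
CLEAN_MESSAGE = """\
Return-Path: <its@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass
From: "ITS Help Desk" <its@example.edu>
To: user@example.edu
Subject: Scheduled maintenance this weekend
Content-Type: text/plain

The mail system will be unavailable Saturday 02:00-04:00 for maintenance.
No action is required on your part.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Displayed From domain versus the envelope sender the server saw.
    from_domain = domain_of(msg["From"])
    return_domain = domain_of(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        findings.append(f"envelope sender domain {return_domain!r} differs "
                        f"from From domain {from_domain!r}")

    # 2. Sender-authentication verdicts recorded by the receiving server.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed: "
                        + auth.split(";", 1)[-1].strip())

    # 3. Requests for credentials or financial details in the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if re.search(r"\b(password|credit card|account number)\b", text, re.I):
        findings.append("message asks for credentials or financial details")

    # 4. Links whose visible text names a different host than the target,
    #    or that do not use https (the "security lock" advice above).
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            target = urlparse(href)
            shown_host = urlparse(visible).hostname if "://" in visible else None
            if shown_host and shown_host != (target.hostname or ""):
                findings.append(f"link text shows {shown_host!r} but points "
                                f"to {target.hostname!r}")
            if target.scheme != "https":
                findings.append(f"link to {target.hostname!r} is not https")
    return findings


if __name__ == "__main__":
    for name, raw in (("forged", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw) or ["no findings"])
```

None of these checks is proof on its own: a legitimate bulk mailer can produce a Return-Path on another domain, and a forger can register a domain that passes SPF for itself. The value is in combining them, which is why the post's advice to verify out of band with ITS or the institution still stands.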