Information Security

Phishing

Attention:

Your credit card account with Nonexistent Bank contains outdated information. Please fill out the update form on our website at:

http://www.your-credit-card-company.com/?d34-asdf-sfdhba

Thank you,

John Doe
Account Manager
Nonexistent Bank


How many of you would believe what I wrote above and would click on the link? Be honest. If you did click on it, were you surprised to see that the link doesn’t go where the text says? If you decided this was a scam, what gave it away?

Believe it or not, hundreds of millions of dollars are stolen every year because people are not aware that these emails are scams. In the information security realm, emails that impersonate a legitimate business and ask the user for information are called “phishing” emails. By reading this, I hope you will be more aware and better prepared to deal with phishing.

What is phishing? The Anti-Phishing Working Group has a good description:

"Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites..."

Most phishing emails pretend to be from financial institutions (scammers like money). Some of the businesses that have been impersonated by phishers include Bank of America, Bank of the West, eBay, and PayPal.

Here is an example of phishing using eBay:

When we see this email, we need to figure out if it is legitimate or not. How do we do that? Let’s start with the basics:

Rule 1: No legitimate business will request your personal information, especially by email (which is not secure). Trust me. They already have it.

Rule 2: If there are typos, odd graphics, or lines of nonsense, then it is most likely a phishing email. Businesses pay big money to have PR departments that make sure every communication is perfect.

Rule 3: Check the links in the email WITHOUT clicking on them. To do this, point your mouse cursor at a link, but do not click on it. In a few seconds, a box will appear that shows what the real link is (at least it does in Outlook). For those who use webmail (and possibly other email clients), you can right-click on a link and select properties. The Address field will show the real link. If the links don’t match or the real links look like garbage, it’s probably phishing. Here’s what you would see with the link at the top:

The real link goes to Park’s homepage, not to the credit card company. Try it for yourself with the phishing email at the top of this article (you'll need to right-click and select Properties to see it).
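Rule 3 can also be applied automatically to an HTML email body, which is how a mail filter or awareness tool would catch the trick the article describes. The script below is an added example, not code from the article or from Park University. The message it checks is constructed for the demonstration: it mirrors the article's opening email, with visible link text naming the credit card company while the href actually points at Park's homepage, plus one link with plain-word text and one consistent link to show that neither of those is flagged. The `registered_domain` helper simply keeps the last two labels of a hostname, which is enough here but would need a public-suffix list in real use.

```python
"""Flag links whose visible text claims one domain while the href goes to
another. Added example for Rule 3 above; not from the original article."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not from the article). It mirrors the article's
# opening message: the visible text names the card company, while the href
# points at Park's homepage, as the article says its own link does. The
# second link is ordinary words and the third is consistent, so neither
# should be flagged.
SAMPLE_HTML = """
<p>Your credit card account contains outdated information.
Please fill out the update form at
<a href="http://www.park.edu/">http://www.your-credit-card-company.com/?d34-asdf-sfdhba</a>
or read <a href="https://www.example.com/help">our help page</a>.
Existing customers can sign in at
<a href="https://www.example.com/login">www.example.com</a>.</p>
"""

# Something that looks like a hostname: labels separated by dots, ending in
# an alphabetic top-level label of two or more characters.
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (www.park.edu -> park.edu).

    Sufficient for this demonstration; a production checker would use a
    public-suffix list so that e.g. bank.co.uk is not reduced to co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def claimed_host(text: str) -> str | None:
    """Hostname the visible link text claims, or None when the text is
    ordinary words ("our help page") that make no such claim."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if HOSTNAME_RE.fullmatch(host) else None


def find_mismatched_links(html: str) -> list[dict]:
    """Rule 3 as code: report links whose shown domain != real domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = claimed_host(text)
        if shown is None:
            continue  # no domain claim in the text, nothing to compare
        actual = urlparse(href).hostname or ""
        if registered_domain(shown) != registered_domain(actual):
            findings.append({
                "shown": text,
                "actual": href,
                "shown_domain": registered_domain(shown),
                "actual_domain": registered_domain(actual),
            })
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"MISMATCH: text says {f['shown_domain']}, "
              f"link really goes to {f['actual_domain']}")
```

Run on the sample, the script reports exactly one mismatch: the text claims `your-credit-card-company.com` while the link goes to `park.edu`. Comparing registered domains rather than full hostnames avoids flagging harmless cases such as text reading `example.com` for a link to `www.example.com`.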

Rule 4: If you still feel that this email is legitimate, contact the business yourself (without using any information from the email). If you know their website address, type it in by hand. Otherwise, give the company a phone call. This way, you know that you have the business and not a con artist.

If you do receive phishing emails, you can report them just like normal spam (an email was sent to all users explaining this earlier this year) and our email administrators will do their best to block them. You can learn more about phishing and the Anti-Phishing Working Group at http://www.antiphishing.org.