website from a bogus? In their paper “Why Phishing Works”, Rachna Dhamija of Harvard University and J.D. Tygar and Marti Hearst of UC Berkeley analyse exactly this question: what makes a bogus website credible? I suggest you read their report to understand how and why even some of the most experienced Web users fail to recognize phishing websites and phishing strategies. The study addresses problems such as lack of computer system knowledge, visual deception (text, graphics and images mimicking browser windows, windows masking underlying windows, perfect copies of a website’s layout, etc.), lack of attention (especially to security indicators) and much more.
To understand how phishing works one should go beyond the Wordspy definition and understand what phishing really is. According to the Anti-Phishing Working Group, “Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.” Creating a replica of a genuine website is just a tool, as are the emails sent to your account to make you click on a link that leads you to the spoof website.
How does this work? Well, if you use any form of online banking or if you are an active eBay merchant, you have probably already read the warnings posted on the genuine websites. At eBay you find these warnings in the Security & Resolution Center. PayPal warns against spoof emails and websites in its Security Center as well. And so does any other genuine website that requires your financial data. But so do the phishing websites!
The clearly displayed disclaimer, security center and privacy policy links are no longer enough to verify the authenticity of a website. The perfect layout and faultless graphics will fool you too! If you ignore the security warnings from your browser you are on the wrong path from the start. Many inexperienced users don’t know where to look for the SSL closed-padlock icon and mistake any such icon drawn inside the page content for the “real thing”; only the padlock shown by the browser itself counts. Please remember: some spoof websites are identical copies of the legitimate websites! Pay attention to the small details. They might mean the difference between a genuine website and a spoof.
So, when you visit a commercial website that requires personal data, make sure it is SSL protected. If you use Firefox, look for that padlock: it is correctly shown in two places, at the right side of the address bar and at the right side of the status bar. If you use Internet Explorer you’ll see that padlock, or an icon that looks like a key, in the status bar. That’s all the warning IE gives you! Not so reliable after all. Firefox gives you two more: a yellow background with the correct HTTPS prefix in the address bar (an indication that the HTTP is sent over SSL/TLS) and the domain name in the status bar.
Now, this is what I do every time I receive an email I classify as “odd”:
I am aware that the “from” field of an email can easily be altered, so I ignore it and don’t take it as an indicator of the email’s true origin.
Links can also be forged, so I avoid clicking on any of them. Instead I open a new browser window and type the URL by hand (no “copy-paste”), and I never type more than the domain name. For example, if I get an email from PayPal I never go to my online account through the link in the email; I just open a new window and type in www.paypal.com. Beware: there are ways to make a URL look genuine, so don’t click on the links! Always go to the original page and start all your actions from there. Here you find some examples of how URLs can be faked.
I never reply to what I consider spoof emails. I report them instead here: Report Phishing
I carefully examine the SSL certificate and any other security warnings even when I believe I am visiting the genuine website (I use Firefox).
I don’t rely too much on visuals, and I always pay attention not to be fooled by deceptive text (also known as “typejacking”, for example pay-pal instead of paypal).
If the email comes from a commercial website I have never heard of, I “google” the domain to see whether it has ever been associated with phishing and whether it is secure, and I carefully check the original website, looking for all the security indicators.
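The link checks described in the steps above (HTTPS present, host really belongs to the expected domain, no typejacking variant of the brand name) can be turned into a small script. The following is an added example written for this article, not code from the article’s author; the expected domain reuses the PayPal example already given, and the sample links are constructed, using the reserved .test top-level domain and a documentation IP address.

```python
from urllib.parse import urlsplit

# The brand domain a user expects to reach (the article's own PayPal example).
EXPECTED_DOMAIN = "paypal.com"

# Constructed sample links of the kind a suspicious e-mail might carry.
SAMPLE_LINKS = [
    "https://www.paypal.com/",                      # genuine, over HTTPS
    "http://www.paypal.com/",                       # genuine host, but no SSL/TLS
    "https://www.paypal.com.example-login.test/",   # brand name buried in a foreign host
    "https://www.pay-pal.test/",                    # typejacking (pay-pal instead of paypal)
    "http://198.51.100.7/login",                    # bare IP address, unrelated to the brand
]


def check_link(url, expected_domain=EXPECTED_DOMAIN):
    """Return a list of warnings for one link.

    An empty list means the link goes to the expected domain (or one of its
    subdomains) over HTTPS.  Anything else is a reason to ignore the link and
    type the domain name by hand instead.
    """
    warnings = []
    parts = urlsplit(url.strip())
    # .hostname is the host the browser will actually connect to, lower-cased,
    # with any port or userinfo already stripped off by the parser.
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]  # "paypal" for "paypal.com"

    if parts.scheme != "https":
        warnings.append("not HTTPS: no SSL/TLS protection for the page")

    # A genuine host is exactly the expected domain or ends with "." + domain.
    # A plain substring test is NOT enough: "paypal.com.something.test" also
    # contains "paypal.com" but belongs to whoever owns "something.test".
    if host == expected or host.endswith("." + expected):
        return warnings

    if expected in host:
        warnings.append(
            "'%s' appears inside the host, but the real domain is %r" % (expected, host)
        )
    elif brand in host.replace("-", ""):
        # Hyphen or other decoration around the brand name: typejacking.
        warnings.append("lookalike host %r (typejacking, e.g. pay-pal for paypal)" % host)
    else:
        warnings.append("host %r is not %s at all" % (host, expected))
    return warnings


def triage(links=SAMPLE_LINKS, expected_domain=EXPECTED_DOMAIN):
    """Map every link to its warning list, so a batch of e-mails can be reviewed."""
    return {url: check_link(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, warnings in triage().items():
        print(url, "->", warnings or ["OK (still safer to type the domain by hand)"])
```

The important design point is the host comparison: the script derives the real host with the URL parser and requires it to be the expected domain or a subdomain of it, rather than merely searching for the brand name somewhere in the link. That is exactly why the article advises typing the domain yourself; a link only needs to contain the familiar words to look genuine.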
This is some basic information to help you stay away from phishers. I hope you’ll never become a victim. Just remember: don’t ever follow links in emails, websites, or ads. Just type in the correct domain name and go on from there. And never “confirm” your data in response to an email that says “the bank X is updating its database”, or “there was a security breach, please confirm your details”, or… or… If you receive such a message and it looks somehow real, better call your bank and ask! Just don’t let phishers fool you!
Mihaela Lica is a professional journalist with more than 10 years’ experience in the field, four of them as a TV journalist. Since 2002 she has worked as an online public relations and media consultant, making all possible efforts to promote quality web content. Visit Pamil Visions for more information.