A phisher having a go at phishing

What you need to know about phishing

Internet crimes have been around nearly as long as the Internet has. They pose major threats to banking, commerce, and our political system.

Have you ever wondered how it started?

In 1986, California astronomer Clifford Stoll was tasked with resolving a $0.75 accounting discrepancy in one of the lab’s time-shared computers. Stoll traced the discrepancy to an unlicensed computer user who had apparently been broken into computers—including military computers—all over the country.

The technical trespasser turned out to be a German national working for Soviet Russia. The hacker’s method of gaining access to these supposedly secure mainframe computers was by installing a “Trojan horse” routine into the log-in program and steal usernames and passwords.

Today we call this “phishing” and it’s a huge issue both for individual users and larger corporations.

How phishing works

Phishing can come in several forms from targeting specific users to cloning entire websites with the hopes of snagging crucial user data from any unwary users logging in.

Many phishing techniques involve falsifying emails from trusted sources such as a bank or sales vendor with the hopes of tricking users into clicking links which would lead to a website which would automatically infect the visiting computer. The goal is to steal information or to trick the user into downloading a file, such as a false PDF or zipped file, with the intent to install invasive malware.

Most of the techniques rely on fairly basic manipulation of link addresses, domain name spoofing, and Java scripts. The good news is that there are ways to defend yourself from online criminals who would steal your personal information or worse.

How to defend you and your company

Be observant

If receiving an unexpected email from a trusted vendor, does it address you by your name or with a more generic “Dear valued customer”? Most legitimate sites will address you by name—information that is not yet readily available to the phisher.

Additionally, a legitimate email from a bank or utility may include the last few digits of your account. Always check to make sure these numbers are accurate. If not, delete.

Does the link an email is asking you to click go to where it is supposed to? Move the mouse over the link and look at the bottom of your web browser. Does it direct to the actual site you intend to visit? Is it within your home country? Is it spelled correctly? Look carefully.

For example, it can be very easy to mistake PayPal.com with PeyPol.co.

Be cautious

Do not download any attachment sent to you unless you were expecting it or it comes from an absolutely trusted source.

Consider setting your email software for displaying text only as a default. Some images can hide links or scripts that could be harmful.

Additionally, use augmented passwords when setting up your website security, including user-selected image verification.

Take advantage of the tools available

Use a spam filter. Many can identify phishing emails before they arrive in your inbox. Check with your ISP to see what additional tools they may have available.

Keep your web browser and system software up to date—especially those updates that feature security patches.

Use a two-step verification process both for your outside and inside accounts whenever possible. Most banks have this option now. Companies such as Facebook and Google also allow for smartphone verification to double your security.

In the end, your security comes down to you. While it’s true that the technology used by criminals is always changing, it is also always changing and improving in the fight against phishing and other cyber crimes.

Be watchful. Stay vigilant. You’ll be thankful, and your customers will thank you for it.