Internet users therefor need to know about phishing and how to identify phishing emails from safe emails.

The Login Helper blog has created a phishing flow chart that outlines the process of analyzing an email to determine if it is a phishing email or not.

The flow chart addresses the three biggest email dangers: Attachments, links and social engineering. The chart has been color coded for easier recognition of safe and dangerous elements in emails. All red elements in the flow chart are considered dangerous while blue elements are considered safe.

The chart furthermore provides basic suggestions on how to react when possible dangerous elements are encountered, for attachments it would be to save them locally and check them with a service like Virus total online.

Following the chart leads either to a safe or dangerous rating for the email that is being analyzed.

To make this work they have to capture your data on one of their servers. A link is always provided in the email which looks pretty normal, e.g. http://www.ebay.com/. You might know that the html link tag is able to provide a link and a text that is shown instead of the link. Those criminals use this to their advantage showing ebay.com and directing the user to a different location.

Onwards to the tips:

• Phishing only works if you click on a link that leads to a website that looks similar to the one you want to visit. If you do not click a link in the email but enter the url of the company directly in your browser window you are save. This is the best tip to prevent phishing at all. Do not follow email links.
• If you receive an email asking you to call a company compare the phone numbers and use the ones that you know and not the ones mentioned in emails. Social Engineering is a rising threat as well. Most people do not know that phishing can also happen by phone. Check the phone numbers in emails.
• You receive an email stating that you are the highest bidder for a golden ring on eBay or that your phone bill is incredibly high and that you can verify the bill by clicking on the document attached. Use your brain. You know that you are not the highest bidder and that the phone bill can´t be real as well. To check the first type in the url of eBay in your browser, you will see there is no such auction. Call your phone company in the second one and they will verify that this is a phishing attempt.
• Always verify that you are at the right website before entering data. Firefox 2 and Internet Explorer 7 will have anti-phishing tools on board but it is always a good idea to verify this for yourself. Look at the url, is it the right one ? It should normally be a https:// website which can be verified by looking at the yellow padlock in the status bar. If you click it you will see the certificate and you can compare the certificate to the one of the company that you want to visit. (some company’s store the certificate information on their webservers, some don´t, call them and you will receive this information.)

To sum it all up. People like you and me will most likely detect fake websites and act accordingly. Normal users have a hard time identifying those websites and are the main phishing targets. They don´t know about the technical possibilities and simply assume that everything is alright.

Maybe because they are lazy, maybe because they do not want to spend time learning computer stuff. Who knows. Phishing will stop if the majority of users are educated and know how to handle computers.