A new phishing email (via Trend Micro)that recently emerged claimed that the user’s Bank of America account was accessed by an international IP from an unregistered computer and that their “Foreign IP Spy” detected that breach.

It is asking the user to verify and register his current computer by logging in to the Bank of America website. That link leads to a new window which opens a phishing website that is using a fake address bar. Most users who clicked on that link will surely enter their login information.

This approach is basically appealing to the user to secure his account. That’s tricky and many users will probably fall for this because they believe that thiefs would not ask them to secure their accounts. What they obviously miss is the fact that the added security feature is fake and not existing.

Websites with that fake address bar can be easily identified by right-clicking on that website and selecting properties from the context menu if Internet Explorer is the browser of choice. Firefox users click on Page Info in that right-click menu while Opera users press Alt + Enter or right-click and selected Edit Site Preferences.

The best protection against phishing is to not open any links in emails. Always open the website directly in the browser. If you are insecure call the company and ask if they have send that email to you.

Related posts

• Test The Phishing Protection In Firefox (4)
• Add Hostname To Firefox Titlebar (3)
• When on Digg be careful (2)
• Web of Trust: collaborative online security (7)
• Twitter Account Suspended? Be Careful What You Post (3)

To make this work they have to capture your data on one of their servers. A link is always provided in the email which looks pretty normal, e.g. http://www.ebay.com/. You might know that the html link tag is able to provide a link and a text that is shown instead of the link. Those criminals use this to their advantage showing ebay.com and directing the user to a different location.

Onwards to the tips:

• Phishing only works if you click on a link that leads to a website that looks similar to the one you want to visit. If you do not click a link in the email but enter the url of the company directly in your browser window you are save. This is the best tip to prevent phishing at all. Do not follow email links.
• If you receive an email asking you to call a company compare the phone numbers and use the ones that you know and not the ones mentioned in emails. Social Engineering is a rising threat as well. Most people do not know that phishing can also happen by phone. Check the phone numbers in emails.
• You receive an email stating that you are the highest bidder for a golden ring on eBay or that your phone bill is incredibly high and that you can verify the bill by clicking on the document attached. Use your brain. You know that you are not the highest bidder and that the phone bill can´t be real as well. To check the first type in the url of eBay in your browser, you will see there is no such auction. Call your phone company in the second one and they will verify that this is a phishing attempt.
• Always verify that you are at the right website before entering data. Firefox 2 and Internet Explorer 7 will have anti-phishing tools on board but it is always a good idea to verify this for yourself. Look at the url, is it the right one ? It should normally be a https:// website which can be verified by looking at the yellow padlock in the status bar. If you click it you will see the certificate and you can compare the certificate to the one of the company that you want to visit. (some company’s store the certificate information on their webservers, some don´t, call them and you will receive this information.)

To sum it all up. People like you and me will most likely detect fake websites and act accordingly. Normal users have a hard time identifying those websites and are the main phishing targets. They don´t know about the technical possibilities and simply assume that everything is alright.

Maybe because they are lazy, maybe because they do not want to spend time learning computer stuff. Who knows. Phishing will stop if the majority of users are educated and know how to handle computers.

Related posts

• Realtime Anti-Phishing Add-on for Firefox gone bad (9)
• New Phishing Emails Emerge (1)
• Help the fight against phishing with Phishtank (1)
• Free Phishing Protection with Delphish (1)
• Add Hostname To Firefox Titlebar (3)