Phishing Explained

Martin Brinkmann
Jan 25, 2006
Updated • Mar 14, 2014

Phishing, a construct of the words Password and Fishing, is becoming more and more common on the Internet.

Many Internet users receive mails every day that look as if they come from legitimate companies and services such as eBay or PayPal, or from financial sites like Citibank.

These emails look authentic and direct you to a website that looks like a copy of the original site. They "phish" your login data or credit card information when you enter it on the fake website. By the way, phish in this context means steal.

Once the data has been recorded, which happens when you sign in or enter it into forms on the site, the attackers can use it for all kinds of activities: locking you out of your own account, abusing the account to send spam messages, withdrawing funds, or other criminal activities.

The following article can be used as a guideline to distinguish between official mails and phishing mails. It explains phishing in detail and has tips at the end as well. Before we start, why not take a phishing test and see if you can distinguish between legit mails and fake ones?

The mail

Most phishing attempts start with emails being sent to your account. They look real at first glance, they appear to be sent from an official email address, and they look like official mails most of the time.

Contents may differ. Some may ask you to update account information, verify that the email address belongs to the account, provide financial information or other personal data such as your Social Security Number, or require you to open a document or file on your computer.

What you need to know is the following:

  1. Every email address can be faked.
  2. Every email can be created to look like an official email.
  3. Every website can be designed to look like the original.

There are, however, hints that point you in the right direction when you have to decide whether the email you just received is legit or not.

It's easy enough to decide if you are not a customer of the website or institute: trash and forget in that case. It's also easy if you receive an email in a foreign language (and you have no contact with that institute in that country): trash and forget as well. Take a look at the To: header. Is that your real email address and name? If not, trash and forget as well.

Other indicators are if the email does not address you by name, if it contains improper formatting, or spelling or grammar mistakes.

But what if you are a customer?

One indicator that an email may be a phishing email is if you are not addressed by your full name.

Phishing emails often contain one or multiple links to fake websites, mostly to a site with form fields that prompt you to enter information about yourself and financial data or login data.

Note that some spammers mix legit and fake links in emails to throw you off balance. It is necessary to go through all links to make sure they are all legit.

Let's take a look at an eBay phishing mail.

ebay phishing email thumbnail

It looks legit, comes from an official eBay address and has some nifty eBay logos in it. It also seems to point to the official website starting with https://signin.ebay.com/..

The trick is that this is only the link text, not the link itself. If you move your mouse over the link, you will see the link address instead of the link text. The link address is shown in the status bar of the mail program. It leads to http://200.41.5.40:780/.. which is not an official eBay site at all.

Results:

  1. Link text and link point to different websites, and no company would link to an IP address.
  2. The original link is https and the fake one is http. No sign-in page ever uses only http, at least not those of eBay and financial sites.
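The two results above can be checked mechanically. The following is an added example, not part of the original article: it goes beyond the single link and scans every anchor in an HTML mail body for the three warning signs (IP-address target, link text naming a different host, https text on an http link). The names `LinkCollector`, `is_ip` and `check_links` are illustrative.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # remember the real target, start collecting the visible text
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html_body):
    """Return (href, reasons) for every link that shows one of the warning signs."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        try:
            target, shown = urlsplit(href), urlsplit(text)
        except ValueError:  # unparseable URL: report it rather than skip it
            findings.append((href, ["malformed URL"]))
            continue
        host, reasons = target.hostname or "", []
        if is_ip(host):
            reasons.append("href points to a bare IP address")
        if shown.scheme in ("http", "https") and shown.hostname not in (None, host):
            reasons.append("link text shows a different host than the href")
        if shown.scheme == "https" and target.scheme == "http":
            reasons.append("link text says https, href is plain http")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample built from the article's example link (paths omitted).
SAMPLE = '<a href="http://200.41.5.40:780/">https://signin.ebay.com/</a>'
```

Calling `check_links(SAMPLE)` reports all three reasons for the one link. Legitimate newsletters that route links through click-tracking hosts also trigger the host-mismatch check, so a finding is a reason to inspect the link, not a verdict.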

Let's take a look at the site that the link points to:

ebay fake website phishing

If you look at the address bar, you see that you are not on an official eBay site. You also see that it's again an http and not an https site. I suppose the site will redirect you to the official site once you enter your login data.

If you take a look at the official site and the login screen, you see differences:

ebay fake website phishing

First, it's an https site, second, it's an ebay.com site, and third, it looks different than the phishing mail. You can distinguish between fake and real by simply looking at those elements.

Please be aware that it is not always as easy as in this example. Phishers have begun to use cross-frame phishing to mix official site content with fake site content. A good example of this can be found on the netcraft.com site.

Tips:

  1. If you are not a customer of the site, delete the email immediately. Don't click on the link, reply, or execute any files that may be attached to it.
  2. If you are not addressed by name, it is likely a phishing email.
  3. If you are a customer and you are not sure if the email is legit, do one of the following:
     a. Contact the institute by phone or use a contact on the official website (do not use the email link, of course) and ask if the mail is official.
     b. Instead of using the link provided, open the website by typing in the official address. The site should have news about the email on its start page (most of the time). If not, use 3a to verify the email.

There are some anti-phishing toolbars and plugins available, but I never needed to use one because all phishing emails are more or less obviously fake if you analyze them.

Update: Most web browsers come with anti-phishing modules nowadays. They do however only protect you against known threats, not threats that have not been discovered yet.
