Phishing and pharming 101: Protect your identity


Phishing and pharming use a variety of nefarious methods and are a consistent problem that threatens everyone with identity theft. If you recognize what these methods are and how malicious users employ them, you can keep yourself and your users from becoming victims.

A quick review

Phishing involves sending an e-mail that claims to be from a legitimate business in an attempt to scam the user into surrendering private information. Pharming pursues the same goals with a different method: malicious users employ spyware, keyloggers, domain spoofing, domain hijacking, or domain cache poisoning to obtain personal or private (usually financial) information.

To put it bluntly, criminals try to steal your identity by getting you to divulge financial data such as credit card numbers, account usernames, passwords, and social security numbers. They sell this information, and it then becomes an identity theft crime.

Recognize the methods

The primary method for this crime is to send e-mails that look like valid correspondence coming from a bank asking users to click the link provided and log into their account for some type of important information. But your bank and other institutions where you do business don't work this way. They may send you an e-mail and ask you to review or verify information. However, they don't send links to a Web site. You already do business with them, and they know you don't need the link to the Web site.

If you click that link, one of two things is going to occur. It could download spyware onto your computer, which will then capture your personal information and send it to the criminals. Or, the link will direct you to a Web site that looks and feels like the site you expected -- but it's actually just a front to collect your login information to help the criminals harvest your personal information.

Fight back

To protect yourself and your users against phishing and pharming schemes, here are four rules to live by:

  • Rule 1: Stop clicking links in e-mails that direct you to your bank or a financial institution. Stop filling out forms sent to you by your bank or financial institution. If you want to visit the site to see if you need to confirm/update/verify your account, open up a browser and type the link or retrieve it from your favorites.
  • Rule 2: If you suspect an e-mail is part of a phishing scheme, report it. Report it to the financial institution, the FTC, and the Internet Crime Complaint Center.
  • Rule 3: Update your browser, your antivirus software, and any other security software. The latest versions of such software have phishing filters that detect attempts and warn you if they suspect you've surfed to a site that isn't legitimate.
  • Rule 4: Stop using public computers to access private information. Internet kiosks at hotels and other businesses are convenient but often have Trojans and keyloggers installed that collect and transmit your information to the criminals. Access personal and financial information only from a computer you trust to be free from these evils.

Final thoughts

Criminals have learned that they don't need to pull a gun on you to get your wallet or purse. They're using the Internet to steal everything in your accounts -- and your good credit too. Take a few simple steps to stop them, and don't become an identity theft statistic.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

9 comments
noeldi

If you are presented with any kind of login form for your account of ebay, paypal, e-banking etc. (and you did not type in the URL manually or use a bookmark) just enter some crap like "asdfqwer l?kjpoiu". This instantly shows you whether it is a valid login-form. And it fills the database of the phisher with some crap data. ;-)

derrickserver

Hullo Mike! Thanks for this good advice. I think the financial institutions and online businesses should improve on the information they give to their customers. For example, banks will be sending their customers loan offers, high interests on savings accounts, sales etc. And they go ahead to advise their customers to even visit their website, with no warning of such situation of links. I am only requesting you learned personnel in this discipline who care for the community to educate more financial institutions and online businesses to educate their customers, in a way that on every HARD COPY of offer sent to a customer a reminder is put in BOLD OR RED in colour. Esther Student

bill757

It was Greatly needed Info for many! But I feel that the picture of the person used above this Article would be the perfect Anti-Computer Fraud Poster Picture! I mean really, would you Trust that face?? It is perfect! And Please don't take me wrong, I am not writing this to try and make fun, or to be a Wise Guy in any way! It just happens to be the perfect picture for this particular Article!

howiem

If people created bookmarks (favorites) for all the sites where their money could be at risk and only used those bookmarks, the odds of getting phished would be reduced to practically zero. Better yet, create the bookmarks using a site internal https address. Of course you want to make sure that you have the right organization in the first place, so if in doubt, call!

techrepublic

Only do so with ActiveX disabled or you could get a virus. In general, stay away.

Brian.Walters2

I only deal with my bank face-to-face, by snail-mail or by telephone, which is a real pain talking to a call centre in Delhi when both my bank and I are in the UK. My bank doesn't have my email address, that way I know that anything from any bank, especially the "Second National Bank of Outer Mongolia" must be a scam. Regards, Brian.

JCitizen

He does look like a scurvy dog doesn't he! Heh! Heh!

slam5

I think that is a bit drastic, don't you think? With a bit of precaution, you can minimize the risk. For starters, you can use multiple email accounts for different websites. In that way, if one is compromised, you know who did it. You only have to change one email address. And this is only a starter.

DSCtsuru

If you think phishing and pharming is bad now, wait until the CitiBank and B of A systems go nationwide with their Mobile Banking. The iPhone would be a perfect platform for attack by the unscrupulous (if you can't get esn's out of it - you could always sell it to one of the local "vendors".) Just think, send a video laced email with all the "fixins" or just Steal The Darn Thing! I want to find one of the Blackstone Guys in the crowd.
