
Security Sin 3 - “I always open emails from my bank because I know I can trust them”

Fall for a phishing scam and you could be at risk of infecting your PC with a virus or your money being stolen. But it’s easy to avoid becoming a victim, if armed with the right tools and knowledge. We show you and one reader how.
Published on 29 September 2008


Usually, when people think of the dangers that are out there on the internet, they think of cyber-bullying, viruses and the embarrassment of way too much Viagra spam. But one of the single most dangerous things you can come into contact with online is phishing.

Phishing works rather like its more normally-spelt angling namesake. In the same way that a fisherman attaches a piece of bait to the end of his line and drops it in the water to tempt a fish into biting, phishing is a technique that cyber thieves use to lure people into handing out their personal information, giving these criminals access to your bank details and much more.

The effect of phishing can be very damaging. There’s the obvious risk of money being taken from your account without your permission when you give out your bank details, but there’s also the possibility that you can become infected with a virus, which can slow down your PC or stop it working altogether.

The first case of phishing was discovered back in 1995 through the AOL service, when a person would pose as an AOL worker and instant message people asking for their personal information. It became so common that AOL actually built a disclaimer into every instant message sent or received, warning people that nobody at AOL would ever ask for personal details.

These days, phishers – as these criminals have been aptly nicknamed – can get access to your personal information in a variety of underhand ways. The most common of these is to send you an email that looks as if it has come straight from your bank or a well-known service such as PayPal or eBay.

These emails often look completely genuine because they contain company logos, email addresses and links to what appears to be the same web address that you would normally type into the address bar of Internet Explorer.

If you look closely, though, you can easily spot a fake. The most basic of phishing emails give themselves away by containing spelling mistakes and punctuation errors.

Sadly, cyber thieves have since evolved and are now able to use a technique called spear-phishing, which involves taking your personal details from a social networking web site you frequent or a blog you write to, and adding your name to make the emails appear completely genuine.

But despite these advances, it’s still very easy to distinguish between a legitimate email and an illegitimate one, as Sergei Shevchenko from PC Tools explains. “It is tempting to respond to these emails because they don’t look or feel like a scam. But any email that asks you to reveal any aspects of your identity is the biggest sign of a scam, and it can’t be trusted.”

So if you’re asked to enter your personal details (such as a user ID, password or your account details) within an email or via a link to what appears to be a genuine web site, you should always consider it to be a scam and delete it from your inbox. No bank, auction site or payment system would ever ask you to enter these details.

Tricking you into entering your personal details on a fraudulent web site is one of the easiest ways for a phisher to steal your money, but they may also send you emails with attachments that contain malicious software. This installs on your PC and tracks what personal information you’re entering into web sites, then sends it out to the phisher without you ever knowing.

Another way you can be a victim of phishing is by misspelling the name of a web site in the address bar of Internet Explorer. This is because cyber thieves create bogus web sites with a name almost like the real thing, so when you type it incorrectly, but don’t notice, you’re taken to a login page that looks just like the bank or PayPal page you would normally use to log in with, and you enter your details without realising you’re giving them to thieves.
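
Both link tricks described above, a link whose visible text shows one address while it leads to another and a site name that is almost like the real thing, can be checked for automatically. The following Python is an added example, not part of the original article or of any product it mentions; the trusted list, the made-up examplebank.co.uk and the sample email are assumptions.

```python
from difflib import get_close_matches
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this user really deals with (examplebank.co.uk is made up).
TRUSTED = ["ebay.com", "examplebank.co.uk", "paypal.com"]

def host_of(text):
    """Hostname of a URL or bare address without 'www.'; None if not URL-like."""
    text = text.strip()
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname or ""
    except ValueError:
        return None
    host = host[4:] if host.startswith("www.") else host
    return host if "." in host and len(text.split()) == 1 else None

def lookalike_of(host):
    """Trusted domain that host imitates (near-identical or embedded), else None."""
    genuine = any(host == d or host.endswith("." + d) for d in TRUSTED)
    near = [d for d in TRUSTED if d in host] or get_close_matches(host, TRUSTED, 1, 0.85)
    return near[0] if near and not genuine else None

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = "", "", []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a":
            href, self.href = self.href, ""  # reset so a stray </a> reports nothing
            real, shown = host_of(href), host_of(self.text)
            if real and shown and real != shown and not real.endswith("." + shown):
                self.findings.append(("text-mismatch", shown, real))
            if real and lookalike_of(real):
                self.findings.append(("lookalike", lookalike_of(real), real))

def audit_email(html):
    """Return (reason, claimed or imitated domain, real host) per suspicious link."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample email body, not taken from a real message.
SAMPLE = ('<p>Confirm at <a href="http://examp1ebank.co.uk/verify">www.examplebank.co.uk</a>'
          ' or read <a href="https://www.ebay.com/help">our help page</a>.</p>')
```

Calling `audit_email(SAMPLE)` reports the first link twice, once because its text and destination disagree and once because the destination is a near-copy of a trusted name; the second link is genuine and is not reported.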

Reader rescue

According to our survey on readers’ internet habits, 13 per cent of people have clicked a fake bank link in the past, and Bethan Jones – a 25-year-old Windows Vista Magazine reader from London – almost fell into this trap, too.

Bethan is a typical example of someone who uses their PC very little and, because of this, isn’t fully clued-up when it comes to the dangers online. She does some online shopping, keeps in contact with friends through Facebook, and uses Windows Mail to send or receive emails.

Bethan recently received an email from her bank, which asked her to confirm her account details were still correct by entering them into a form, and clicking a button to submit the details to a web site. She assumed this was just something that banks did to make sure that if customers moved home or simply changed their phone number, their details were always up-to-date.

“The email looked like it had come straight from my bank,” said Bethan. “It had the correct company logo, and the way it was worded made it all look very official. What convinced me to go ahead and fill in the form was when I read that if I didn’t reply, my account would be suspended. This made me panic, and I rushed to update my details.” Luckily, her partner – who is a little bit more computer-savvy – saw what she was doing and stepped in before she could proceed. Bethan’s now very concerned that it might happen again, and that her partner won’t always be around to advise her.

Since then, Bethan’s trust in the internet has hit rock bottom and she’s barely touched a PC, but she doesn’t want her life compromised by this fear, so she contacted Windows Vista Magazine for some help.

Luckily for Bethan, Windows Vista already includes some anti-phishing measures, such as a Phishing Filter built into Internet Explorer, which warns you of web sites that might be unscrupulous; while Windows Defender helps to protect you against spyware or other malicious software by scanning your hard drive at regular intervals to locate and remove anything that should not be there.

But when your money is at risk, it’s always better to be safe than sorry, and PC Tools recommends that you should invest in a second layer of defence to make sure you’ve taken every step possible to protect yourself.

To make sure Bethan’s PC was ready for any future phishing attacks, we installed Browser Defender, a free-to-download program for Internet Explorer, which is available through PC Tools at www.browserdefender.com. Like Microsoft’s Phishing Filter, it warns of possible phishing web sites, and it also actively looks for any malicious behaviour on sites that you visit. We also gave her a copy of PC Tools Internet Security Suite, which includes an anti-spam filter, ideal for automatically detecting and filtering any potentially harmful emails that she might receive at a later date. It comes with Spyware Doctor, too, which would make sure that if she accidentally downloaded anything malicious, it would be spotted and removed immediately.

We recommended that Bethan should make sure that her Windows Vista computer is always kept up-to-date with the latest patches and drivers, by going to Windows Update and checking that everything is current; as well as looking at the PC Tools Internet Security Suite to ensure that she has the latest version installed.

As Aline Kouninioti of PC Tools points out, though, “There are some things that can’t be addressed by technology.” We gave Bethan three pieces of advice to follow every time she uses her PC. Firstly, we told her never to give any information about herself in response to an email, no matter how legitimate it seems, and never to open an attachment, particularly if it is from an unknown address. Secondly, we explained that, when she is typing the web address of her bank or PayPal account into the Internet Explorer address bar, she should always check that it is correct.

And lastly, because she regularly uses Facebook, we recommended that she either remove the personal details (such as her email address, birthday, and home town) from her page, or make sure that the friends she adds to her Facebook profile are known friends only.

Phishing tricks and how to avoid them

1 CLICK THIS LINK!

What happens: An email is sent to you requesting that you click on a link and verify your bank, eBay or PayPal details.
Solution: Even if an email looks completely genuine, never click on any of the links or give out any of your personal or financial information. If you are still concerned and unsure of what to do, you can always ring a company such as eBay or your bank on the telephone to check whether an email is genuine or not.

2 WATCH THOSE FINGERS!

What happens: You type in a web site address incorrectly, are then taken to a spoof web site that looks just like the genuine thing, and enter your bank account details.
Solution: Always double-check that the web site address you’ve entered is spelt correctly, or install Browser Defender (www.browserdefender.com), which checks whether or not a web site is using phishing methods.

3 OPEN THIS COOL FILE!

What happens: You receive an email with an interesting-looking attachment that you can download and save to your hard drive.
Solution: Never, ever open any attachments from a company, organisation or person (unless they are a family member or friend). If it’s a phishing email, it could be a virus that will download to your computer and track what you’re getting up to when you go online.

Join our campaign!

To make our campaign a success we need your help. Visit our web site at http://www.securitysins.com/ to enter competitions and keep your computer safe.

