Case Security Awareness: 2010-2011
What are phishing scams and how can I avoid them?
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank, eBay, etc.). These messages urge you either to reply with your user name and password or to click on a hyperlink that takes you to a bogus website where you are asked to input private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
Symantec has a great video on the subject that gets the user the basics in a pretty entertaining manner- see Internet Scary Stuff- Phishing.
For examples of typical phishing tactics, see:
How to avoid them
To avoid phishing scams, never click the links provided within these types of email messages. If you feel the message may be legitimate, go directly to the company's web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message. Delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.
You should also always read your email as plain text. Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans. For more information, Indiana University has a great document In Windows, how do I force my email client to display mail as text-only?
Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won't avoid them all. Some legitimate sites employ redirect scripts that don't check the redirects. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.
Another tactic is to use a homograph attack, which, due to International Domain Name (IDN) support in modern browsers, allows attackers to use different language character sets to produce URLs that look remarkably like the authentic ones. For more information, see: http://db.tidbits.com/getbits.acgi?tbart=07983
Reporting phishing attempts
Make it stop! Before you delete the phishing email, you can report these phishing scam attempts to the company that's being spoofed.
You can report spoofed login or personal-data-capturing websites to Google: Google's Safe Browsing Phish Report
Google will then label it a phishing site and flash a warning banner (click for an example) to all subsequent users.
The Case Help Desk (216) 368-4357 can help if you:
- have received an email you suspect is a scam
- have responded to a scam email with your Case account credentials
- need help changing your password.
More information is available at http://help.case.edu When in doubt, call a Trusted Human!