Best Practices for Understanding & Preventing Phishing Attacks


Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information.

Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their “winnings” could be deposited into their accounts. Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.

Here are other examples of phishing attacks…

• An e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says “Get Verified!”

• E-mails that look like they come from the FDIC include a subject line that says “check your Bank Deposit Insurance Coverage” or “FDIC has officially named your bank a failed bank.” The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out.

• E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

• A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the “update” button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an “Update Tool,” but which is actually a Trojan virus.

Tell-tale signs of a phishing attempt…

Many phishing attempts originate from outside the U.S., so they often have misspellings and grammatical errors. Some have an urgent tone, and they seek sensitive information that legitimate companies don’t typically ask for via e-mail.

Identifying a Phishing email…

– Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used “”. However, legitimate PayPal messages in the U.S. come from [] and include a key icon.

– Most phishing e-mails come from outside the U.S., so an address ending in “.UK” or something other than “.com” could indicate it’s a phishing attempt. The e-mail address may also be obscured. Hitting “reply all” may reveal the true e-mail address. If you are at all unsure whether the e-mail is legitimate, go to the company’s Web site to see the address listed.

– Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing e-mails typically offer generic greetings, like “Dear PayPal customer.”

– Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, [] would link to the ‘Bank A’ section of the ‘security’ Web site. Often, it’s difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address at the bottom of most Web browsers. (Do not try this on a mobile device, as it will probably open the link.)

– If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.

– Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
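As an added illustration of the link checks above (this script is not part of the original article), here is a small Python checker that parses a link target and flags the two tricks the article describes: a brand name placed in the subdomain or path of some other site, and a one-character misspelling of a known domain. The brand table and the sample links are constructed, and the registered-domain logic is deliberately naive (last two labels); ‘banka’ stands in for the article’s ‘Bank A’.

```python
from urllib.parse import urlparse

# Constructed sample table: brand keyword -> the brand's genuine registered domain
# ('banka' stands in for the article's 'Bank A'). A real list would be maintained
# by the organisation and use the Public Suffix List for multi-label TLDs.
KNOWN_BRANDS = {"paypal": "paypal.com", "banka": "banka.com"}


def registered_domain(host):
    """Naive registered domain: the last two labels (fine for .com-style names)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Return ('ok' | 'suspicious' | 'unknown', reason) for one hyperlink target."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    if reg in KNOWN_BRANDS.values():
        return ("ok", f"registered domain is {reg}")
    # Labels in front of the registered domain are chosen by whoever owns that domain.
    prefix = host[: -len(reg)] if reg and host.endswith(reg) else host
    path = parsed.path.lower()
    for brand, real in KNOWN_BRANDS.items():
        if brand in prefix or brand in path:
            return ("suspicious", f"'{brand}' is only in the sub-domain or path; "
                                  f"the site actually visited is {reg}")
        if edit_distance(reg.split(".")[0], real.split(".")[0]) == 1:
            return ("suspicious", f"{reg} is one character away from {real}")
    return ("unknown", f"{reg} is not a known brand domain")


if __name__ == "__main__":  # constructed sample links
    for link in ("http://www.paypal.com/account", "http://paypal.security.example.com/verify",
                 "http://security.example/banka", "http://paypa1.com/login"):
        print(link, "->", check_link(link))
```

The mouse-over address the article tells you to read is exactly the string you would pass to check_link; a result of ‘unknown’ means only that the site is not in the table, not that it is safe.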

How can phishing attacks be avoided?

• Try to stay off spam lists. Don’t post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of [], use

• If an e-mail looks reasonable but asks you to verify information, contact the company directly. Type the address of the company into the address bar directly rather than clicking on a link. Or call them, but don’t use any phone number provided in the e-mail.

• Don’t give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.

• Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.

• Don’t open e-mail attachments that you did not expect to receive. Don’t open download links in IM. And don’t enter personal information in a pop-up window or e-mail.

• Make sure you are using a secure Web site when submitting financial and sensitive information.

• Change passwords frequently. Don’t use the same password on multiple sites.

• Regularly log into online accounts to monitor the activity and check statements.

For more information about this and other cyber threats to consumers, please subscribe to Home Cyber Defense Weekly. This weekly newsletter is designed to teach you how to recognize and prevent cyber attacks, and informs you what to do if you have been attacked. A subscription to our newsletter is free and you can sign up on our website at:
