Identification A Phishing Email or a Real Email

One of the problems about trying to teach people to avoid Phishing attacks is that the banks often use the exact same tactics that the phishers use. It is mind-numbingly stupid of them to do so, but still we see emails from banks that contain links in them. As a rule I tell people not to click on the links in these emails, but rather to log into their account by typing in the address of their bank by hand.

I had a question for my credit union about one of my accounts with them. The response came back and contained a link that I had to follow in order to reply. The email specifically said not to reply to the email because it wouldn’t be read. So, how do I know this isn’t a phishing attack? First of all I looked at exactly who the email came from. Believe me, this is far from foolproof. Email addresses can be spoofed. The more important sign was that when I followed the link I was not asked for any information at all. I did not have to login, I did not have to verify anything. In addition to this, the email came in response to an inquiry that I initiated and not out of the blue. The reply was relevant to the question I had asked.

How to handle Phising Attack

Consequences

As the phishers can use so many techniques and can even combine them, it is rather difficult to tell if an email request comes from officials or not.

What are the consequences of disclosing confidential information?
$ The phishers can run up charges on your account.
$ They can open new accounts, sign utility or loan contracts in your name.
$ They can use a false ID and commit crimes using your personal information.

Do not bite the bait!
Do not fill in email forms concerning confidential information. Any trustful service provider uses secure websites and digital certificates.
Do not click on links provided by email, especially if you were not expecting that email. Contact the sender to verify if it was his/her intention to send this email (use the contact number the company gave you, not the one in the email).
Do not reply. Delete the message and check with the real company (use the contact number the company gave you, not the one in the email).
Do not click to follow the link provided in such a message. Type the address in the browser yourself.

Phising Definition, Concept and Techniques

What is phishing

Phishing, also known as "brand spoofing", is an elaborate form of data theft, targeting possible clients of ISP companies, banks, online banking services, government agencies etc.

When submitting your email address on the Internet, filling in online forms, accessing newsgroups or websites, your data can be stolen by Internet crawling spiders and then used without your permission to commit fraud or other crimes.

The Phishing Concept

Phishers develop counterfeit webpages, which imitate the corporate image of well-known, trusted service providers. Then, using collected or random generated email addresses, they "throw the bait".

How the Web Spoofing Attack Works

URL Rewriting

STEP I
# A Phisher could insert a malicious script inside a product review to attack the user.

# The Script would modify the host site so that the user believes he/she is interacting with secure site. this technique is also called as “Cross-Scripting.”

STEP II
# This done by using encoded characters to hide the destination address of a link.
Ex-“abc” = "abc”

How To Safe from Phishing

Your brave anti-spam software works hard to defend your inbox from all those messages about enlarging… um… various things. Even more important, your spam buster also helps protect you from less-embarrassing --but more dangerous-- phishing scam emails. But not entirely safe. Just in case a big bad phishing scam does get through to your inbox, it’s important to know how to spot it.

1. Do they handle your money? Then they won’t ask for your info.

The companies that deal with your money can be counted on for a lot of things. Making mistakes on your monthly statement. Talking robotically on the telephone (even if they’re human). Sending you advertisements you don’t want. But one thing they can’t be counted on to do --because they never do it-- is ask for your account information in an email. No company that deals in your finances will ask for your info via email. Ever. Not the bank, not the IRS, and not Paypal.