You or your users have probably received e-mail explaining that your eBay or Paypal account has been suspended or is suspected of having been compromised. Maybe you have received the one from Citibank or Bank of America or some other major financial institution. These, of course, are examples of phishing attacks.
A phishing attack uses an e-mail claiming to be from a business or institution as "bait" to lure the "phish," which is the unsuspecting user, into clicking on a link or entering personal or confidential information such as their usernames, passwords, credit card information or more.
A normal phishing attack is blasted out to millions of e-mail addresses, the vast majority of which probably don't even do business with the entity being spoofed. A "spear phishing" attack, on the other hand, targets a smaller, more specific audience. Rather than casting a net across the whole Internet, a spear phishing attack tries to pinpoint gullible victims from a single company or a smaller financial institution. The attack has higher odds of success and a much lower possibility of being identified quickly.
Phishing attacks, whether full-blown or spear phishing, typically create Web sites designed to look exactly like the legitimate Web site of the company being spoofed. In fact, many of the links and graphics are often linked to the real content from the spoofed company's site, with only a few key fields feeding information to the attackers. Below are things you can teach your users to make sure they are not susceptible to phishing.
- Grammar and spelling: While attacks are becoming more sophisticated, many could benefit from a good grammar or spell check before being sent out. If users receive a message that seems legitimate, but has obvious spelling or grammatical errors, that is cause for suspicion.
- Enter Web URL manually: As a rule, users should not click on Web links from within an e-mail. To ensure users get to the site they intend to, they should open a Web browser and type the address in manually.
- Do not reply: Even if a message appears to be legitimate, users should understand that no reputable company would ask them to share usernames, passwords or any sensitive or confidential information such as credit card or social security numbers via e-mail. They should never send such information to anyone via e-mail.
- Confirm the sender: If users receive a message that appears legitimate, but seems suspicious, they should follow it up with a phone call to the company or to the alleged sender to try and verify whether or not they really sent the message.
- Notify the company administrators: Whether it is an attack directed at the company the users work at or a bank they do business with, if your users receive e-mail which appears to be an attempted spear phishing attack they should immediately notify tech support or the network or security administrator so that steps can be taken to protect the network from less observant users.
As an administrator, there is a way you can proactively prevent phishing.
- Use anti-phishing tools or applications: Newer Web browsers such as Firefox or the upcoming Internet Explorer 7 have built-in anti-phishing security features. If migrating to a whole new browser seems too much, you can also implement an anti-phishing toolbar such as those offerd by Netcraft or CipherTrust.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit S3KUR3.com.
This article previously appeared on SearchWindowsSecurity.com. This was first published in October 2006
This was first published in October 2006