Information Possibly Outdated
The information presented on this page was originally released on September 22, 2011. It may not be outdated, but please search our site for more current information. If you plan to quote or reference this information in a publication, please check with the Extension specialist or author before proceeding.
Most phishing attacks do not look 'fishy'
E-mail phishing attacks net more than just dollars and cents; they can also capture account usernames and passwords.
The term phishing is a combination of the words “fishing” and “phreaks.” Phreaks were early computer users who also dabbled in hacking. Later, malicious computer hackers began using their skills to hook unsuspecting e-mail users with phishing e-mails.
Phishers create e-mails that mimic those from well-known companies. More than half of all phishing e-mails impersonate a financial institution, such as a bank or credit-card company.
A phishing e-mail has many defining characteristics. First, the e-mail looks like it is legitimate; it often includes official logos and what appear to be legitimate websites.
Secondly, the e-mail presents upsetting but false information. For example, it may indicate your bank account is overdrawn or is about to be closed, your e-mail account is over quota or your credit card has been compromised.
Thirdly, the e-mail will encourage you to act on the information immediately. The suggested action is usually clicking on a link to a website that asks you to enter personal information, such as your username, password, social security number, passport number, or mother’s maiden name. The website is a bogus website created by the phisher to mimic the legitimate website. Often, the bogus address differs from the real one by only a single letter or by its domain ending (.com, .net or .org).
Often, on social media sites such as Facebook, the phisher will use a video link or pictures to lure the unsuspecting target. The phishing lure looks like a message from someone you already know and says something like, “Did you see yourself in these pics?” or, “Look at this video of you at the beach!”
Phishers have discovered that savvy users are much more likely to click on a picture or video in Facebook than to reply to an e-mail. Phishing attempts are most successful when they are able to spoof an e-mail account. Spoofing becomes possible when a virus or Trojan horse steals the contents of a user’s address book; the phisher then sends e-mails to everyone in that address book, using the user’s name or the names of other contacts as the sender.
Safeguarding yourself from phishing attacks is possible, but it does require diligence. Always keep your computer up-to-date with Windows Updates (Internet Explorer/Tools/Windows Update/Express Updates only – do not do Custom updates) and anti-virus updates. Never click on a link posted within an e-mail. For example, if you receive an e-mail from the president of your bank with a link to reset your password, do not click on it and do not copy and paste the link from the e-mail into the address bar of your Internet browser.
Do not allow yourself to be rushed into acting hastily because an e-mail threatens dire consequences if you do not respond immediately. Remember, legitimate companies never solicit personal information via e-mail. When you are on a legitimate website (such as eBay or PayPal), make sure that when you sign in or pay for an item, you are switched to a secure website. For example, you should be routed from http://www.ebay.com/ to https://signin.ebay.com/ when you sign in to eBay. The “s” in https:// stands for “secure,” which means the website is secure.
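As an added example (not part of the original article), the following Python script applies the two checks described above to links found in an e-mail: whether the link uses https:// and whether its host really is the sign-in host the company uses, rather than a look-alike that differs by a single letter, by its domain ending, or by burying the brand name inside an unrelated domain. The allow-list of legitimate hosts and the sample links are constructed for illustration; a real allow-list would be taken from the bank's or retailer's own published addresses. The host comparison matters more than the https:// check on its own, because a bogus site can also be served over https://.

```python
"""Flag suspicious links in an e-mail against the sites they claim to come from.

Added example, not code from the original article. The legitimate hosts and
the sample links below are constructed for illustration only.
"""
from urllib.parse import urlparse

# Constructed allow-list: the host a sign-in link for each brand should use.
LEGITIMATE_HOSTS = {
    "ebay": "signin.ebay.com",
    "paypal": "www.paypal.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> tuple[str, str]:
    """Split 'signin.ebay.com' into ('ebay', 'com').

    Naive two-label split; good enough for .com/.net/.org style endings.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def check_link(url: str, brand: str) -> list[str]:
    """Return the reasons a link claiming to be from `brand` looks like phishing.

    An empty list means the link passed every check here. That does not prove
    the site is legitimate, only that it is not an obvious look-alike.
    """
    reasons: list[str] = []
    parsed = urlparse(url)
    expected = LEGITIMATE_HOSTS[brand]
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append("not https")
    if not host:
        reasons.append("no host in link")
        return reasons

    exp_name, exp_tld = registrable_domain(expected)
    got_name, got_tld = registrable_domain(host)
    if (got_name, got_tld) == (exp_name, exp_tld):
        return reasons  # same registered domain as the real site
    if got_name == exp_name and got_tld != exp_tld:
        reasons.append(f"wrong domain ending: .{got_tld} instead of .{exp_tld}")
    elif edit_distance(got_name, exp_name) <= 2:
        reasons.append(f"look-alike domain: {got_name} vs {exp_name}")
    elif exp_name in host:
        # Brand name used as a subdomain or label of some other domain.
        reasons.append(f"brand name inside unrelated domain: {host}")
    else:
        reasons.append(f"host {host} is not {expected}")
    return reasons


if __name__ == "__main__":
    # Constructed sample links such as might appear in phishing e-mails.
    samples = [
        ("https://signin.ebay.com/ws/eBayISAPI.dll", "ebay"),
        ("http://signin.ebay.com/", "ebay"),
        ("https://signin.ebey.com/", "ebay"),
        ("https://signin.ebay.net/", "ebay"),
        ("http://www.paypal.com.example.net/login", "paypal"),
    ]
    for link, brand in samples:
        verdict = check_link(link, brand) or ["ok"]
        print(f"{link:45} -> {', '.join(verdict)}")
```

Running the script prints one line per sample link with the reasons it was flagged, or `ok` for the genuine sign-in address. The look-alike test uses an edit distance of at most two on the second-level name, which catches the "only one letter differs" trick the article describes; the separate domain-ending and brand-in-subdomain checks cover the other two common disguises.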
Also, you can check to see if a website has been reported as a phishing website. If the website looks suspicious, left-click on Tools from the menu bar and left-click Phishing Filter/Check this Website. Microsoft will compare the website to a list of known phishing websites. If you believe the website is a phishing website, left-click Tools/Phishing Filter/Report this Website. Follow the on-screen prompts and left-click Submit.
If you believe that your account has been compromised due to a phishing attempt, contact the financial institution or company that holds that account directly and have your password reset immediately.