Gadgetell | Tech News, Reviews, and Interesting Things

Shields Up!: Phishing

by Sue Walsh on Jun 9, 2009 at 05:03 PM

We’ve all gotten them - official-looking emails that appear to come from PayPal, eBay, our bank, or our credit card company.  They usually say there is a problem with our account or that something needs updating, and ask us to click the convenient link provided and log in.  Dire consequences such as suspension or deletion are threatened if the request is not complied with.  So do you do it?  The scammer who sent it to you sure hopes so, because it’s fake and designed to steal your information and your money.  Welcome to phishing!

In the beginning there was phishing

Phishing gets its name from an old hacker magazine called 2600 and it does just that - it fishes for info.  The first phishing scams were on AOL back in the 90s.  Scammers posing as AOL employees would send emails or IMs to members saying their account needed to be verified and asking for their passwords.  They would then use the stolen accounts to send spam.  Later phishing became more sophisticated and went after sensitive information such as credit card numbers and banking info.

In the right now there is phishing

Today most phishing attacks are conducted via botnets such as Waledac and reach millions.  Even if only a small percentage falls for the scam, the gangs behind the botnets make money.  Sometimes the stolen information is used to clean out bank accounts and run up huge charges on credit cards.  Some gangs use the stolen numbers to make fake credit cards and commit identity theft.  Others make their profits by selling the information they steal.  There are whole black hat communities that thrive on the buying and selling of stolen information.

How phishing works

Here’s how a common phishing attack works.  You get an email that looks like it came from a company you do business with such as PayPal, eBay, or your bank.  It tells you something like your credit card on file is expired, your account needs to be verified because of suspicious activity, etc.

A link is provided and clicking on it takes you to what looks like the company’s site, but it’s actually a fake one set up by the scammers.  When you log in, your username and password are instantly sent to the scammer’s database.  Oftentimes malware will be silently installed in the background.  Common types include keyloggers, which record every single thing you type and send it to the scammers; Trojans, which can do everything from scanning your computer for specific kinds of information to adding it to a botnet; and rootkits, which allow the scammer to have complete control over your computer through a “back door” they create.

Shields Up!

How do you protect yourself? Here are some tips.

  • No company you do business with will ever ask you for your username or password via email.
  • Legit emails from companies you do business with will always address you by your name or username, not “Dear Customer” or “Dear User.”
  • Read the email carefully.  Most phishing emails contain grammatical errors that professional companies would never make.
  • To check if a link is legit, let your mouse pointer hover over it (don’t click!).  Look at the URL displayed in the bar at the bottom of the screen.  In a phishing mail the URL shown there and the link in the message won’t match!
  • If you are unsure about an email you receive from a company, pick up the phone and ask them.
  • On websites, never ever click on popups or banners that say you’ve won a free computer or other pricey electronics.
  • On sites like Facebook and MySpace, be careful what apps you install and be wary of emails from people you don’t know offering funny photos or other enticements. Phishers hit social networking sites hard these days.

Phishers are hoping to exploit people’s lack of common sense, so use yours and stay safe!

Comments
  • gandharva said:
    OKAY GOOD IDEA TO PROTECT ALL FROM SPAMMING AND PHISHING.

    IT MEANS THAT SOME TEAM IS WORKING ON THIS TO PROTECT US AND OUR SYSTEM AND DATA.

    THANKS…
