A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Phishing

Using fake Web sites to trick you into giving away personal information

"Phishing" or "Web spoofing" attacks use fraudulent Web sites to trick you into giving away confidential personal information such as credit card numbers, account usernames and passwords, and social security numbers. This is called "phishing" because attackers are "fishing" for your personal information and trying to lure you into providing it.

A phishing attempt usually starts with an email urging you to click on a Web link in order to check something about your bank account or another on-line account. These emails often appear to be from popular online institutions such as eBay, AOL, PayPal, or MSN. When you click on the link you go to a page where you are asked for information. The page appears genuine, but is in fact counterfeit. Phishers may then use the personal information you give on the page to steal your identity or your money.

Protective Measures

Practices

  • Use common sense when giving out personal information: Be careful when giving out personal information in Web forms. Your bank is not going to lose your credit card or account information and ask you by email to enter it online. Don't respond to such requests. Follow them up with a phone call to the institution if you want to make sure.

  • For sites requiring personal information, type in the Web link yourself: Instead of clicking on a Web link in an email, type the known address of the Web site in the browser's Address line yourself. This ensures that you won't be sent to a fraudulent Web site.

  • Check your bank and credit card statements for purchases that you did not make: Regularly check your bank, credit and debit card statements to make sure that all transactions are legitimate. It is important to know what you did and did not buy so that you are better prepared to answer questions if somebody steals and uses your financial information.

  • Report fraudulent Web sites to the Federal Trade Commission: If you determine or suspect that you were directed to a fraudulent Web site, send the email that directed you there to uce@ftc.gov. If you believe you've been scammed, file a complaint with the Federal Trade Commission.

  • Check your hosts file occasionally: Normally, your browser translates a Web address or “host name” like www.google.com into a corresponding Internet Protocol (IP) address. The Internet uses the IP address, not the host name, to find the desired site. Your computer contains a file named “Hosts” which has entries linking hostnames to IP addresses. This file overrides the normal translation, so if a phisher can write to this file, he can use it to link you to fraudulent Web sites.

    The “hosts” file is typically located in your “windows\system32\drivers\etc or winnt\system32\drivers\etc” directory, but you can also find it on Windows by going to Start > Search > For Files or Folders. It normally has only one IP-host name link at the bottom for localhost (e.g., 127.0.0.1 localhost). If you see any link besides the localhost link, especially with a host name you commonly use, it was probably put there by a phisher, and you should delete it. Any line starting with a “#” is a comment and harmless.

  • Check emails for fake Web links: If you receive an email that asks for personal or financial information, check the source code for misleading links.
    1. Each email client has a different method for checking the source of an email. See this page for instructions on viewing the source in Eudora, Mozilla, Outlook, Outlook Express, and Mail.app.
    2. Once you have viewed the source, scroll through the email until you find the link you want to check.
    3. If the link looks something like “http://scgi.ebay.com@64.68.92.168:3879”, where "http://scgi.ebay.com" is the address of the legitimate site, then the Web site is a fake. The browser treats everything before the “@” as a username and ignores it for the purpose of finding the site; the remainder of the link (“@64.68.92.168:3879”) sends you to the IP address ("64.68.92.168") and port number ("3879") specified, not to the legitimate site.
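The two checks described above, auditing the “hosts” file for injected entries and working out where an “@” link really goes, as one added Python example; this is not code from the original page. The sample hosts content, the IP 192.0.2.55 and the bank hostname are constructed; the first sample link is the page's own example.

```python
"""Added example (not from the original page): the hosts-file audit and
the deceptive-link check from the Practices list, as runnable functions.
Sample inputs below are constructed (reserved example addresses)."""
from urllib.parse import urlsplit

# The only mappings a clean hosts file normally carries.
LOOPBACK = {"127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def hosts_overrides(text):
    """Return (ip, hostname) pairs other than the normal loopback lines.
    '#' comments and blank lines are ignored. Anything returned overrides
    DNS for that name and deserves a look, especially for sites you use."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if not (ip in LOOPBACK and name.lower() in LOOPBACK_NAMES):
                found.append((ip, name.lower()))
    return found

def real_destination(url):
    """Show where a link really connects. Browsers treat the text before
    '@' as a username, so 'http://scgi.ebay.com@64.68.92.168:3879' goes to
    64.68.92.168 port 3879, not to eBay. Returns (host, port, decoy), where
    decoy is a domain-looking username or None."""
    p = urlsplit(url)
    decoy = p.username if p.username and "." in p.username else None
    return p.hostname, p.port, decoy

# Constructed hosts file: one normal line plus one injected redirect.
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.0.2.55 www.example-bank.com # injected\n"
# The page's own example link, plus an ordinary link for comparison.
SAMPLE_LINKS = ["http://scgi.ebay.com@64.68.92.168:3879",
                "https://www.example.com/login"]

if __name__ == "__main__":
    for ip, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
    for link in SAMPLE_LINKS:
        host, port, decoy = real_destination(link)
        flag = f" (looks like {decoy}, but is not)" if decoy else ""
        print(f"{link} -> {host}:{port or 'default'}{flag}")
```

To audit your own machine, read the hosts file at the path given above and pass its contents to hosts_overrides().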

Settings

  • Protect your "hosts" file from being written to: If a phisher can write to a file on your hard drive called "hosts", he can use it to link you to fraudulent Web sites. To protect your hosts file:

    1. Go to the "windows\system32\drivers\etc" or "winnt\system32\drivers\etc" directory to find the file.
    2. Right-click on the file, and choose Properties.
    3. Check the Read-only box at the bottom of the General tab window.

Tools

  • Anti-phishing: None of these tools is a foolproof way to avoid phishing, but they can help. If you decide to use them, don't be lulled into a false sense of security. Continue to use common sense and caution in giving out personal information online.

    • Automatic notification of known spoofed Web sites: There is software available that can notify you when you are being directed to a Web site known to be fraudulent. These products continually update a list of known fraudulent Web sites and allow your browser to access this list. Of course, many phishers constantly change the sites they use to get around this software and to escape detection. One product of this kind is Microsoft's Phishing Filter.

    • Automatic notification of possible spoofed Web sites: Some software tries to detect phishing by looking for characteristics of previously detected attacks and guessing whether a given site is likely to be fraudulent. One free product that does this is Spoofguard.

    • Automatic display of domain name: Other software fights phishing by displaying information such as the real (as opposed to the spoofed) domain name of any Web site you visit. One free product of this kind is SpoofStick.

  • Secure Web email: Some Web-based email providers offer built-in privacy features. However, in order to reap the benefits, both the sender and recipient must use the service. Hushmail is one provider of secure Web email.

  • "Anti-phishing Phil" is an animation that teaches you how to recognize phishing sites.

Legal Issues

Fake Web sites, also known as phishing Web servers, are illegal in the US. In response to the growing threat, the Federal Bureau of Investigation has partnered with the National White Collar Crime Center to create the Internet Crime Complaint Center. If you have been a victim of a phishing scam, save anything related to your complaint (emails, credit card bills, bank statements, etc.), and report the incident on their Web site. They refer all complaints to the proper law enforcement agencies, who may then choose to investigate the case.

The FBI does not guarantee that all complaints will be investigated, so also file a police report, and report the incident to the Federal Trade Commission and the Anti-Phishing Working Group.
