DoIT - The Division of Information Technology

October is National Cyber Security Awareness Month


Phishing

The fifth annual National Cyber Security Awareness Month is being celebrated during October 2008 as a collective effort among the Multi-State Information Sharing and Analysis Center, the National Cyber Security Division and the National Cyber Security Alliance to raise cyber security awareness nationwide and empower citizens, businesses, government and schools to improve their cyber security preparedness and help promote a safe Internet experience.

What is Phishing?

Phishing is a scam which attempts to entice e-mail recipients into clicking on a link that takes them to a bogus Web site. The Web site may prompt the recipient to provide personal information such as a social security number, bank account number or credit card number, and/or it may download malicious software onto the recipient’s computer. Both the link and the Web site may appear authentic; however, they are not legitimate.

How Does it Work?

Have you received an e-mail, an instant message, or another communication that just did not seem right, even though the communication appeared to be from a reputable organization? This communication could very well be a phishing scam. It’s important to note that in the past, phishing scams were often more easily detectable because of misspellings, typographical errors and blatantly bad grammar; however, they are increasingly difficult to detect because they often appear so legitimate.

Phishing scams try to “bait” the recipient in a number of ways: the malicious e-mail could include notice of an account cancellation, a request to verify/update personal information, a notice of a purchase that you did not make, or just about anything else that would get you to respond to the communication. The types of messages used in phishing are expanding almost every day, so it is important to be cautious of any communications you receive.

If the e-mail communication, with its enticing subject line, is the “bait,” what is the hook? The hook is getting you, the user, to take some action that enables the phisher to obtain information or otherwise gain access. You may be “tricked” into visiting a Web site which appears to be a legitimate organization’s Web site. Once at that site, you may be asked to enter personal information. Another method of attack may be to get you to open an attachment in an e-mail, upon which malicious code, such as a Trojan horse, is installed onto your computer. Other variations include a telephone call, in which the phisher will ask you to provide personal information. Once the phisher has “hooked” you, they may use the information to open accounts in your name, access your bank account or make purchases using your credit card. There is also a type of phishing attack known as “spear phishing,” where the attacker targets specific individuals by name or specific organizations.

For example, an e-mail invitation to attend an event that may be of interest could be sent to an organization’s employees.  When an employee clicks on the link contained in that e-mail, malware is downloaded to the employee’s computer. The attacker may be targeting specific employee information, such as user names and passwords, or proprietary organization information.
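The "link that appears authentic" described above usually means the visible link text shows a trusted address while the underlying href points somewhere else. The following added example (not part of the original DoIT page) is a defender-side check that parses an HTML e-mail body and flags anchors whose displayed address does not match the real destination; the sample message and all domain names are constructed, and the two-label domain comparison is a deliberate simplification that ignores public-suffix rules.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: two deceptive links, one honest one.
SAMPLE_BODY = """<p>Your account will be cancelled unless you verify it.</p>
<a href="http://login.example-bank.com.verify-acct.test/">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help centre</a>
<a href="http://192.0.2.10/update">https://www.example-bank.com/update</a>"""

URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_text):
    """Hostname of a URL or bare domain; scheme is assumed if missing."""
    s = url_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    # Assumption: the last two labels approximate the registrable domain.
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html_body):
    """Return (shown text, real host) for links whose displayed address lies."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not URL_LIKE.fullmatch(text):
            continue  # plain wording like "Help centre" makes no domain claim
        if registrable(host_of(text)) != registrable(host_of(href)):
            findings.append((text, host_of(href)))
    return findings
```

Running `suspicious_links(SAMPLE_BODY)` reports the first and third links; the honest "Help centre" link is not flagged because its text claims no address.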

How Do I Know it is a Phishing Scam?

If you receive an e-mail appearing to be from a legitimate business, requesting that you submit personal information, it is most likely a scam. Legitimate businesses do not send e-mails requesting personal information.

Use an Internet search engine to research the subject line of a suspicious e-mail to determine if that subject line is a known phishing scam.

What Can I Do?

  • Be cautious about all communications you receive. Think before you click.
  • If the communication looks too good to be true, it probably is.
  • If it appears to be a phishing communication, do not respond. Delete it. You can also forward it to the Federal Trade Commission at spam@uce.gov.
  • Do not click on any links listed in the e-mail message and do not open any attachments contained in suspicious e-mail.
  • Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens.
  • Install a phishing filter on your e-mail application and also on your Web browser. These filters will not keep out all phishing messages, but will reduce the numbers of phishing attempts.
  • Ensure that your computer is up-to-date on all patches.
  • Ensure that your anti-virus program is installed and up-to-date.
  • Use bookmarks in your Web browser for the organizations with which you regularly communicate to limit the chances of being redirected to malicious sites.
  • If you think you have been scammed, visit http://www.ftc.gov/idtheft.
  • Look for unauthorized charges or withdrawals on your credit card and bank statements/bills.
  • Review your credit report - visit http://www.ftc.gov for a link to request an annual free credit report.

For More Information: