Dealing with Phishing Messages

According to the article in Dark Reading,  Study: Phishing Messages Elude Filters, Frequently Hit Untrained Users, many people are still being tripped up by phishing emails.
The article summarizes the findings of a survey that was conducted at the Black Hat USA security conference held in July 2012. Of the 250 conference attendees that were polled, 69% said that phishing messages get past spam filters and into users’ inboxes on a weekly basis. Over 25% indicated that top executives and other highly privileged employees have been successful targets of phishing attacks.
Many phishing messages aren’t difficult to spot, but if you don’t know what you are looking for you can easily get hooked.

Filtering Software Can Help, But…

Stated simply phishing messages are fraudulent attempts to obtain your personal information through email or social media messaging.  Armed with your credit card numbers, bank account data or social media account information, the bad guys can steal money from you and snare your online contacts in their phishing nets.
Your anti-malware software or special capabilities in your browser can inform you when you navigate to potentially malicious websites or block malware from being downloaded. Recent versions of Mozilla Firefox, Google Chrome and Internet Explorer all have some anti-malware capabilities. Likewise many email clients, like Mozilla Thunderbird and Microsoft Outlook, can detect and filter spam and other “junk” email that come from senders who you don’t know, did not originally contact, or that look like phishing attacks.
Nevertheless bad stuff still gets through these automated filters and on occasion email that is harmless is flagged as dangerous.  Filtering software cannot protect you in all cases.  In practice, it is difficult to differentiate benign and malicious emails, so it pays to be able to recognize phishing attempts when you see them.

Recognizing and Responding to Phishing Messages

Here’s my list of what to look for in phishing messages and what you should do, or not do, when you get them. Some of these suggestions are based on information presented in the article The State of Phishing Attacks by Jason Hong, associate professor of computer science at Carnegie Mellon and How to Recognize Phishing Email Messages, Links or Phone Calls at Microsoft’s Security and Safety Center Website.

1. Don’t automatically click on links in emails or other messages. Most phishing messages try to get people to go to malicious websites that will collect their personal information. Now that email and other kinds of messages are delivered in HTML, it is possible to obscure the actual URLs contained in the messages since any link can contain a URL that is different than indicated by the link text. For example, consider these links all of which seem to point to Google’s search website: (1) http://www.google.com (2) http://www.google.com and (3) click here to go to Google. Only the first will direct you to Google while the other two will direct you to Yahoo!. By hovering your mouse cursor over these links you can see their actual URLs in the status bar of your browser (usually found at the bottom of the browser or email client window). You can check the URLs in links the same way in most email clients that support HTML. With this technique you can verify whether you are being directed to a website that you trust or even recognize.  If you don’t recognize the website URL, the URL is shortened using a service like bit.ly or you did not initiate the contact with the organization or person sending you the link, be reluctant to click on it.
2. Beware sending personal information in email forms. If you are sent an email that presents a form asking you to supply any kind of personal information, event if it contains legitimate looking company graphics and logos, you can pretty well bet that it is a phishing message. Most companies ask you to visit their websites directly to login into your accounts and transact business. If you receive an email like this it is a good idea to contact the company that seems to have sent you the message to let them know about it. And don’t use the contact information in the email, go the the official company website to contact them.
3. Be suspicious of emails or other messages making threats or asking for money.  Don’t fall for email scams sent by people or organizations threatening you with legal action unless you send money to them or who are trying to persuade you to contribute to strange charity causes you have never heard of. If you are truly concerned that the organization threatening you might be real or the charity looks legitimate and you’d like to contribute, contact these parties to verify their legitimacy and deal with them directly. Don’t let messages that convey a sense of urgency coerce you into being careless.
4. Look out for messages with spelling errors and bad grammar. Reputable companies don’t want to look like fools when they contact you so messages that are poorly written are more than likely bogus.

Phishing Messages in 2012

Phishing attacks are evolving to become even more sophisticated and deceptive.  In their blog Blackhole Exploit Kit Transforms Phishing, Trend Micro product manager Sandra Cheng and senior director Jon Oliver point out that phishing messages they are collecting in 2012 look exactly like legitimate emails from real companies. Here is an example of the kind of message they are seeing:

The authenticity of this message is nearly impossible to ascertain by just looking at it, since it does not have any of the obvious phish content I mentioned before. Many of these phishing messages contain links that lead unsuspecting users to websites where malware is installed that enable cybercriminals to take control of the victims’ computers. In most cases the only difference between this new type of phishing email and the legitimate variety are the links they contain.
One way to handle messages like this is to avoid clicking on any of the links in them and instead going to directly to the websites of the companies from where the emails appear to have come. Once there you can verify if you have any of the pending issues that are claimed in the fake emails.

More Information on Phishing

If you want to get additional information about phishing, I suggest visting the PhishTank, a clearing house for information and data about phishing on the Internet. Their website features a lookup service where you search a URL you suspect might be a phishing site in their database. If you don’t find it you can submit the URL to the PhishTank for evaluation. As you find phishing URLs you can help others avoid them by contributing to the PhishTank database. The PhishTank also has a nice FAQ page that can answer many of your questions regarding phishing.
Don’t become the phishing catch of the day. Protect yourself against phishing attacks by staying informed and vigilant.

Article by Vic Hargrave