Phishing is the term for the act of tricking someone into handing over their login credentials. Generally, this is done by setting up a realistic-looking fake site and getting people to type their credentials into it. For example, criminals might set up a web site that looks just like your bank’s website. The address for the site might be something like “http://yourbankcustomerservice.com” (instead of just “http://yourbank.com”). Then they’ll send thousands, perhaps millions, of e-mails to random people. These e-mails will usually tell readers that there’s a problem with their bank account and that they need to log in to take action. If you type your credentials into the fake site, the phisher can collect them and use them to log in to your real bank.
In addition to e-mail, phishers have expanded into social media. This is particularly scary, because phishers are compromising people’s accounts on Facebook and other social networking sites to send fraudulent links to people who trust those users. Most Web browsers now come with some functionality to help prevent phishing, but this won’t stop all phishing attempts.
Phishing can happen to anyone, even the most tech-savvy and security-conscious among us. Cory Doctorow is the editor of the popular geek culture blog Boing Boing. His security consciousness borders on the paranoid. For example, he once wrote a column for The Guardian about the dilemma he faced when deciding how to deal with his passwords in the event of his death. He uses a password management application locked down with a 256-character encryption key. He decided to give one half of the key to his wife, and the other half to his lawyer. That way neither of them would have the full encryption key needed to access the rest of his passwords.
You might not think someone so careful could get phished. But he did. He wrote an article for Locus Magazine last year explaining how it happened. He was using his phone to read Twitter while standing in line at a coffee shop when he received a message from an old friend. The message read “Is this you????” and included a shortened URL. Doctorow clicked the URL and was taken to what appeared to be a Twitter login page. He typed in his password without thinking about it. It was only after he’d entered his password that he realized he wasn’t actually on twitter.com. There were a few other mitigating circumstances, but you get the gist. “Phishing isn’t (just) about finding a person who is technically naive,” writes Doctorow. “It’s about attacking the seemingly impregnable defenses of the technically sophisticated until you find a single, incredibly unlikely, short-lived crack in the wall.”
If someone as vigilant as Doctorow can get phished, how can you protect yourself? Here are a few tips:
1. Accept that you are not immune to phishing.
Even if you use a Mac, even if you use an expensive Internet security suite, and even if you’re a security expert, you can still get phished. The first step to avoid being tricked is to acknowledge this.
2. Pay attention to existing phishing scams.
Watch for news about phishing scams and see what messages are being used. Watch for patterns. The “Is this you?” spam that snared Doctorow is one popular tactic, but there are others. If you’re really interested, you can follow the blog of security company Sophos – it’s one of the best sources for phishing news.
3. Always keep an eye on your browser’s address bar.
When you’re asked to log in to a site after clicking a link, take a look in the address bar (see the illustration above). If you’re logging into PayPal, does the address start with “https://www.paypal.com” or does it start with something like “https://paypal.[something else].com” or “https://paypal[somethingelse].com”? The only part that matters is the hostname, the text between “https://” and the next “/”; it must be exactly the site’s domain or end with a dot followed by that domain. This can be hard to notice, but it’s worth paying attention to.
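The address-bar check above can be stated precisely as a small program. The following is an added example, not code from the original article: it parses a URL with Python’s standard library, extracts the hostname, and reports why a login page should not be trusted. The trusted hostnames and the sample URLs (based on the article’s own “yourbankcustomerservice.com” and “paypal.[something else].com” patterns) are constructed for illustration.

```python
from typing import Dict, List
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, ignoring port, path and query.

    urlsplit().hostname already lowercases and strips any port; a trailing
    dot ("paypal.com.") is removed so it compares equal to "paypal.com".
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def belongs_to(host: str, trusted: str) -> bool:
    """True only if host is the trusted domain itself or a subdomain of it.

    "www.paypal.com" passes.  "paypal.secure-login.example.com" and
    "paypalsecure-login.com" both fail: neither ends with ".paypal.com",
    even though both begin with the word "paypal".
    """
    return host == trusted or host.endswith("." + trusted)


def check_login_url(url: str, expected: str) -> List[str]:
    """Return the reasons a login URL is suspicious; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)
    host = hostname_of(url)
    if parts.scheme != "https":
        problems.append(f"not https (scheme is {parts.scheme!r})")
    if not host:
        problems.append("URL has no hostname")
    elif not belongs_to(host, expected):
        problems.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    return problems


# Constructed sample URLs paired with the domain the user believes they are on.
SAMPLES = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("https://paypal.secure-login.example.com/signin", "paypal.com"),
    ("https://paypalsecure-login.com/signin", "paypal.com"),
    ("https://yourbank.com/login", "yourbank.com"),
    ("http://yourbankcustomerservice.com/login", "yourbank.com"),
]


def run_examples() -> Dict[str, List[str]]:
    """Check every sample and map each URL to its list of problems."""
    return {url: check_login_url(url, expected) for url, expected in SAMPLES}


if __name__ == "__main__":
    for url, problems in run_examples().items():
        verdict = "ok" if not problems else "; ".join(problems)
        print(f"{url}\n    -> {verdict}")
```

The check deliberately compares the whole hostname against the expected domain rather than searching for the brand name inside the address, because a phishing host can contain “paypal” anywhere in it and still belong to someone else.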
4. When in doubt, type the address by hand.
If you’re not sure whether you’re on a site’s real login page, you can always just close the window or tab and start over. Then you can type the site’s address by hand, or use a bookmark, and log in to the site that way. If you want to be extremely cautious, you can make it a habit to always log in to sites this way – even when you trust the source of a link.