Avoiding Phishing Attacks

Phishing attacks are used to steal personal information. They are carried out via email or a similar system and are designed to look like they come from a trusted source. In some cases, the message requests that you "update" account information, such as credit card or checking account information. Some phishing scams ask for this information directly in the email message.

Other attacks are designed to get you to visit a fraudulent website that may look identical to a legitimate site. The fraudulent website will try to get you to take the bait by asking you to provide personal information, such as passwords, credit card numbers, bank account numbers, Social Security numbers, etc. The site may also install malware or spyware on your computer.

Phishing techniques are damaging in themselves, but they are often just the first step in a larger, more sophisticated attack.

Here is a screen capture of an actual phishing attack received in May of 2015. This particular attack was amateurish. Many are not this obvious.

Example Phishing Attack

How to defend yourself

Investigate the following before providing personal information:

  1. Do not simply click on links in email messages. First investigate where the link goes. Fake email messages usually hide the actual link within a phrase, such as "Click here" or "Log in." Always right-click to copy the actual link, and paste it into your browser. Then carefully read the link before clicking to visit it. If the address looks a little odd, don't visit it.
  2. Be immediately suspicious if the email message asks for personal information. Fake emails often ask you to reply with your personal information or to fill it into spaces provided within the email. 
  3. Is the Web page secure? Any time you are asked to give personal information online, the website address should begin with "https:".
  4. Is the email addressed to you personally? Phishing messages often use generic greetings, such as "Dear Customer" or "Dear Sir/Madam."
    1. Note: The fact that an email message is personalized doesn't mean it is from a trusted source. Identity thieves can easily collect names from social media sites. Publishing a birthday or cell phone number on such sites gives identity thieves enough information to develop an effective attack.
  5. Is the email error-free? Phishing email messages are often littered with misspellings and poor grammar. These mistakes help them avoid spam filters, but should be a dead give-away that they are not from a legitimate source. 
  6. Is the page a 'pop-up'? Phishing email messages and websites often use pop-up windows to collect information. Such pop-up windows may appear without any action on your part and have no address bar or navigation buttons. If this happens to you, DO NOT click on the pop-up window. Instead immediately shut down your browser and restart it.
  7. DO NOT open email attachments from unknown sources. Fake email messages often include an attachment that, if launched, installs spyware, launches a virus, etc.
  8. DO NOT send personal or financial information via email unless you are using PGP or another strong security mechanism. There are many ways email messages can be intercepted and analyzed without your knowledge.
  9. Keep anti-virus and other security software up-to-date.
  10. Report online scams to the Federal Trade Commission at www.ftc.gov.