Phishing Attacks

The State of the Phishing Industry

Phishing is a worsening problem that affects more people every day, with carefully crafted emails constantly probing for your personal information. On any given day, I receive multiple emails telling me that my account has been suspended, needs to be verified, or that criminals have compromised my account and I need to take action!
By acting on a single email, I could potentially cost myself (or my employer) thousands of dollars and wreak havoc on my online reputation, not to mention the risk of having my identity stolen.
The goal of this website is to educate you about phishing scams and their dangers, while also showing you how to build a multilevel defense plan to protect you, your identity and your Mac.

What Exactly IS Phishing?

The term 'phishing' refers to a technique criminals use to steal your information. The scam works like this: the phisher sends you an email or instant message that impersonates a real company, hoping you will follow a link to a website they control and enter your information there.
For example, you might receive what looks like an eBay email asking you to update your account, along with a link saying "click here". The sender's address looks like an eBay address, and the message is formatted like your other eBay messages.
When you click the link, it takes you to a phishing website that looks identical to the real one. In reality you are typing into a fake update form, handing the criminal everything needed to take over your account and your identity.

Below is an actual example of a phishing attempt, where the criminal is impersonating PayPal:
[Screenshot: phishing email impersonating PayPal]
Phishing criminals will take anything they can get: your online accounts, account numbers, banking details, passwords, PINs and credit card numbers.
Phishing = Fishing = Pishing: different spellings for the same criminal activity! The term 'phishing' is borrowed from fishing. The criminal is the fisher, baiting the hook with an email and casting it into the water, waiting for one poor victim to bite before reeling in the prize.
Pharming has the same goal as phishing, stealing your information, but works differently. Phishing is aimed at you directly: a message arrives and you have to take the bait. Pharming hijacks the lookup of a trusted domain name (for example by poisoning a DNS server or altering the hosts file on your computer), so that typing the correct address on your next visit silently takes you to the criminal's server. Because the address bar looks right, the checks described on this page do little against it; defending against pharming is largely the job of the companies and DNS operators involved. The one sign left for you to watch for is a browser certificate warning on a site that normally uses HTTPS.

Defenses Against Phishing Attacks

Phishing attacks can be prevented in many ways. The most common, and effective, methods are:
  1. FILTER your messages.
  2. DETECT the scam.
  3. LEVERAGE available tools.
Criminals will try many angles to get your information, so layer these defenses rather than relying on any single one of them!

Filter Your Messages

By filtering your email for spam, many phishing messages are stopped before they reach your inbox. When a message never gets to you, you don't have to spend time working out whether it is real or just someone trying to get your information.
A good spam filter removes a large percentage of phishing emails so they never reach your inbox. Google currently provides one of the best spam filters available in GMail.
Not only does GMail keep phishing emails out of your inbox, it also records what it catches, so that once a message has been identified as phishing, other GMail users can be protected from the same message. There is another benefit for Mac users: a GMail account can be set up as a POP3 account, so your GMail can be read directly within Mail.

Detect The Scam

There are a few telltale signs that you are being scammed by a phisher.
The first and most obvious clue that something is a scam is when you receive an email from a company you don't do business with. I constantly get emails (in German) from a German bank, Volksbanken Raiffeisenbanken; there aren't many German banks here in Canada, so I pitch these without a second thought.
Next is the email itself. Phishers send the same message to thousands (maybe millions) of users at once. Most of the time they have no idea who you are; they simply have your email address. So be suspicious of any email that speaks in generic terms like "Dear Sir/Madam". If the email doesn't contain your name or account number, it is probably not legitimate. (The reverse is no guarantee: a message that does address you by name can still be a scam, since phishers often obtain names along with addresses.)
The most important clue of all is the domain name. If the domain name of a site is not correct, it is a dead giveaway that the site is a scam. The text of a link and the address it actually points to can be completely different, so hover your mouse over the link they want you to click to see where it will really take you:

In this example, the phisher routes the link through the Yahoo! redirection service: the address starts with a trusted Yahoo! name, and the phishing site is tucked into the redirect parameter further along. The criminal is counting on you to see the familiar name and assume the link is safe.
If you do click the link, check the browser address bar to confirm that you are on the correct domain. Phishing sites often use a bare IP address instead of a domain name, so if you see http://220.78.116.80 instead of http://paypal.com, you know you're being scammed! Also watch for the real name appearing only as part of a longer address (paypal.com followed by more dots and another name belongs to whoever owns that last name, not to PayPal), and for anything before an @ sign in the address, which the browser treats as a user name rather than as the site.
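The checks in this section can be mechanised. The following is an added example, not code from the original page: a small Python script that extracts every link from a constructed HTML phishing email and flags the telltale signs described above: a generic greeting, link text that disagrees with the real destination, a raw IP address as the host, the user-name-before-@ trick, and a redirector URL with the real target hidden in a parameter. All domains, addresses and IPs in the sample are made up (RFC 5737 documentation ranges and a reserved .invalid name), and the claimed domain, example.com, stands in for the impersonated company.

```python
# Added example (not from the original page): flag phishing signs in an HTML email.
# All domains, IPs and names below are constructed; example.com stands in for the
# company the message claims to come from.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear valued customer",
                     "dear user", "dear member")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_belongs_to(host, domain):
    """True for the domain and its subdomains; False when the domain is only a
    prefix of some longer name (example.com.attacker.invalid)."""
    return host == domain or host.endswith("." + domain)


def embedded_url(href):
    """An absolute URL hidden in the path or query (the redirector trick), or None."""
    p = urlparse(href)
    m = re.search(r"https?://[^\s\"'<>]+", unquote(p.path + "?" + p.query))
    return m.group(0) if m else None


def visible_host(text):
    """If the link text itself looks like a URL or hostname, return that host."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)", text.strip().lower())
    return m.group(1) if m else None


def link_findings(text, href, claimed_domain):
    """Reasons this link is suspicious, given the domain the email claims to be from."""
    findings = []
    p = urlparse(href)
    host = (p.hostname or "").lower()
    if p.username is not None:  # everything before '@' is userinfo, not the site
        findings.append(f"'{p.username}' before the @ is a username; the real host is {host}")
    if is_ip_literal(host):
        findings.append(f"destination is a raw IP address ({host})")
    target = embedded_url(href)
    if target is not None:
        host = (urlparse(target).hostname or "").lower()
        findings.append(f"redirector: the real destination is {target}")
    if not host_belongs_to(host, claimed_domain):
        findings.append(f"final destination '{host}' is not part of {claimed_domain}")
    shown = visible_host(text)
    if shown is not None and shown != host:
        findings.append(f"link text shows {shown} but the link goes to {host}")
    return findings


def analyze_email(html_body, claimed_domain):
    """Report whether the greeting is generic, plus the findings for each link."""
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    extractor = LinkExtractor()
    extractor.feed(html_body)
    return {"generic_greeting": any(g in plain for g in GENERIC_GREETINGS),
            "links": [{"text": t, "href": h, "findings": link_findings(t, h, claimed_domain)}
                      for t, h in extractor.links]}


# Constructed sample message: RFC 5737 documentation IPs and a reserved .invalid name.
SAMPLE_BODY = """
<p>Dear Sir/Madam,</p>
<p>Your account has been suspended. Please
<a href="http://192.0.2.10/update">click here</a> to verify your details, or visit
<a href="http://redirector.example.net/r?u=http%3A%2F%2Fexample.com.account-verify.invalid%2Flogin">http://www.example.com/account</a>.
You can also sign in at <a href="http://www.example.com@198.51.100.7/login">www.example.com</a>.</p>
<p>Regards, <a href="https://www.example.com/help">example.com support</a></p>
"""

if __name__ == "__main__":
    report = analyze_email(SAMPLE_BODY, "example.com")
    print("generic greeting:", report["generic_greeting"])
    for link in report["links"]:
        print(f"[{link['text']}] -> {link['href']}")
        for finding in link["findings"]:
            print("   !", finding)
```

Run it and each link is listed with its reasons; only the last link, which really points at the claimed domain, comes out clean. The host test deliberately accepts subdomains of the claimed domain but rejects names that merely begin with it, which is exactly the distinction a hurried reader gets wrong.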

Leverage Anti-Phishing Tools

It is easy to say "stay safe" and "remain vigilant" to protect yourself from phishing attacks. However, in reality, we are all human, and everyone makes mistakes (well, maybe not Stephen Colbert, but most of us!).
By relying solely on the manual avoidance techniques for phishing attacks described above, you are leaving yourself open to making a mistake. Potentially a very costly mistake!
There are several things you can do to protect yourself further. Below, I will describe some of the many tools you can use to protect your information, your identity and your Mac.

Automatic Form Fillers

Automatic form fillers work like magic! Not only do they save you tons of time, they are also incredibly effective at preventing phishing attacks.
These tools work by letting the autofill program, not you, decide where a saved password goes. The program only fills a login form when the domain of the page matches the domain the credential was originally saved on, so a look-alike site at a different domain gets nothing, no matter how convincing it looks.
Watch this phishing protection movie to see how effective autofill technology can be at protecting you.
Safari's built-in AutoFill should have been adequate for phishing protection, but unfortunately it doesn't work on the sites where you need it most: it honours the autocomplete="off" attribute that banks put on their login forms (the infamous autocomplete="off" problem). Also, if you ever switched browsers, you would be back to typing passwords manually.
These problems can be solved by using the 1Password password manager. 1Password's AutoFill works across many browsers, and its form filling works on all web sites, including those that set autocomplete="off".
Note that 1Password cannot protect you when you type personal information into a new web site it has never seen before, because it has nothing saved for that site to withhold. However, that is a different type of attack entirely, and one that is much easier to dismiss. For example, how often do you want to sign up with a bank that spams you by email? It is far more plausible that a bank would email existing customers about a new service and tell them to log in to see it, and that is exactly the case where the form filler refuses to cooperate with the fake.
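To make the domain-matching rule concrete, here is an added example (not code from the original page, and not 1Password's own implementation) of a minimal password vault in Python. It binds each saved credential to the page's origin, generates a random password the user never sees, and refuses to fill anything on a different host, scheme or port. The sites, user names and passwords are all made up.

```python
# Added example (not from the original page, not 1Password's code): a toy vault
# that only releases a credential on the origin it was saved for.
# All sites, user names and passwords below are constructed.
import secrets
import string
from urllib.parse import urlparse


def origin(url):
    """scheme://host[:port], lower-cased: the unit a credential is bound to.
    Anything before an '@' is userinfo, not the host, so a page such as
    https://www.example.com@<attacker> resolves to the attacker's origin."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    default = {"http": 80, "https": 443}[p.scheme]
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname.lower()}{port}"


def generate_password(length=20):
    """A random password the user never learns and so can never be tricked into typing."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    def __init__(self):
        self._items = {}  # origin -> (username, password)

    def save(self, url, username, password=None):
        """Store a credential for the page's origin; make up a password if none is given."""
        password = password or generate_password()
        self._items[origin(url)] = (username, password)
        return password

    def fill(self, page_url):
        """Credential for the page's exact origin, or None. Returning None is the
        protection: a page on any other host, scheme or port gets nothing, and
        the user has nothing memorised to type in by hand."""
        try:
            return self._items.get(origin(page_url))
        except ValueError:  # javascript:, data:, mailto: and friends never match
            return None


def demo():
    """Save one login, then try to fill it on the real site and on impostors."""
    vault = Vault()
    vault.save("https://www.example.com/login", "alice")
    pages = [
        "https://www.example.com/account/settings",             # same origin, other path
        "http://www.example.com/login",                         # same host, downgraded to http
        "https://www.example.com.account-verify.invalid/login", # claimed name is only a prefix
        "https://192.0.2.10/login",                             # raw IP address
        "https://www.example.com@192.0.2.10/login",             # userinfo trick
    ]
    return {url: vault.fill(url) is not None for url in pages}


if __name__ == "__main__":
    for url, filled in demo().items():
        print(f"{'FILLED ' if filled else 'refused'} {url}")
```

Real password managers usually match on the registrable domain (so www.example.com and accounts.example.com share one entry) using the Public Suffix List; this version matches the exact origin and is therefore stricter, refusing even the http version of a site that was saved as https.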

Browser Anti-Phishing Features

There are several toolbars that will alert you if the site you're visiting is listed on a blacklist of known phishing sites. Newer browsers, such as Firefox 2.0, claim to protect you by integrating this check.
While I applaud the effort, phishing sites are set up and abandoned within hours, and a criminal is hardly going to keep using a site once it has been blacklisted. Phishing attacks change faster than any list can be updated, so a blacklist mostly protects the people who arrive after the first victims have already reported the site.
Sadly, blacklists will only help you if you are living in the past.

'Phishing Killer' Downloads
(aka Lame Programs that Claim to Cover Your Butt)

When you search for phishing protection, you'll find tons of 'killers' and 'blockers', but don't kid yourself: they are just a middleman. These products rely on blacklists of known threats, which limits their effectiveness from the start.
Worse, some of these 'killer' downloads are themselves spyware (malware that keeps track of your online activities), so you install a surveillance tool while trying to protect yourself.
These companies have also chosen to support ONLY Firefox, ignoring the Macintosh community's diverse range of browsers. If you use Safari, Camino, SeaMonkey, OmniWeb, DevonAgent or another browser, you are not even able to 'benefit' from these programs.

Anti-Phishing Toolbars for Your Browser

Google Toolbar for Firefox has a built-in anti-phishing feature that detects known phishing sites. Firefox 2.0 is integrating this feature into the browser itself, so the toolbar feature will lose its relevance.
All integrated toolbars suffer from the same problems already discussed, along with some potential additional security issues. An article by O'Reilly Media highlights some issues that add to my concerns about using them.
eBay and PayPal also offer toolbars, but they are designed to protect your eBay/PayPal accounts only.
Aside from incomplete protection, once again Mac OS X users who prefer Safari or another browser are left in the cold, since the toolbars only support Firefox.

Web Site Seals and Emblems 

Several web sites have started using emblems or seals to help protect their users from phishing attacks. These act as cues: when you enroll you choose a personal image, and you are supposed to check for it on every later visit, thereby verifying the 'truthiness' of the page before you type your password.
Good idea, right? Well sure, if you only use one machine and one browser. Going to each machine (home, work, friend, etc.) and setting this up, across the multiple great browsers available for Mac OS X, makes a little picture a big waste of time. There is a deeper problem too: a fake site simply leaves the picture out, and a user who has already seen it missing on a new machine has learned to carry on without it.
Whenever a phishing protection mechanism requires you to set it up multiple times, you are bound to make mistakes. You can't just "Set it and Forget it!" (I love those rotisserie chicken infomercials). Once you start to doubt the system, it cannot be relied on.

Phishing Protection Recommendations

So, at the end of the day, what do I recommend as the best protection? I use a combination of GMail and 1Password to 'phend' off these phishers.
GMail's spam filter kills over half of all the phishing emails I receive. Google likely uses its own database of phishing websites to help filter these threats, so I probably get "blacklist" protection for free. I also appreciate the reduced spam!
As for 1Password, it is the only automatic form filler that always works: it handles all types of web forms and browsers. Becoming accustomed to a password manager that always works takes time, but it is worth it! Let it generate your passwords and you never have to type one. A phishing site cannot trick you into entering a password you never knew in the first place, and the manager won't fill it there because the domain doesn't match.
With GMail you'll have less junk to filter through, and with 1Password you will be able to automatically verify a correct site and automatically enter your information. Take THAT you Phishing Criminals!

Always Remember:
Phishers Win Even If You Make Only One Mistake!