Writer: Dr. Mariah Smith Morgan, MSU Extension Service
With spring just around the corner, many of us are contemplating when it will be warm enough to go fishing. But be aware that a dangerous form of bait lurks on the Internet waiting to hook you. This type of fishing is known as phishing, and the Internal Revenue Service reports that fraudulent phishing attacks are at an all-time high this year.
The term phishing is a combination of the words “fishing” and “phreaks.” Phreaks were early computer users who also dabbled in hacking. Later, malicious computer hackers began using their skills to hook unsuspecting Internet users with deceptive emails.
Phishers create emails that mimic those from well-known companies. More than half of all phishing emails impersonate a financial institution, such as a bank or credit card company.
A phishing email has many defining characteristics. First, the email looks like it is legitimate; it often includes official logos and links to what appear to be legitimate websites.
Second, the email presents upsetting, but false, information. For example, it may indicate your bank account is overdrawn or is about to be closed, your email account has exceeded its quota or your credit card has been compromised.
Third, the email will encourage you to act on the information immediately. The suggested action is usually to click on a link to a website that asks you to enter personal information, such as your username, password, social security number, passport number or mother’s maiden name. The website is a bogus website created by the phisher to mimic the legitimate website. Often, only a single letter or the domain ending (.com, .net or .org) differs from the legitimate address.
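The one-letter and domain-ending differences described above can be checked mechanically. The following Python sketch is an added example, not part of the original article; the trusted list, the function names and the sample links are constructed for illustration, and it assumes simple two-part domains such as ebay.com.

```python
from urllib.parse import urlsplit

# Constructed allow-list; replace with the sites you actually use.
TRUSTED = {"ebay.com", "paypal.com"}

def registrable(host):
    """Naive last-two-labels split (assumption: no suffixes like .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def within_one_edit(a, b):
    """True if a and b differ by one changed, added or dropped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one character substituted
    return a[i:] == b[i + 1:]           # one character added or dropped

def classify_link(url, trusted=TRUSTED):
    """Label a link as trusted, a lookalike of a trusted site, or unknown."""
    host = urlsplit(url).hostname or ""
    domain = registrable(host)
    if domain in trusted:
        return "trusted"
    name, _, ending = domain.rpartition(".")
    for good in sorted(trusted):
        good_name, _, good_ending = good.rpartition(".")
        if name == good_name and ending != good_ending:
            return f"lookalike of {good}: different ending"
        if ending == good_ending and within_one_edit(name, good_name):
            return f"lookalike of {good}: one letter differs"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ("https://signin.ebay.com/", "http://signin.ebey.com/login",
                 "http://www.ebay.net/", "http://www.paypa1.com/reset"):
        print(link, "->", classify_link(link))
```

A result of "unknown" only means the address does not resemble an entry on the list; it says nothing about whether that site is legitimate.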
Often, on social media sites, such as Facebook, the phisher will use a video link or pictures to lure the unsuspecting target. The phishing lure looks like a message from someone you already know and says something like, “Did you see yourself in these pics?” or, “Look at this video of you at the beach!”
Phishers have discovered that savvy users are much more likely to click on a picture or video in Facebook than to reply to an email.
Phishing attempts are most successful when they are able to spoof an email account. A spoofed email is made possible when a virus or Trojan horse steals information from a user’s address book. It then takes the names from the address book and sends emails out to everyone else using the user’s name or the names in the address book.
Safeguarding yourself from phishing attacks is possible, but it does require diligence. Always keep your computer up to date with Windows Updates (Internet Explorer/Tools/Windows Update/Express Updates only – do not do Custom updates) and anti-virus updates. Never click on a link posted within an email. For example, if you receive an email from the president of your bank with a link to reset your password, do not click on it and do not copy and paste the link from the email to the address bar in your Internet browser.
Do not allow yourself to be rushed into acting hastily because an email threatens dire consequences if you do not respond immediately. Remember, legitimate companies never solicit personal information via email. When you are on a legitimate website (such as eBay or PayPal), make sure that when you sign in or pay for an item, you are switched to a secure website. For example, you should be routed from http://www.ebay.com/ to https://signin.ebay.com/ when you sign in to eBay. The “s” in https:// stands for security, which means the website is safe.
Also, you can check to see if a website has been reported as a phishing website. If the website looks suspicious, left-click on Tools from the menu bar and left-click Phishing Filter/Check this Website. Microsoft will compare the website to a list of known phishing websites. If you believe the website is a phishing website, left-click Tools/Phishing Filter/Report this Website. Follow the on-screen prompts and left-click Submit.
If you believe that your account has been compromised due to a phishing attempt, contact the financial institution or company that holds that account and have your password reset immediately.