Gone phishing

In October 2009, there was a series of high profile phishing attacks on Hotmail, Gmail and Yahoo! Mail. Thousands of usernames and passwords were stolen, leaving a massive amount of personal data open for scrutiny and manipulation by criminals.

Even if you were one of the lucky ones whose account wasn't compromised, this kind of security breach is becoming commonplace these days, so it could be you next time.

In this article we give you some tips on how to avoid phishing scams.

What is phishing?

Phishing is the criminal process of stealing someone's personal data online. This data can be anything from name and address to bank details to usernames and passwords.

How do people get caught out?

The two ways to get caught by phishing scams are:

It's called phishing because of its direct correlation with fishing: the luring of prey with bait.

Don't take the bait

If you see a link to something tempting, like free software, a funny photograph or a message from someone you may know, be careful: taking this bait means you may be falling for a phishing scam.

Silent scams

The most harmful phishing scams are silent ones which leave no trace, stealthily sneaking in behind your back and taking what they came for. These scams usually come in the form of a script, downloaded and installed on your computer without your knowledge and silently running in the background. An example is a key-logger, where everything you type into your keyboard, like website addresses, bank details, usernames and passwords, is logged and saved to a file, which the data snatchers come back for later.

Scams you can detect

Other scams can be detected if you have your wits about you. An example is DNS pharming, where your browser is hijacked and redirected to a phishing site, usually by tampering with your HOSTS file. For instance, you may have clicked a bookmark or typed in a website address like www.hotmail.com but it redirects to www.hotmai1.com. The difference between the two URLs? Not obvious, is it? Look closely and you'll see that the phishing site uses a number one instead of a letter "L". If you enter your username and password on the fake site, you've fallen for a phishing scam.
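The two tricks above, a lookalike domain and a HOSTS file that quietly repoints a well-known site, can both be checked for in code. The following is an added example, not code from the original article: it folds commonly swapped characters (the digit 1 for the letter l, 0 for o, and so on) back to the letters they imitate and compares the result against a short list of sites you actually use, and it scans a HOSTS file for any line that pins one of those sites to an address other than loopback. The confusable table, the domain list and the sample HOSTS text are all constructed for illustration.

```python
"""Defender-side checks for lookalike domains and HOSTS file tampering.
Added example; the brand list, confusable table and sample HOSTS file are
constructed for illustration and are not from the original article."""
import ipaddress
import re

# Characters that are commonly swapped for lookalikes (assumed mapping).
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t",
               "|": "l", "!": "i", "rn": "m", "vv": "w"}

# Sites the user actually signs in to (constructed list).
KNOWN_DOMAINS = {"hotmail.com", "gmail.com", "mail.yahoo.com"}


def hostname_of(url: str) -> str:
    """Pull the host out of a URL, dropping scheme, userinfo, port, path and a leading www."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def normalise(host: str) -> str:
    """Fold lookalike characters to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def lookalike_of(url: str):
    """Return the known domain this URL imitates, or None if it is genuine or unrelated."""
    host = hostname_of(url)
    if host in KNOWN_DOMAINS:
        return None          # the real thing
    folded = normalise(host)
    for known in KNOWN_DOMAINS:
        if folded == known or folded.endswith("." + known):
            return known     # only matches after folding, so the host is a lookalike
    return None


def suspicious_hosts_entries(hosts_text: str):
    """Flag HOSTS lines that pin a known domain to anything but a loopback address."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not our concern here
        for name in names:
            bare = hostname_of(name)
            is_known = any(bare == k or bare.endswith("." + k) for k in KNOWN_DOMAINS)
            if is_known and not addr.is_loopback:
                findings.append((lineno, name, ip))
    return findings


# Constructed sample HOSTS file (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1   localhost
0.0.0.0     ads.example.net            # blocking entry, harmless
203.0.113.9 www.hotmail.com hotmail.com   # pins the brand to an outside address
"""

if __name__ == "__main__":
    for url in ("http://www.hotmai1.com/login", "https://www.hotmail.com"):
        print(url, "->", lookalike_of(url))
    for lineno, name, ip in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS line {lineno}: {name} is pinned to {ip}")
```

The "last two labels" comparison and the confusable table are deliberately simple; a real mail filter or browser extension would use a public suffix list and the Unicode confusables data, but the shape of the check is the same.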

8 tips on how to avoid phishing scams

  1. Look before you leap. Check every link before you click, especially links in emails. Find out where the link goes by looking at its location in the taskbar (that's the strip along the bottom of your web browser or email client - see image below).

    [Image: a link in the taskbar]

    It's very easy for fraudsters to send you an email that looks like it came from your bank or some other official business. So, before clicking through, make sure you treat all emails with the highest scepticism. Be particularly wary if you are asked to divulge your bank details (no bank will ever ask you to do that) or told to log in to a website.
  2. Keep your email address private. There's less chance of getting caught out in a phishing scam if the data snatchers don't know your email address
  3. Be wary of file-sharing services. If you download files (illegal or otherwise) from peer-to-peer networks, then you run a very high risk of downloading a virus (like a key-logger). Once you give a virus access to your computer it could be like opening Pandora's Box
  4. Keep passwords unique. Don't use the same password for all your accounts. If one account is compromised, then all your accounts could be compromised. If you have trouble remembering all your passwords then use a password manager like KeePass
  5. Check for secure pages. When purchasing goods online, make sure the page is fully encrypted. Look for the padlock and make sure the URL begins with https://
  6. Upgrade your software. Make sure you are using the latest version of your web browser (we recommend Firefox) and have all the latest patches for your operating system (see Windows Update if you use a PC)
  7. Use antivirus software. There's plenty of top quality, free software out there like AVG (incorporating their useful LinkScanner software), Avast, Microsoft Security Essentials and CCleaner. Also, make sure you have a firewall, like ZoneAlarm or Comodo, installed
  8. Alexa Rank. Using the SearchStatus Add-on for Firefox you can check what a website's Alexa Rank is (it appears in the taskbar of your web browser - see image below).

    [Image: Alexa Rank via the SearchStatus Firefox Add-on]

    You can hover your mouse over the blue bar. The bigger the blue bar, the greater the Alexa Rank, and the more likely it is that the site is genuine. For example, Doepud (usually) has an Alexa Rank around the 500,000 mark. Gmail has the greatest rank (number one) and Hotmail is ranked fifth. These numbers reflect how popular a site is, so it's a fairly safe measure to use.

    IMPORTANTLY: a phishing site will probably be unranked or have a very poor rank (in the millions)
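Tip 1 (look before you leap) is the one check that can be automated most directly: compare where a link says it goes with where it really goes. The following is an added example, not code from the original article. It parses the HTML body of a message with Python's standard library, collects every link with its visible text, and flags any link whose text looks like a web address but whose real destination belongs to a different domain, exactly the mismatch you would spot by reading the taskbar. The sample email body is constructed, and the "last two labels" domain comparison is a simplification.

```python
"""Spot links whose visible text claims one site while the href points at another.
Added example, not from the original article; the sample email body is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an <a> ... </a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host: str) -> str:
    """Crude 'last two labels' approximation of the owning domain (no public suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def deceptive_links(html_body: str):
    """Return (visible text, href) for links whose text names a different domain than the href."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if " " in text:
            continue                     # plain words like "help pages" claim no destination
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." not in shown_host:
            continue                     # not something a reader would read as an address
        real_host = urlparse(href).hostname or ""
        if registrable_part(shown_host) != registrable_part(real_host):
            flagged.append((text, href))
    return flagged


# Constructed sample: the first link shows a familiar address but goes to a bare IP
# (203.0.113.0/24 is a documentation range); the other two are honest.
SAMPLE_EMAIL = """<p>Your account needs attention. Sign in at
<a href="http://203.0.113.9/signin">https://www.hotmail.com/</a>
or read our <a href="https://support.example.com/help">help pages</a>.</p>
<a href="https://www.gmail.com/">www.gmail.com</a>"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_EMAIL):
        print(f"link text says {text!r} but really goes to {href!r}")
```

The check is deliberately conservative: a link labelled "click here" tells the reader nothing about its destination, so it is not flagged; only text that itself reads as an address is held to the promise it makes.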

Further reading

Need some more info on phishing? Check these links out:

Originally posted on Saturday 10th October 2009. Last updated on Monday 29th March 2010.

 
