In October 2009, there was a series of high profile phishing attacks on Hotmail, Gmail and Yahoo! Mail. Thousands of usernames and passwords were stolen, leaving a massive amount of personal data open for scrutiny and manipulation by criminals.
Even if you were one of the lucky ones whose account wasn't compromised, this kind of security breach is commonplace these days, so it could be you next time.
In this article we give you some tips on how to avoid phishing scams.
What is phishing?
Phishing is the criminal process of stealing someone's personal data online. This data can be anything from name and address to bank details to usernames and passwords.
It's called phishing because of its direct parallel with fishing: luring prey with bait.
How can you get caught out?
The three potential ways to get caught by phishing scams are:
- Clicking a dodgy link - either in a spam email or on a disreputable site. Either way, you could be downloading malicious software
- Answering a telephone call - scammers call you directly and ask for your personal details
- Responding to text messages - usually from an unknown sender
Just don't take the bait
If you see a link to something tempting, like free software, a funny photograph or a message from someone you may know, be careful: taking this bait means you may be falling for a phishing scam.
If someone telephones you unexpectedly, never tell them your bank details, passwords or anything remotely personal. Don't confirm or deny any questions they ask, even if you think it's completely harmless; it could be a phishing scam. Politely ask them where they got your telephone number and they usually hang up.
Responding to a text message, especially by clicking a link, essentially confirms your details to the scammers; don't take the bait.
Silent scams
The most harmful phishing scams are silent ones which leave no trace, stealthily sneaking in behind your back and taking what they came for. These scams usually come in the form of a script, downloaded and installed on your computer without your knowledge and silently running in the background. An example is a key-logger, where everything you type into your keyboard, like website addresses, bank details, usernames and passwords, is logged and saved to a file, and sent to a remote server.
Scams you can detect
Other scams can be detected if you have your wits about you. An example is DNS pharming, where your browser is hijacked and redirected to a phishing site, usually by tampering with your HOSTS file. For instance, you may have clicked or typed a link like www.hotmail.com but it redirects to www.hotmai1.com. Did you notice the difference between the two URLs? Not obvious, is it? Look closely and you'll see that the phishing site uses the number one instead of the letter "l" (this is called a homograph phishing attack: characters in a URL are replaced with similar-looking ones). If you went on to enter your username and password on the fake site, you've fallen for a phishing scam.
Top tips on how to avoid phishing scams
- Keep your email address private. There's less chance of getting caught out in a phishing scam if the data snatchers don't know your email address.
- Keep all your passwords unique. Don't use the same password twice: if one account is compromised, then all accounts that use that password could be compromised. If you have trouble remembering all your passwords, use a password manager like KeePass.
- Use multi-factor authentication if possible. This means proving your identity beyond a simple email address and password combination. Other methods include a text message verification code, an authenticator app or a fingerprint.
- Look before you leap. Check every link before you click, especially links in emails. Find out where the link goes by hovering over it and looking at its location in the taskbar (that's the strip along the bottom of your web browser or email client; see image below). It's very easy for fraudsters to send you an email that looks like it came from your friend, bank or some other official business, so before clicking through, treat all emails with the highest scepticism. Be particularly wary if you are asked to divulge your bank details (no bank will ever ask you to do that) or asked to log in to a website.
- Be wary of file-sharing services. If you download files (illegal or otherwise) from peer-to-peer networks, you run a very high risk of downloading a virus (like a key-logger). Once you give a virus access to your computer, it could be like opening Pandora's box.
- Check for secure pages. When purchasing goods online or logging into a website, make sure the page is fully encrypted: look for the padlock and make sure the URL begins with https://.
- Upgrade your software. Make sure you are using the latest version of your web browser (we recommend Firefox) and have all the latest patches for your operating system (see Windows Update if you use a PC, and How to update the software on your Mac), including the OS on your mobile telephone.
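The two checks described above, the homograph comparison from "Scams you can detect" and the look-before-you-leap link check, as an added example that is not part of the original article: a small Python helper that folds look-alike characters back to the letters they imitate, compares a link's visible text with where it really goes, and checks for https. The confusables table and the trusted-domain set are constructed for illustration and are not complete.

```python
import re
from urllib.parse import urlparse

# Look-alike substitutions seen in homograph hostnames. This table is a small,
# constructed subset for illustration, not a complete confusables list.
CONFUSABLES = {
    "rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}

def skeleton(host):
    """Fold a hostname to the plain-ASCII form it is trying to resemble."""
    host = host.lower()
    for lookalike, real in CONFUSABLES.items():
        host = host.replace(lookalike, real)
    return host

def registrable(url_or_host):
    """Crudely keep the last two labels of the hostname (no public-suffix list here)."""
    text = url_or_host.strip()
    parsed = urlparse(text if "://" in text else "http://" + text)
    labels = (parsed.hostname or "").strip(".").split(".")
    return ".".join(labels[-2:])

# Does the visible link text itself look like a web address?
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

def check_link(display_text, href, trusted):
    """Return reasons a link is suspicious; an empty list means it looks consistent."""
    findings = []
    target = registrable(href)
    # 1. Link text that shows an address must point where it says it does.
    if LOOKS_LIKE_URL.match(display_text.strip()):
        shown = registrable(display_text)
        if shown != target:
            findings.append(f"text shows {shown} but link goes to {target}")
    # 2. A domain that is not trusted but folds to a trusted one is a homograph.
    if target not in trusted and skeleton(target) in {skeleton(t) for t in trusted}:
        findings.append(f"{target} is a look-alike of a trusted domain")
    # 3. Login and payment pages should be served over https.
    if urlparse(href.strip()).scheme.lower() != "https":
        findings.append("link is not https")
    return findings
```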
Further reading
- Learn how to read a URL: Anatomy of a URL
- Anti-Phishing Working Group offers consumer advice on phishing
- Advice from Twitter about a phishing scam they discovered
- Have I Been Pwned - check if any of your email addresses have been exposed in a data breach. If they have, you are open for phishing attacks. Change the password for those compromised accounts immediately
- Google Safe Browsing: frequently asked questions about phishing
- Report suspected phishing attacks - UK only