The University of Texas at Austin

Security Awareness

ARCHIVED ARTICLE

This article has been retired from circulation and is no longer being updated or maintained. The information contained in this article may be inaccurate and outdated. Please refer to our articles page for a list of current topics.

Phishing: Cute Name, Ugly Consequences

Protect yourself and your accounts with tips to avoid an e-mail “hook.”

The latest, most dangerous, and, well, slippery threat encountered online these days is a new form of spam called “phishing.” Designed to steal credit card numbers, passwords, and account information, phishing scams are out to trick unsuspecting victims into disclosing valuable personal data through phony e-mail messages. Will you know what to do when a shiny hook shows up in your in-box?

What’s phishing?

It’s very similar to the sport it’s named after. Basically, the idea behind phishing (pronounced “fishing”) is that bait is thrown out in the hope that, while most will ignore it, some will be tempted to bite. When a user does take the bait, the consequences are often dire. In Internet terms, the bait is an e-mail message sent to users under the guise of a trustworthy, legitimate sender. Often these messages appear to be from a friend, a bank, or some other valid sender. The message contains instructions asking the user to provide personal information such as user names, passwords, Social Security numbers, bank account numbers, or credit card information. It may also direct users to a phony Web site designed to trick them into providing their personal banking information or even the information needed to steal their identity. These messages usually ask users to “update” or “confirm” their information, and they are often designed to alarm or scare users into responding quickly by making upsetting – and false – statements.

Phishing is a prime example of “social engineering.” Social engineering refers to a human interaction, a malicious computer program, or any other direct communication such as a meeting, a phone call, or a fax, that is designed to obtain otherwise secure data by tricking users into revealing their confidential information. For example, someone reading their e-mail may be tricked into revealing a password or bank account number to an e-mail sender posing as a reliable service or friend. The social engineer can then use that bit of information in conjunction with other data that has been gathered to find a way into that person’s computer, network, or bank account. There are many awareness campaigns warning people of the dangers of sharing confidential information online, but phishing scams continue to increase dramatically in number, sophistication, and victims.

How can I protect myself against Phishing?

The following tips may help you to avoid a phishing scam:

  • Be suspicious of any e-mail message containing urgent requests for personal financial information. If you are unsure about a message’s authenticity, never click a link within that e-mail message taking you to any Web page. “Phishers” can make a link look like it will take you to a legitimate Web site, when it really sends you to a different, unauthorized site.
  • Keep in mind that lawful companies, especially banks, will never contact you to request this information through an e-mail message or on the Internet. When you choose to do business with a company, make sure you find out up front how they will communicate with you, and check their Web sites regularly. They list the latest scams that target their customers and provide helpful information on avoiding phishing scams. They may also have ways for you to report suspicious e-mail.
  • If you are unsure about a message’s content or if you’re concerned about any of your accounts, phone the referenced organization or company instead of responding over the Internet.
  • If you must submit credit card or other private information over the Internet (and you should try not to), make sure that you’re using a secure Web site. To make sure you’re on a secure site, check the beginning of the Web address: it should read “https://” rather than just “http://”. However, no indicator is foolproof. Some new phishing scams have found ways to forge security icons.
  • One security icon is the “closed lock” icon found in the lower right-hand status bar of a secured browser window. The closed lock icon signifies that you are on a Web page that is encrypted to protect any sensitive, personal information you may enter. This symbol doesn’t always appear on every page of a site, only on those pages that request personal information. Be aware that the lock symbol is often faked by phishing con artists. To confirm the icon’s authenticity and ensure your safety, double-click on the lock icon to display the security certificate for the site. The name following “Issued to” should match the name of the site. If the name differs, you may be on a fake site.
  • Regularly check your bank, credit and debit card statements to make sure that all of your transactions are accounted for and genuine. If anything is suspicious, contact your bank and all of your credit card companies immediately.
  • Use anti-virus software and a firewall, and keep them updated. These tools scan and, if necessary, block incoming communications from unauthorized or suspicious sources.

What if I suspect I’ve fallen for a phishing scam?

If you believe you’ve already been hooked by a phishing scam, take the following steps to minimize any potential damage:

  • Report the incident to your credit card company, if you have given out your credit card information. They will be able to track any unauthorized activity on your account based on the information you give them.
  • Report the incident to the organization or company that was forged by the phishing scam. Contact them directly, not through a response e-mail. You may choose to call them instead of contacting them online.
  • Change your passwords. If you’ve provided passwords to, or entered them on, a site you suspect may be fake, change them. Make them as strong as possible. Make them seven to eight characters long; use upper and lower case letters. If possible, incorporate numbers and symbols.
  • Notify the authorities. The Internet Fraud Complaint Center (IFCC) and the Federal Trade Commission are two organizations that work to stop phishing, spam and other online abuses. Links for these organizations may be found at the bottom of this article.

Learn more

The following external sites provide further tips and information on phishing:


Sources: Anti-Phishing Working Group, Federal Trade Commission, Microsoft.com.