Phishing is a way of persuading Internet users to give up sensitive information such as usernames, passwords and credit card details. The scammers masquerade as a trustworthy entity in an electronic communication. The attacks typically start with spam e-mail that looks like a trustworthy message and lures victims to fraudulent Web pages that mimic legitimate sites.
Any online service that relies on just a username and password can be compromised through a phishing scam. Phishing is an example of a social engineering technique: it deceives users and exploits weaknesses in the security of e-mail and Web sites that make it easy for scammers to pretend to be someone they are not. The first phishing technique was described in detail in 1987 and the first recorded use of the term “phishing” was made in 1996, according to Wikipedia.
Attackers sometimes resell the credentials or use the information to send spam. You may have seen spammy messages that come from your friends’ accounts. It is likely that their accounts were hijacked because they fell for a phishing scam. I have seen examples of this with Yahoo Mail accounts, Earthlink, Twitter and many others. Phishers are now also targeting mobile devices.
Attackers who are not after credentials to resell or accounts to spam from may be more targeted, seeking access to the accounts of specific people. This is often referred to as spear phishing and it appears this was the case in the attack reported by Google on Wednesday.
A large part of the problem here is what we call “layer 8” – the human problem. Unfortunately it is very easy to trick unsuspecting Internet users into clicking on links and entering their credentials, or into opening malicious files that capture their every keystroke. Technology can be part of the solution, but user awareness and education have to be part of it as well.
Google has implemented security measures such as checks that identify which computers a user typically logs in from and where those logins come from, with alerts when a different computer or location is used. Facebook has similar features and so do many online banks, for example.
Google also now offers two-step verification, a feature that uses a phone and a second password to sign in to a Gmail account. These types of authentication features are already being used by banks and other high-security online services. Given the sensitive communications that are often done via email, it makes sense to properly secure email too.
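The login checks described above amount to keeping, per user, the set of devices and locations seen before and raising an alert when a login arrives from a new one. The following is an added illustration of that logic, written for this post; it is not Google's, Facebook's or any bank's code. It assumes a device identifier (for example a persistent browser cookie) and a coarse country derived from the source IP are supplied upstream, and the login stream is constructed sample data.

```python
"""Flag logins from a device or location a user has not used before.

Added illustration of the kind of check described in the post; not the
code of any provider named there. Device ids and countries are assumed
to be attached to each login by the authentication front end.
"""
from dataclasses import dataclass, field


@dataclass
class Login:
    user: str
    device_id: str   # assumed: a persistent cookie or fingerprint for the computer
    country: str     # assumed: coarse location derived from the source IP


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)


def check_login(profiles: dict, login: Login) -> list:
    """Return alert strings for this login, then record the device and
    country so later logins from them count as known.

    The first login ever seen for a user seeds the profile and raises no
    alert; everything after that is compared against what was seen before.
    """
    profile = profiles.setdefault(login.user, UserProfile())
    alerts = []
    first_login = not profile.known_devices and not profile.known_countries
    if not first_login:
        if login.device_id not in profile.known_devices:
            alerts.append(f"new device {login.device_id} for {login.user}")
        if login.country not in profile.known_countries:
            alerts.append(f"new location {login.country} for {login.user}")
    profile.known_devices.add(login.device_id)
    profile.known_countries.add(login.country)
    return alerts


# Constructed sample login stream (not real data)
SAMPLE_LOGINS = [
    Login("alice", "dev-home", "US"),
    Login("alice", "dev-home", "US"),
    Login("alice", "dev-work", "US"),     # new device, same country
    Login("alice", "dev-unknown", "RO"),  # new device and new country
    Login("alice", "dev-unknown", "RO"),  # now known, no alert
]


def run_sample() -> list:
    """Run the constructed stream through check_login and return the
    list of alert lists, one per login."""
    profiles = {}
    return [check_login(profiles, login) for login in SAMPLE_LOGINS]


if __name__ == "__main__":
    for login, alerts in zip(SAMPLE_LOGINS, run_sample()):
        print(login, "->", alerts or "ok")
```

A phisher who has only the stolen password will usually log in from a computer and location the victim never used, so this kind of check fires on exactly the case the post describes; what the service does with the alert (notify the user, ask for a second factor) is a separate decision.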
What can you do to prevent falling victim to a phishing scam?
- Use the security features offered by your online service providers
- It is always important to stay alert and have some level of paranoia when using the Web, especially when you’re about to enter personal information into a Web site
- Don’t click on links in email messages
- Double check to see if a Web site is legitimate before entering personal information. Hints that you’re on a bad site include a different address than normal in the address bar and a slightly off site design
- Remember to keep your security software up to date; products such as McAfee’s security suites protect against phishing Web sites
- Keep your operating system and applications up to date to prevent exploitation of security holes
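The “different address than normal in the address bar” hint above can be turned into a mechanical check: parse the URL, take only the host part, and accept it only if it is the expected domain or a subdomain of it over HTTPS. This added example is not from the post or from McAfee; it assumes the user supplies the domain they expect (for example from a bookmark), and the URLs it is run over are constructed samples using reserved example domains.

```python
"""Check whether a URL really points at the site the user expects.

Added example, not part of the original post. expected_domain is assumed
to come from a trusted source such as a bookmark; the sample URLs below
are constructed and use reserved example domains.
"""
from urllib.parse import urlsplit


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only if the URL uses https and its host is expected_domain
    or a subdomain of it.

    urlsplit().hostname strips any user:pass@ prefix and the port, so a
    URL such as https://www.example.com@other.test/ is judged by the real
    host (other.test), not by the text before the @.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


# Constructed sample URLs (reserved example domains, not real sites)
SAMPLE_URLS = [
    "https://login.example.com/signin",          # genuine subdomain
    "https://login.example.com:443/signin",      # explicit port, still genuine
    "http://login.example.com/signin",           # no TLS
    "https://example.com.example.net/signin",    # expected name as a prefix
    "https://www.example.com@example.net/",      # expected name in userinfo
    "https://examp1e.com/signin",                # lookalike spelling
    "https://192.0.2.1/example.com/signin",      # bare IP with the name in the path
]


def report(expected_domain: str = "example.com") -> dict:
    """Map each sample URL to the verdict of is_expected_site."""
    return {url: is_expected_site(url, expected_domain) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, ok in report().items():
        print("OK  " if ok else "BAD ", url)
```

The check deliberately looks at the parsed host rather than at whether the familiar name appears anywhere in the URL, since the name appearing as a prefix, in the userinfo or in the path is exactly how a fraudulent page tries to look legitimate.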