Avoiding Phishing Scams
Webopedia describes Phishing as ‘The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft’. In short, it is a method used to trick you into giving information which can be used for identity theft purposes. Almost everyone with an email address has probably seen these crafted emails posing as requests from eBay, PayPal, CitiBank, Credit Unions and others. The actual identity theft process is not limited to tricking a user into clicking on a link in an email and entering information; it extends to other avenues such as crimeware (malicious programs installed by visiting malicious or compromised websites) and other silently installed dangers on your computer which capture personal information right from your keyboard and relay it to the scammer.

A typical Phishing email works like this. You receive an email purporting to be from a business you may have a relationship with (such as a credit card agent). The email states that your account may be at risk of suspension, or has been locked because of unauthorized activity, and that you must click on the link below to remediate the problem. The link presented looks like a legitimate URL for your credit card agent, but in reality it points to a malicious site, commonly hosted on other compromised machines. The web site presents a page which looks exactly like your credit card agent’s web site, and may even pull live content from the real web site, but after you enter your name, address and credit card information, that information is transferred directly to the scammer. The scammer may even return an error to you about invalid information, then redirect you to the real credit card agent’s web site with you none the wiser. There are many tricks used to prevent you from detecting the false web site, ranging from embedding images in the email to using encoding tricks in the web link.
In all cases, the intent is to steal information from you that can be re-sold in the underground and abused to make fraudulent purchases, steal money from bank accounts and even create false identity documents.

What you can do:

- Don’t click on links in unsolicited emails. If uncertain, check with the sender to see if they really sent the email to you.
- Banks and other merchants almost never send out emails asking you to verify your account information. Check with your merchant or agent on their policies. In all cases, it is best to visit the merchant’s main web page and navigate to the verification area yourself instead of clicking on the link in the email.
- Use signed email for communications. You can use a DOEGrids personal certificate to sign your own email, and there are many free certificate services on the Internet to sign your personal email. Encourage those you communicate with frequently to do the same.
- Verify the authenticity of the message with the merchant. Give them a call on the phone or send the message to one of their listed support contacts.
- Check the received message against other Phishing reports at web sites such as www.antiphishing.org.
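The page notes that a phishing link can look like a legitimate URL while pointing elsewhere, sometimes with encoding tricks in the link itself. The following is an added example (not code from this page or from Fermilab) showing how a mail filter or a curious user can check where a link in an HTML message really leads: it compares the host shown in the link text against the host the browser would actually contact, and flags the common disguises (a `user@` prefix hiding the real host, percent-encoding, a raw IP address, a punycode host). The sample message, the domain www.bank.example and the address 198.51.100.7 are constructed for illustration.

```python
"""Flag deceptive links in an HTML email: link text that names one host while
the href leads to another, or an href that hides its real host with encoding
tricks. Example code for illustration; hosts and message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


def real_host(url: str) -> str:
    """Host a browser would actually connect to, after undoing percent-encoding
    and dropping any 'user@' prefix placed in front of the real host."""
    return (urlsplit(unquote(url.strip())).hostname or "").lower()


def link_warnings(href: str, text: str) -> list:
    """Return the reasons this link looks like a phishing lure (empty = ordinary)."""
    host = real_host(href)
    warnings = []
    if "@" in urlsplit(unquote(href)).netloc:
        warnings.append("userinfo before @ hides the real host")
    if "%" in href:
        warnings.append("percent-encoding in link")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("raw IP address instead of a domain")
    if "xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("internationalised/punycode host")
    shown = text.strip()
    if re.match(r"(https?://|www\.)", shown, re.I):  # link text that looks like a URL
        shown_host = real_host(shown if "://" in shown else "http://" + shown)
        if shown_host and shown_host != host:
            warnings.append(f"text shows {shown_host} but link goes to {host}")
    return warnings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__(); self.links = []; self._href = None; self._text = ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", ""); self._text = ""
    def handle_data(self, data):
        if self._href is not None: self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text)); self._href = None


def scan_email_html(html: str) -> dict:
    """Map each href in the message body to its list of warnings."""
    p = _AnchorCollector(); p.feed(html)
    return {href: link_warnings(href, text) for href, text in p.links}


# Constructed sample: the lure shows the bank's URL but leads to a raw IP address.
SAMPLE_EMAIL = """<p>Your account is locked. Visit
<a href="http://www.bank.example@198.51.100.7/verify">http://www.bank.example/verify</a>
to restore access.</p><p><a href="https://www.bank.example/contact">Contact us</a></p>"""
```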
For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006. (Address comments about page to the Computer Security Team.)