form of data theft, targeting customers of ISPs, banks, online banking
services, government agencies and the like.
When you submit your email address on the Internet, fill in online forms,
or post to newsgroups or websites, your address can be harvested by
automated web crawlers and then used without your permission to commit
fraud or other crimes.
Phishers build counterfeit web pages that imitate the corporate image of
well-known, trusted service providers. Then, using harvested or randomly
generated email addresses, they "throw the bait".
A message with a credible subject is sent by email or instant messenger,
asking for confidential data, inviting you to visit a website (through a
'Click Here' link, a bare URL, a linked image or other link text), or even
to fill in a form embedded in the email itself. The request looks plausible
and usually comes with a threat of dire consequences (a suspended account,
for example) to provoke an immediate reaction.
Examples of email subject:
"Update Your PayPal Account"
"Your eBay User Account has been suspended!"
The required information is usually:
- Credit card number;
- ATM PIN and TAN;
- Bank account information;
- Social Security Number;
- Passwords;
- Email accounts;
- Other personal information.
Once entered, the information is no longer confidential and is used
immediately by the fraudsters for their own benefit. Getting the money
back is usually very difficult, as phishing sites are typically online for
only a few days or even just hours.
The main method is a trustworthy-looking email that tries to lead you to a
fake web page. Some phishing emails contain an application or order form
directly in the message body. Keep in mind that a legitimate company will
never send you an email containing a form or asking for personal
information.
On the fake website you might notice that the URL is not the correct one. Still, there are ways to disguise the URL:
- Social engineering:
The URL is very similar to the real one and you might not notice the difference at first glance. For example, the real URL http://www.volksbank.com can be imitated with http://www.voIksbank.com . If you think they are the same, look again: the lower case 'l' has been replaced with an upper case 'I'. Because domain names are case-insensitive, the second address actually leads to a completely different domain, voiksbank.com.
- Browser vulnerabilities:
The fake website may contain a script that exploits your browser. In this
case the real URL is displayed, but the content of the page comes from the
fake server. One example is to display a fake image on top of the browser's
real address bar; you then cannot click into the bar's input field to
select the URL. Other exploits place a fake input field on top, so it is
even possible to click into the field and select the (fake) URL.
- Pop-ups:
The link in the email points to the real website, but another browser
window is displayed in front of it. You can browse the real website in the
background without risk, but don't be tricked by the second window. Such
pop-ups usually have no address bar that would help you identify a fake
website.
- No address bar:
Some fake sites do not display the address bar at all and unless you specifically look for it, you might not notice this.
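The lookalike-URL trick above (voIksbank for volksbank) generalizes to any confusable character, to typo-squats one letter away, to internationalized domain names that use Cyrillic letters shaped like Latin ones, and to a trusted brand used as a subdomain of some other site. The following checker is an added example written for this page, not code from the original post or from Avira; the allow-list TRUSTED, the confusable table, the two-label approximation of a registrable domain and the sample URLs are all assumptions made for the example.

```python
"""Lookalike-URL check: an added example, not code from the original post.

classify() rates a URL against a constructed allow-list of trusted domains as
'trusted', 'lookalike' (confusable characters, IDN homographs or a single
typo), 'brand-in-subdomain' (a trusted name used as a label of some other
domain) or 'unknown'. TRUSTED, CONFUSABLE_PAIRS, CYRILLIC_TO_LATIN and the
sample inputs are assumptions made for this example.
"""
from urllib.parse import urlparse

TRUSTED = ["volksbank.com", "paypal.com", "ebay.com"]  # assumed allow-list

# Look-alike substitutions, applied after lower-casing, so the upper-case I for
# lower-case l swap from the text shows up here as "i" -> "l". Both the trusted
# name and the candidate are reduced the same way, so only a *difference* counts.
CONFUSABLE_PAIRS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("|", "l"), ("i", "l"), ("5", "s"), ("3", "e"),
]
# Cyrillic letters that render identically to Latin ones (IDN homographs).
CYRILLIC_TO_LATIN = str.maketrans("\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy")


def hostname(url):
    """Host part of a URL, lower-cased, with punycode (xn--) labels decoded."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already non-ASCII, or not valid punycode: keep as given
    return host.lower()


def skeleton(host):
    """Collapse look-alike characters so visually identical names compare equal."""
    s = host.translate(CYRILLIC_TO_LATIN)
    for lookalike, real in CONFUSABLE_PAIRS:
        s = s.replace(lookalike, real)
    return s


def edit_distance(a, b):
    """Levenshtein distance; distance 1 catches typo-squats such as paypall.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. Approximation: a real tool uses the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    host = hostname(url)
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        if skeleton(reg) == skeleton(trusted) or edit_distance(reg, trusted) == 1:
            return "lookalike"
        # e.g. paypal.com.secure-login.example: brand name in a subdomain label
        if trusted.split(".")[0] in host.split(".")[:-2]:
            return "brand-in-subdomain"
    return "unknown"


def link_text_mismatch(visible_text, href):
    """True when the link text shows an address whose site differs from the real target."""
    if "." not in visible_text or " " in visible_text.strip():
        return False  # plain words like 'Click Here' carry no address to compare
    return registrable(hostname(visible_text)) != registrable(hostname(href))


if __name__ == "__main__":
    for sample in ("http://www.volksbank.com/", "http://www.voIksbank.com/",
                   "http://p\u0430ypal.com/", "http://paypall.com/",
                   "http://paypal.com.secure-login.example/", "http://example.org/"):
        print(f"{sample:45} {classify(sample)}")
```

The skeleton comparison is the same idea as the Unicode confusables "skeleton" used by IDN-aware browsers, reduced to a handful of substitutions; the Public Suffix List caveat matters in practice, because for a host like `volksbank.co.uk` the last two labels are not the registrable domain.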
There are other techniques, apart from playing with the address
bar, which can be used in addition or stand-alone, to get access to
confidential information.
- Other browser vulnerabilities:
Other vulnerabilities in your browser can be used to download and execute
arbitrary malicious software. Such malware may be a Trojan that records
all keystrokes and monitors all Internet traffic, especially when you are
about to enter and submit data in an online form.
- Pharming:
Also known as "domain spoofing", pharming redirects users to a fake
website. Although you type the correct URL in your browser, you land on a
fake site, and the correct URL remains in the address bar unchanged. To
accomplish the redirection, name resolution has to be tampered with, either
by changing the DNS server in the TCP/IP settings or by adding an entry to
the hosts file.
- Man in the middle:
Probably the most sophisticated method, as nothing has to be changed on
the local computer. The phisher sits between you and the real site and
relays your connection through a server under his control.
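The hosts-file variant of pharming described above is the one a user can actually check for, since the tampered entry sits in a plain text file on the local machine. The audit below is an added example written for this page, not code from the original post or from Avira: it parses hosts-file text and reports every entry that overrides a watched domain, plus any other custom name that is not a plain loopback alias. The WATCHED list, the loopback alias names and the sample file content are constructed for the example; on real systems the file is /etc/hosts or C:\Windows\System32\drivers\etc\hosts.

```python
"""Hosts-file audit for pharming entries: an added example, not code from the
original post. A pharming attack that edits the hosts file maps a bank's real
name to the phisher's address, so the browser shows the correct URL while
talking to the wrong server. WATCHED, LOOPBACK_NAMES and SAMPLE_HOSTS are
constructed for the example; real files live at /etc/hosts and
C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress

WATCHED = ["volksbank.com", "paypal.com", "ebay.com"]  # assumed: sites worth protecting
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: the last two lines are what a pharming Trojan would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
10.0.0.5        intranet.corp          # legitimate internal alias
203.0.113.9     www.volksbank.com volksbank.com
203.0.113.9     www.paypal.com
"""


def is_watched(name):
    """True for a watched domain or any name beneath it (www.volksbank.com)."""
    name = name.lower().rstrip(".")
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def parse_hosts(text):
    """Yield (line_no, ip, [names]); comments and malformed lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so no resolver will honour it
        yield line_no, ip, fields[1:]


def audit_hosts(text):
    """Return (line_no, name, ip, reason) tuples for entries that deserve a look."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if is_watched(name):
                findings.append((line_no, name, str(ip), "watched domain overridden"))
            elif not (ip.is_loopback and name.lower() in LOOPBACK_NAMES):
                findings.append((line_no, name, str(ip), "custom entry, review"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for line_no, name, ip, reason in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

Run it with the path of the real hosts file as the only argument to audit your own machine. A watched domain pointing anywhere, even at 127.0.0.1, is reported, because a bank's name has no business in a hosts file at all; other custom entries are listed for review rather than condemned, since intranet aliases are a normal use of the file.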
The phishing website might use other tricks such as:
- A forged tooltip, so the address shown when you hover over a link differs from the real target;
- Right-click disabled, so you cannot inspect the page or the link.
Phishers avoid detection by anti-spam/anti-phishing programs using:
- Random letters or famous quotes in the subject or body of the email;
- Invisible text in HTML emails;
- HTML or JavaScript content instead of plain text;
- Images only (no other text in the email body).
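Three of the four evasions in the list above (invisible text, script instead of plain text, image-only bodies) leave traces in the HTML that a small scanner can pick up. The scanner below is an added example written for this page, not code from the original post or from Avira: it parses an HTML email body, tracks which elements are hidden by CSS or by white-on-white colouring, counts images and scripts, and lists every link with its visible text so that a 'Click Here' link can be compared with its real target. The hidden-style patterns, the white-background assumption, the 20-character threshold and both sample messages are constructed for the example.

```python
"""HTML-email evasion scanner: an added example, not code from the original
post. scan_email_html() reports invisible text (display:none,
visibility:hidden, font-size:0, the hidden attribute, or white text, which
assumes the usual white page background), image-only bodies with little
visible text, and embedded script, and lists links with their visible text.
The patterns, the threshold and the sample messages are assumptions made for
this example.
"""
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.?\d)", re.I)
WHITE_TEXT = re.compile(r"(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white)\b", re.I)
VOID = {"img", "br", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}


class BodyScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.links = [], [], []
        self.images = self.scripts = 0
        self._stack = []          # one bool per open element: hidden or not
        self._hidden_depth = 0    # > 0 while inside any hidden element
        self._in_script = False
        self._anchor = None       # (href, [text parts]) while inside <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # boolean attrs arrive as value None
        style = a.get("style", "")
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(style)) or bool(WHITE_TEXT.search(style))
        if tag == "font" and a.get("color", "").lower() in ("#ffffff", "#fff", "white"):
            hidden = True   # white font on the assumed white background
        if tag == "img":
            self.images += 1
        elif tag == "script":
            self.scripts += 1
            self._in_script = True
        elif tag == "a":
            self._anchor = (a.get("href", ""), [])
        if tag not in VOID:       # void elements never get an end tag
            self._stack.append(hidden)
            self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag in VOID or not self._stack:   # stray end tags are ignored
            return
        self._hidden_depth -= self._stack.pop()
        if tag == "script":
            self._in_script = False
        elif tag == "a" and self._anchor:
            href, parts = self._anchor
            self.links.append((href, " ".join(parts)))
            self._anchor = None

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or self._in_script:
            return
        if self._anchor:
            self._anchor[1].append(text)
        (self.hidden if self._hidden_depth else self.visible).append(text)


def scan_email_html(html, min_visible_chars=20):
    """Return flags plus the hidden text, visible text and (href, text) links found."""
    s = BodyScanner()
    s.feed(html)
    s.close()
    visible = " ".join(s.visible)
    flags = []
    if s.hidden:
        flags.append("invisible text")
    if s.images and len(visible) < min_visible_chars:   # threshold is an assumption
        flags.append("image-only body")
    if s.scripts:
        flags.append("script content")
    return {"flags": flags, "hidden_text": s.hidden, "visible_text": visible, "links": s.links}


# Constructed samples: a message using the tricks from the list, and a plain one.
SAMPLE_PHISH = """<html><body bgcolor="#ffffff">
<font color="#ffffff">the quick brown fox jumps over the lazy dog</font>
<div style="display:none">to be or not to be that is the question</div>
<p><img src="http://203.0.113.7/account-notice.gif" alt=""></p>
<p><a href="http://www.voiksbank.com/login">Click Here</a></p>
<script>document.title = "Your bank";</script>
</body></html>"""
SAMPLE_CLEAN = "<html><body><p>Hello Anna, your March statement is ready in online banking.</p></body></html>"
```

The "random letters or famous quotes" trick is the one this scanner does not catch on its own: the hidden `<font>` and `<div>` contents in the sample are exactly such filler, and they are flagged only because they are invisible, not because of what they say.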
As phishers can use so many techniques, and can even combine them, it is
rather difficult to tell whether an email request really comes from the
company it claims to.
What are the consequences of disclosing confidential information?
- The phishers can run up charges on your account.
- They can open new accounts and sign utility or loan contracts in your name.
- They can use a false ID and commit crimes using your personal information.
Do not bite the bait!
- Do not fill in email forms asking for confidential information. Any trustworthy service provider uses secure websites and digital certificates for this.
- Do not click on links provided by email, especially if you were not expecting the email. Contact the sender to verify that they intended to send it (use the contact number the company gave you, not the one in the email).
- Do not reply. Delete the message and check with the real company (again, use the contact number the company gave you, not the one in the email).
- Do not follow the link provided in such a message. Type the address in the browser yourself.
Repairing the damage caused by phishing can be frustrating and
time-consuming. Apart from the loss of productivity and network resources,
data theft requires considerable effort on your part: you will have to
recover your identity, property and rights and clear your name.
It is much easier to follow some basic safety rules:
- Update your operating system with the latest patches as soon as they appear.
- Do not rely solely on Internet Explorer; alternate it with other browsers.
- Use antivirus and firewall solutions and keep them permanently up to date.
- Always type the URL yourself instead of following a link.
- Make sure you are using a secure website (HTTPS) and check the site's digital certificate.
- Regularly check your accounts and statements and immediately report any abuse.
- Report suspicious emails to security companies and the authorities in your area.
You can send suspicious messages to Avira’s report addresses:
virua@avira.com