What is Phishing and Pharming?

Phishing is a popular and growing method of identity theft, typically performed either through email or through the creation of a Web site that appears to represent a legitimate company. Victims are asked to provide personal information such as passwords and credit card numbers in a reply email or at the bogus Web site.

While phishers previously targeted mainly the larger financial institutions, they are now moving into new areas all the time, including credit unions, hotels, and insurance companies.

“Spear phishing,” the practice of tailoring an attack to a specific group of people, is gaining in frequency.

Pharming is a scamming practice in which malicious code is installed on a personal computer or server (for example, by altering the computer’s hosts file or the answers a DNS server gives out), misdirecting users to fraudulent Web sites without their knowledge or consent even when they type the correct address. Pharming has been called “phishing without a lure.”

The Federal Trade Commission reports that identity theft now affects more than 10 million people every year, representing an annual cost to the economy of $50 billion. The Anti-Phishing Working Group reports that the number of phishing attacks it sees increases by 24% every month.

Phishing schemes that are not identified and shut down can bring on devastating financial losses and significantly harm consumer trust.

 

The Phishing Lure

Here’s an example of how phishing works. On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay’s home page and incorporated all of eBay’s internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother’s maiden name.

The problem was, eBay hadn’t sent the original e-mail, and the Web page didn’t belong to eBay — it was a prime example of phishing.

In September 2003, the Federal Trade Commission reported that 9.9 million U.S. residents had been victims of identity theft during the previous year, costing businesses and financial institutions $48 billion and consumers $5 billion in out-of-pocket expenses.

In an online interview in July with The Washington Post, J. Howard Beales, director of the FTC’s Bureau of Consumer Protection, said ID theft is the No. 1 complaint his organization receives, accounting for 43% of calls.

According to the Anti-Phishing Working Group, an industry organization started by Redwood City, Calif.-based Tumbleweed Communications Corp., most major banks in the U.S., the U.K. and Australia have been misrepresented to customers during phishing attacks.

Cutting the Line

Even before phishing became so prevalent, legitimate businesses and financial institutions would hardly ever ask for personal information via e-mail. If you receive such a request, call the organization and ask if it’s legitimate, or check its real Web site; use a phone number or address you already have (from a statement or the back of your card), not one supplied in the message.

Look for misspellings and bad grammar. While an occasional typo can slip by any organization, more than one is a tip-off to beware.

If the e-mail refers you to a Web site, look carefully at the URL. It’s easy to disguise a link. Beware of the @ symbol in a URL: a browser treats everything between the scheme and the @ as a user name (and optional password) and connects to whatever host follows the @, so this address

http://www.respectedcompany.com@thisisascam.com

may look to the unsuspecting user like a page on Respected Company’s site, but it actually takes visitors to thisisascam.com. (Current browsers warn about, or strip, a user name in a URL precisely because of this abuse.) The longer the URL, the easier it is to conceal the true destination. Other ways to disguise URLs include substituting similar-looking characters, so that paypal.com could be (and has been) spoofed as paypaI.com (a capital I in place of the lower-case l) or paypa1.com (the digit 1). Similarly, a zero can be substituted for the letter O within a URL. The only part that matters is the host name the browser will actually resolve: the text after the scheme (and after any @) up to the next slash.
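The following is an added example (not code from the original post) that shows how to recover the host a browser will really contact and to catch the look-alike substitutions described above. It uses Python’s standard `urllib.parse`, which splits off user info before an `@` exactly as a browser does. The `CONFUSABLES` table and the trusted-domain list are constructed for this demonstration and are deliberately small; a real deployment would use the full Unicode confusables data.

```python
"""Added example: reveal where a disguised phishing URL really goes.

Demonstrates the two tricks discussed above: decoy credentials before an
'@' (the browser connects to the host AFTER the '@') and look-alike
characters in the host name.  CONFUSABLES and the trusted list used in
__main__ are constructed for this example and are not complete.
"""
from urllib.parse import urlsplit
import unicodedata

# Constructed look-alike table: substituted glyph -> glyph it imitates.
# Covers the I/1/0 substitutions described on the page plus a few Latin and
# Cyrillic pairs (assumption: enough for a demo, not a complete list).
CONFUSABLES = {
    "rn": "m", "vv": "w",          # two-letter pairs, applied first
    "1": "l", "i": "l", "|": "l",  # paypa1.com, paypaI.com (lower-cased to 'i')
    "0": "o",                      # g00gle.com
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic р с у
    "\u0445": "x",                                # Cyrillic х
}


def skeleton(host: str) -> str:
    """Collapse look-alike glyphs so visually similar hosts compare equal."""
    host = host.lower()
    # Longest substitutions first so that "rn" is handled before single letters.
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(fake, real)
    return host


def real_host(url: str):
    """Return (host the browser will connect to, user info before '@' or None).

    Everything between the scheme and an '@' is user info; the host is what
    follows it.  That parsing rule is exactly what the '@' trick abuses.
    """
    parts = urlsplit(url)
    return (parts.hostname or ""), parts.username


def _under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(url: str, trusted: list) -> dict:
    """Classify a URL against a list of trusted registrable domains."""
    host, userinfo = real_host(url)
    report = {
        "host": host,
        "userinfo": userinfo,
        "trusted": any(_under(host, t) for t in trusted),
        "lookalike_of": None,
        # Non-ASCII characters in the host with their Unicode names, so a
        # Cyrillic 'а' is not mistaken for the Latin letter it resembles.
        "non_ascii": [(c, unicodedata.name(c, "?")) for c in host if ord(c) > 127],
        "findings": [],
    }
    if userinfo is not None:
        report["findings"].append(
            f"text before '@' ({userinfo!r}) is a decoy; browser connects to {host!r}")
    if not report["trusted"]:
        sk = skeleton(host)
        for t in trusted:
            if _under(sk, skeleton(t)):
                report["lookalike_of"] = t
                report["findings"].append(
                    f"{host!r} is a look-alike of trusted domain {t!r}")
                break
    return report


if __name__ == "__main__":
    TRUSTED = ["respectedcompany.com", "paypal.com"]   # constructed list
    for u in ["http://www.respectedcompany.com@thisisascam.com/login",
              "https://www.paypal.com/signin",
              "http://paypaI.com/",
              "http://paypa1.com/",
              "http://p\u0430ypal.com/"]:            # Cyrillic а
        print(u, "->", analyze(u, TRUSTED))
```

The report’s `host` field is the only thing a user or a mail filter should judge a link by; the decoy text before the `@`, and the rest of a long URL, are noise. Comparing skeletons of both the candidate and the trusted name (rather than only rewriting the candidate) is what makes the check symmetric, so a genuine `microsoft.com` is not flagged merely because its own letters appear in the table.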
 

Hope this helps

Kyle

