I often receive phishing emails, mostly claiming to be from PayPal, ICICI or similar sites where money involved. Yesterday, I received an email claiming to be from PayPal. Of course, I didn’t fall for it, but it looked so genuine that I thought about sharing few simple rules which I follow for my own safety.
Rule 0: Be Skeptical
Please remember, your credit-card and other banking information such as login ID, passwords, ATM PIN, etc are very sensitive data. So always be skeptical when someone ask them to enter it.
Don’t look at why they are asking your data, just care about what data they are asking!
Rule 1: Always Look at Link URL before Clicking
Thanks to HTML, any text can point to any website.
Ok now how to look at the link URL before clicking it?
Most standard browsers show actual link URL in status bar when you point your mouse to the linked text.
As shown below, if you just point your mouse to Get Verified text, you can see a link not pointing to paypal.com.
Make this URL checking part of your habit as this will save you from lots of troubles in future.
One more example I would like to share is: http://www.yahoo.com. If you noticed it, its pointing to Microsoft’s website. Yes, text which looks like URL itself, can point to any other URL in background!
Rule 2: Check Email Headers for Actual Sender
Most people don’t know that FROM field in emails can be changed by sender. I can send you email from bill@microsoft.com. The technique is called email forging and is used in almost all phishing emails.
So how to check if email you received is not forged? Most trusted method is to check email headers. But email headers are quite long and complex, so checking them manually is pain. Also technique differs slightly for each email service providers.
I use Gmail and on Gmail things are always easy. So whenever you receive a mail on Gmail, look for show details option.
When you click on it, first line will be expanded and you will see a mailed-by line as shown below…
Now this is quite different compare to paypal.com. Moreover a signed-by line is completely missing! Emails by large organizations also have a signed-by line which protect them against misuse of their domain name. Now have a look at a genuine email from PayPal…
If you are on Gmail, use can use this show details option to verify sender of email. I don’t know about its counterpart on Yahoo or Hotmail, but if you know it, please share.
Rule 3: Use Google Toolbar or any other anti-phishing technique/filter
Yes, Google Toolbar is not just for making your life easier while using Googles’ services. It comes with built-in anti-phishing filters which warns you whenever you open malicious sites.
Following is screenshot of Google Toolbar warning when I opened site pointed by Get Verified text as discussed in Rule 1.
Google Toolbar gave me almost 100% protection against phishing sites. Still if you just don’t like Google Toolbar, you can still use Google search to find a good anti-phishing filter for free!
Rule 4: Use a secure browser like Firefox
All major services authenticate users over secure channels. Even services which uses unsecure channels normally, process login pages via secure channels. Some famous examples, Gmail, Facebook
, Orkut, Yahoo. While banking sites are normally use secure channels through-out the session.
A small difference between secure and unsecure channels is, secure URL stats HTTPS while unsecure starts with HTTP. Note the missing ‘S’. (Read more on HTTPS)
Now when you encounter a genuine login page in browser like Firefox, you can note following changes…
* Navigation bar background changes to yellow. Also a lock icon is shown indicating a secure site. Here you should also check domain name, which we often overlook.
Status bar also shows lock icon along with domain name for which digital certificate is issued.
These two things can not be forged so look at them whenever in doubt.
Rule 5: Report Phishing…
Great you saved your ass. Its time to save others’ now… ;-)
Gmail users can simply use Report Phishing option as shown below.
Rest if you have free time and energy, you can report phishing to authorities.
This rule is important as anti-phishing filters uses sites user report as phishing. So more you contribute, better security we all get… :-)
Remember, phishing is a serious crime and creating a phishing site can easily put you behind the bars. On the other hand, if you become victim of phishing somehow, you can not sue your bank or service provider for compensation. They have made it clear in their terms of service (ToS) which nobody reads!
Its your responsibility to fight for yourself. Others at the most can help you. Don’t expect more! :-)
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment