How to avoid phishing
Published October 29, 2010
ROYAL AIR FORCE LAKENHEATH, England -- Your bank account has been frozen! Many personnel have received messages like this one, sent in an attempt to fool the user into providing bank information, including user names, personal identification numbers and passwords.
All personnel need to remember that banks will never ask for passwords or personal information via email. Even though these Web sites look legitimate, don't be fooled. Type in your bank's Web site address in the address bar to ensure you are going to the correct Web site. Once there, look at the address bar to ensure it is legitimate. Sometimes even the smallest of differences are overlooked, like www.usaaa.com versus the correct address of www.usaa.com.
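The one-letter difference between www.usaaa.com and www.usaa.com is easy to miss by eye but simple to catch in a mail filter. The following is an added example, not part of the original article: it pulls the links out of a message and flags any whose domain is within a small edit distance of a trusted one. The trusted list, the distance threshold and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the sites this user really does business with.
TRUSTED = {"usaa.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Last two labels of the host name. Assumption: good enough for
    .com-style names; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(url, trusted=TRUSTED, max_dist=2):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for one URL.
    max_dist=2 is an assumed threshold, not a standard value."""
    domain = registered_domain(urlsplit(url).hostname or "")
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_dist:
            return "lookalike of " + good
    return "unknown"

def scan_email(body):
    """Classify every http(s) link found in an email body."""
    return [(url, classify(url)) for url in URL_RE.findall(body)]

# Constructed sample message, modelled on the wording quoted in the article.
SAMPLE = (
    "Your bank account has been frozen!\n"
    "Verify your details at http://www.usaaa.com/login today\n"
    "Our real site is https://www.usaa.com/ and news is at https://example.org/news\n"
)

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:24} {url}")
```

A "lookalike" verdict is a reason to quarantine the message or warn the reader; "unknown" only means the domain is not on the trusted list.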
Avoid clicking on links in e-mails, especially in unexpected warnings, requests for users to upgrade software and messages with spelling errors. Always be suspicious of requests for personal information. Most banks or companies will not request personal information via e-mail. According to the National Fraud Information Center, the most common form of phishing email appears to be from a legitimate retailer, bank, organization or government agency.
In the phishing email the sender often delivers shocking and commonly frightening news in order to trick an unsuspecting user into action. However, remember that a legitimate company will never ask you to download a program or enter personally identifiable information (PII) in an email.
Fraudsters normally gather PII by fooling unsuspecting victims into clicking on links that lead to spoofed Web sites that look just like those of a legitimate company, organization or agency. Also, never enter personal information on a Web pop-up screen. Oftentimes you might be on a legitimate site where one of these screens may pop up asking for PII. Again, legitimate companies do not ask for information in such a manner. Pop-up blocking software can help prevent attacks of this nature.
Another technique often used is pharming, or using malware installed on the host to hijack your Web browser. When a legitimate address is entered the malware redirects you to a spoofed site. Any information entered in the site will be stolen. Ensure your computer is equipped with layered defense, to include spam filters, anti-virus, anti-rootkit, anti-spyware and a firewall. Follow these simple rules to avoid phishing campaigns:
Stay alert. Know what is in your inbox; don't open any old email. If you don't know the sender, be overly suspicious.
Don't let emails frighten you. In most cases an email will not be the source of legitimate good or bad news. Read the email carefully and don't be easily duped.
Don't share information through email. A legitimate company should have the PII they need. Call the company help desk and ask for clarification if necessary.
Ensure you are secure. Look for "https" and the security symbol of a padlock in your browser. If you're not secure, don't enter information.
Never click on links within emails. If an email requests verification or further information, find the website yourself, ensure it is the correct site and verify that it is secure.
Never open mysterious attachments. Attachments can be laden with malware that can infect your computer.
Use layered defense. Utilize up-to-date spam filters, anti-virus, anti-rootkit, anti-spyware and firewalls.
The ability to understand a phishing email gives you the power to fight against it. A cyber criminal counts on the shock and awe factor to push you into action. A legitimate company will never ask you to download a program or enter PII through email communication. Phishing is a continuous and increasing threat, but by remaining cognizant and following a few simple rules we can greatly decrease the success of phishing campaigns and the theft of PII and valuable information.