Tuesday 2 October 2012

Twenty-five Simple but Effective Ways to Protect Yourself Against Phishing


Phishing is a form of confidence trick that scamsters use to try and get you to part with sensitive information. It started with attempts to gain access to bank accounts, but these days it can be an attempt to gain access to any accounts where money is stored or can be used to buy goods.

Various forms of phishing are also known as carding, brand spoofing and web spoofing. The scammers are becoming increasingly sophisticated in their attacks. Apart from the tried and tested method of embedding seemingly innocuous links in emails that redirect the user to fake sites, they also employ pop-up windows that encourage you to enter sensitive information, URL masks that conjure up real web addresses, and keystroke loggers lurking in the background waiting to capture your user IDs and passwords even as you type them.


Phishing is usually conducted using email and more often than not directs users to a website which is masquerading as a genuine site. The term phishing is a variant of fishing and alludes to the use of increasingly sophisticated lures to 'fish' for users' financial information and passwords. Indeed, recent phishing attempts have been targeting the customers of banks and on-line payment services such as PayPal. While the first such examples were sent indiscriminately in the hope of finding a customer of a given bank or service, recent research has shown that phishers may in principle be able to establish what bank a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. This practice of targeted phishing is termed spear phishing.

There is a constant cat and mouse game between the fraudsters who perpetrate these swindles and the security people who are hot on their heels. The good news, for the user, is that you don't have to be a tech-savvy geek to protect yourself from phishing attacks. As long as you have some basic information, know some tricks and keep your wits about you, then you can keep yourself safe on the internet.

Here are twenty simple guidelines to help you:

1. Don't trust strangers. This is advice every child is given, but it applies just as well to everyone on the internet. If an email comes in from someone you don't know, do not even open it. Even better, set your email junk and spam filters so they only deliver mail from those people who are in your address book.

2. Don't trust email links. If an email manages to make its way through your spam filter and you accidentally open it, then don't click on any links. Even if you get an email from someone you think you know and the link might be suspicious, navigate directly to the site yourself; don't use the embedded link.

3. Protect your privacy. OK, so you clicked on a link in an email, and you are taken to a site that asks for personal details. DO NOT ENTER ANYTHING. Often these sites will use threats to try and get you to enter personal information. Just ignore these warnings and leave the site.

4. Use the Phone, Not the Mouse. If you get an email claiming to be from a bank or a utility company or the like, don't click on any links. If you have reason to believe it may be genuine, pick up the phone instead and call them to verify.

5. Use the Keyboard, Not the Mouse. If you get an email claiming to be from on-line banks or companies like eBay or Amazon, be wary: these names are frequently used by scammers. If the emails do not address you by name, they are a scam. Even if they do address you by name, do not click on the links in any email. Instead, type their web address directly into your web browser and check the information out that way.

6. Look for the Lock. Valid sites that use proper encryption to secure personal data transfer are characterized by a lock (typically on the bottom right of the browser, sometimes to the left of the input box (where you type in URLs or search terms)). Also check that the web page itself is secure. A secure web page begins with https:// rather than the more usual http://.

7. Learn to Spot the Difference. The fact that a website displays the encryption lock symbol does not necessarily mean that the site is authentic. Always double-click on the lock icon. This will bring up the security certificate for that site. Check that the name on the security certificate matches the name of the site in the address bar.
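What the browser does when it compares the certificate name to the address bar can be written down precisely. The block below is an added example and not code from the original post: it takes certificate metadata in the same dictionary shape that Python's `ssl.getpeercert()` returns (the certificate here is constructed, not real) and checks whether a hostname is covered by the certificate's DNS names, applying the usual rule that a wildcard matches exactly one leftmost label and that the names are compared case-insensitively.

```python
# Constructed certificate metadata in the dict shape ssl.getpeercert() returns.
# This is not a real certificate; the names use the reserved .test domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.examplebank.test"),),),
    "subjectAltName": (
        ("DNS", "www.examplebank.test"),
        ("DNS", "*.accounts.examplebank.test"),
    ),
}


def cert_names(cert):
    """DNS names the certificate is valid for: subjectAltName entries, else the CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: only consult the CN when there is no SAN at all
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is only honoured as the whole leftmost label, it covers exactly one
    label, and it is refused for names too short to be a real host (e.g. "*.test").
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True if the address-bar hostname is one of the names the certificate vouches for."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


if __name__ == "__main__":
    for host in ("www.examplebank.test",
                 "login.accounts.examplebank.test",
                 "www.examplebank.test.attacker.test"):
        print(host, "->", hostname_matches_cert(host, SAMPLE_CERT))
```

The third case is the one that matters for phishing: a host that merely begins with the bank's name is not matched, because the label counts differ. In practice you would feed this the dictionary from `ssl.SSLSocket.getpeercert()` rather than a constructed one, and of course the chain must also validate to a trusted root before the name check means anything.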

8. Check a Site Using Wrong Input. If you believe that you have accidentally gone to a spoof website, there is a very easy way to check this. Deliberately enter an incorrect password into the form they provide you. A genuine site will let you know that the password is incorrect and will let you try again. A spoof site will accept that password and, in all likelihood, will then redirect you to a page saying that they are having technical difficulties before asking you to try again later. Real sites have error trapping, fake sites do not, because they cannot.

9. Don't Replicate Passwords. Yes, I know, you are a member of umpteen sites and you can't remember the passwords for all of them. But, if you use the same password everywhere, then if your password is caught by one phishing attempt, all your accounts have been cracked. The rules are: use different passwords everywhere and replace your passwords often. Technology can help you though. Two Stanford professors have come up with software called PwdHash (for Password Hash) that scrambles any password you type, and then creates a unique sign-on for each site that you visit. Also ensure that you use STRONG passwords: a mix of uppercase and lowercase letters, numbers and symbols. For example V3ry~5tr0ng would be a 'very strong' password. Easy to remember, but not that easy to guess.
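The idea behind per-site password hashing can be shown in a few lines. The block below is an added example written for this page; it is not PwdHash's own code and does not reproduce its exact algorithm. It assumes an HMAC keyed with the master password over the site's hostname, so the password a site (or a look-alike phishing site) receives is specific to that host and reveals nothing about the master password or about the password used anywhere else. The master password and hostnames are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_key(url):
    """Reduce a URL to the lower-cased host that will salt the derivation.

    Assumption for this example: the full hostname is used. Real tools typically
    use the registrable domain so that every subdomain of a site shares a password.
    """
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def derive_site_password(master_password, url, length=16):
    """Per-site password: HMAC-SHA256(master_password, host), base64, truncated."""
    key = site_key(url)
    digest = hmac.new(master_password.encode("utf-8"), key.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def phished_site_gets_master(master_password, phishing_url):
    """What a phishing page learns is the derived value; check it never equals the master."""
    return derive_site_password(master_password, phishing_url) == master_password


if __name__ == "__main__":
    master = "V3ry~5tr0ng"  # constructed sample master password (the post's own example)
    real = "https://www.examplebank.test/login"
    fake = "https://www.examplebank-login.test/login"
    print("real site gets:", derive_site_password(master, real))
    print("fake site gets:", derive_site_password(master, fake))
    print("same host, other page:", derive_site_password(master, "https://www.examplebank.test/accounts"))
```

The two printed values differ, so a password captured by the look-alike host cannot be replayed against the real one, while any page on the real host derives the same sign-on. Base64 output does not guarantee a mix of character classes, so a production tool would add the post-processing needed to satisfy each site's password rules.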

10. Keep Aware, Keep your Eyes Open. Most spyware type spam emails are written by those who do not have English as their first language. They are typically littered with typographic and grammatical errors. They may even be written in ALL CAPS. Teach yourself to recognize such emails, then report them as spam.

11. Familiarity Breeds Awareness. Learn to recognize spam and phishing type emails. They are typically all written and framed in similar styles. Once you have seen a few, you can easily spot them. There are lots of websites out there that maintain examples of spam, phishing and general scam emails so you can familiarize yourself with them.

12. Scammers Love Greed. I am certain that you have heard the phrase 'if it's too good to be true, then it probably is' applied to confidence tricks of all kinds. Well, the same is true in the internet world. If someone promises to give you money for your personal details, or if there is an offer that's too good to be true, then these are most probably scam-type emails.

13. Secure your Computer. Never, ever, leave your computer logged on and unattended. Always log out from any site that you are logged in to and either lock or shut down the computer before you leave. Don't make it easy for identity thieves.

14. You can Never be Too Careful. If you have an on-line bank account or credit cards, log on to the account on a frequent basis. This way you can check for and spot any suspicious activity before you are cleaned out.

15. Even a Little Knowledge is a Good Thing. When it comes to phishing and other internet scams, a little knowledge is always a good thing. The more you know, the more you can protect yourself. Always keep up with the latest news.

16. Dispose of Old Computers Properly. We all keep so much personal information on computers. If you are selling or disposing of an old computer, make certain that it has been completely erased first. Erase the hard drive several times then re-install a fresh copy of the operating system before giving it away. This rule also applies, increasingly, to smartphones.

17. Use Verifiable Email Systems. Just like websites, emails can be spoofed. However, if you use an email client that supports S/MIME digital signatures, you can check that the sender's address is correct and then verify their digital signature. This is a very effective anti-phishing method.

18. Keep up to date. Ensure that your software, particularly your operating system, antivirus and email software, is always up to date. This gives you the latest bug fixes and protects you from the latest viruses and trojans.

19. Maintain a Firewall. Always ensure that your computer and home network are protected with antivirus software and firewall software. This will prevent you from being infected with Trojans and keyloggers and will stop anyone from accessing your computer remotely.


20. Use Dual-level Login. If you are logging on to a sensitive site, it is best to use a dual combination of login methods. A password and remote verification of a pin number or your ATM card, for example. This makes it doubly hard to crack an account.

21. Using Tokens. Consider using an ID Vault USB Token. This encrypts all user IDs and passwords, storing them on a flash drive. This drive can then be used to securely log on to various websites. These tokens also come with a list of legitimate sites and help to prevent key-logging software from working effectively. The USB Vault itself is password protected, so thieves have to crack this device as well as users' own passwords.

22. SPYBLOCK. Developed by the same Stanford professors who also developed PwdHash, this tool helps prevent Trojan horse keyloggers from stealing passwords.

23. Extend your Browser. Browser extensions like Antiphish, used as a plug-in by Mozilla's Firefox, offer protection against phishing attacks by maintaining lists of passwords and other sensitive information, and issuing warnings when users type this information on fishy sites.

24. Sender ID Framework. This is new technology that is in the pipeline from Microsoft and CipherTrust. It fights against spoofing websites by verifying the source of each email.

25. Delayed Password Disclosure. Also referred to as DPD, this technique protects against pop-up windows that ask for sensitive details (known as doppelganger window attacks). It works against phishing attacks by having users enter their password letter by letter, typing each letter only after a corresponding image has been recognized.

And just because we are all moving to wireless in our homes, here is an extra security precaution.

26. Protect your Network. Always password protect your network with a strong password. This protects your wireless network and the computers on it from being hacked from outside. Turn off your network when you are not using it, particularly at night.

When it comes to phishing, ignorance is never bliss. The more you know, the more chance you have of having the right level of awareness to be able to protect yourself.

Learn more and keep yourself safe on the internet. The truth is that the thieves can only continue their phishing attempts because there are gullible people who fall for them. The more people who know the warning signs and know how to protect themselves, the less likely they are to be taken in.
