UC Davis Information & Educational Technology

Bits & Bytes

New Graduation Requirement: Phishing 101

Posted on March 29, 2005

Can you spot a scam? You know that the exiled Guatemalan Prime Minister is not going to send you $8 billion if you forward him $2000 for "processing fees," but is Washington Mutual really demanding that you confirm your account information because of possible fraudulent charges? If you're tempted to submit your social security number, we'd like to suggest you enroll in Phishing 101 instead. Successful completion of this course requires only that you read the next 700 words. What could be easier?

What is Phishing?
The term "phishing," first coined by hackers in 1996, refers to the process by which scammers use email or other "lures," such as instant messages or chatrooms, to fish for personal information from unsuspecting computer users. This information includes bank account data, social security numbers, and other private info. America Online, eBay, PayPal, Earthlink, US Bank, and Washington Mutual are among the companies that have been targeted by phishers, and countless individuals have fallen victim to con artists who design intricate phishing schemes. If you learn to spot a scam, however, you can avoid spending incalculable hours undoing identity theft, hours better spent playing racquetball and grubbing pepperoni pizza.

Anatomy of a Phishing Email
Look for the following signs when you receive an unsolicited email:

Authentic-looking logo
Mimicking a legitimate logo is as easy as cut and paste. Don't let pretty pictures sway your good judgment.

Threatening tone
Don't fall for distressing statements like, "Your account will be closed and you will be fined unless you act immediately." Legitimate businesses don't discuss such urgent matters over email.

Request for personal information
If the email asks for a lot of private information, like your social security number or bank account number, close it with keen determination and show the scammer who's boss. Legitimate businesses won't ask for this kind of information over email.

Misleading links
Using a process called "masking," phishers create a link that appears to go to a legitimate site but actually takes you to a scam site. Before you click on the link, rest the cursor over it for a second to see where it really goes. If an address different from the one in the link appears, the sender is trying to hide something.

Spelling and grammatical errors
Phishing emails often contain grammatical and spelling errors; in fact, phishers sometimes do this on purpose to avoid getting caught by spam filters.

Message just doesn't seem right
Use your sixth sense to spot email scams. If something seems phishy, trust your gut reaction. Find the company's official number in the phone book and ask the business if the email is a scam.

Identifying a Phishing Web Site
Most phishers mimic legitimate Web sites hoping you won't notice the difference. Once you've studied the list below, you'll be certain to pass right by those hooks:

Unsecured Web sites
Don't believe a big graphic that reads "SECURE." When you're at a genuinely secure site, there will be a small image of a locked padlock in the bottom right corner of the browser window frame. Also, the URL for most secure sites starts with "https," instead of the unsecured "http."

Deceptive URLs
It's time for a pop quiz: Is the following Web site a phish? http://www.visa.com/?rDirl=http://200.251.251.10/. If you answered "yes," move to the head of the class. While this URL appears to lead to Visa, the smart student will notice that there are two "http"s and that the second redirects you to a phishing site unrelated to Visa.

Sites without domain names
Most scammers mask their identity by giving an IP address (four sets of numbers separated by periods, e.g., 200.251.251.10) instead of a domain name, such as "www.google.com."

Browser and rendering errors
If your browser notifies you of browser or rendering errors, you should be cautious. Legitimate businesses rarely make such mistakes.
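
The checks described under "Misleading links," "Deceptive URLs," and "Sites without domain names" can be run automatically over the links in an HTML email. The Python below is an added example, not part of the original column; the sample email, the host name www.example-bank.test, the address 203.0.113.7, and all function and flag names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample email body; the host and address are placeholders.
SAMPLE = ('<p>Confirm at <a href="http://203.0.113.7/login">www.example-bank.test</a>'
          ' or <a href="https://www.example-bank.test/help">read our help page</a>.</p>')

def url_flags(url):
    """Return the warning signs from this column that apply to one URL."""
    parts, flags = urlsplit(url), []
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts.hostname or ""):
        flags.append("ip-address-host")  # dotted numbers where a domain belongs
    if parts.scheme != "https":
        flags.append("not-https")
    # A second URL carried in a query parameter, as in the pop-quiz example.
    if any(v.lower().startswith(("http://", "https://"))
           for _, v in parse_qsl(parts.query)):
        flags.append("embedded-url")
    return flags

class LinkAuditor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data  # reset at each <a>, read at the matching </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def audit_email(html):
    """Return (text, href, flags) per link; 'masked-link' = text shows another host."""
    auditor = LinkAuditor()
    auditor.feed(html)
    report = []
    for text, href in auditor.links:
        flags = url_flags(href)
        shown = (urlsplit(text if "://" in text else "//" + text).hostname
                 if len(text.split()) == 1 else None)
        if shown and "." in shown and shown != urlsplit(href).hostname:
            flags.insert(0, "masked-link")
        report.append((text, href, flags))
    return report
```

Calling audit_email(SAMPLE) flags the first link as masked, IP-hosted and not HTTPS, and leaves the second link unflagged; link text is compared with the real destination only when it is a single token such as a bare host name or URL.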

If you want to earn some extra credit, you can go to http://security.ucdavis.edu/101_phishing.cfm, where you'll find examples of phishing scams.

A Bit of Homework
New phishing scams are produced faster than allergies in a Davis spring. Many of them use viruses to install a program on your computer that records your keystrokes, sending that information to the phisher. Apple and Microsoft regularly release updates and "patches" that help ensure your computer isn't vulnerable to such attacks. Download these patches whenever they're offered.

Have You Been Scammed?
If you think you have been scammed, take action as quickly as possible. Depending on the information you have given out, you may need to make a number of phone calls, contact credit card agencies, or close bank accounts. Visit www.antiphishing.org/consumer_recs2.htm for a list of the proper procedures to follow.
Want to take these phishers down? Go for it! Report fraudulent sites to the FBI's Internet Fraud Complaint Center at www.ifccfbi.gov/index.asp.
Well, that concludes Phishing 101. To get an "A" in this course, all you need to do is avoid getting phished for the next four years. There'll be no credits on your transcript, but you'll have plenty of prestigious bragging rights about the ones that got away. And a lot of peace of mind.

This column is provided to you by the student writers of Information and Educational Technology. For questions and comments, please contact ietpubsjr@ucdavis.edu.
