Some ask, “What exactly is phishing? Isn’t that just sitting in a boat and drinking beer?” Sadly, no. In a perfect world, we wouldn’t need to know about phishing, nor protect ourselves against it. Phishing is an attempt to STEAL your password. Most phishing attempts are websites designed to look just like a legitimate one. A copy of your bank’s site, for instance, is a likely candidate; eBay and PayPal are common as well. They look just like the real thing, but instead of signing you into your account after you put in your password, they give you an error message like “Due to technical difficulties, we cannot sign you in.” or simply a white page. In the background, however, your password has been stored for someone to access and use against you for their own personal gain. Here’s a typical phishing attempt:
I receive an email from eBay saying I won a bid for an item, let’s say an Xbox 360, for 20 bucks. Great deal, right? I click the link in the email and am presented with a page in my browser asking for my username and password. I try to sign in; it says that I have a bad password. Try again? Sure, I could have mistyped it. Nope… still not letting me in. Well, dang. Did I use a different password? I try all my normal passwords. Nothing. I click the reset password link, and it says “Sorry! Due to technical difficulties we cannot reset your password. Try again later.” Fine. I push it to the back of my mind, to be dealt with later.
Let’s think about this and derive how to protect ourselves from this attack.
1. I received an email, for an auction I did not partake in. RED FLAG. This is my first clue.
2. It’s a great item that I could easily get, but for much less than normal. RED FLAG #2. Xbox 360 for 20 bucks? Way too good to be true.
3. I clicked the link from the email, taking me to a page that looks like eBay.
4. I entered my username and password, and it came back invalid multiple times.
5. I tried my other passwords that I may have used, thinking I was remembering the wrong one. The rest is pretty obvious.
Now, how to protect yourself from it. First, take everything in email with a grain of salt. Don’t assume it’s true. Secondly, if it seems too good to be true, IT IS. Third, never click a link that was emailed to you. If the email is genuine, just go to the site it claims to be from by typing its address into your browser. Go directly to ebay.com and sign in there. If it’s important enough, the site will tell you on first login. If you feel there still might be a chance of a problem, most websites protect themselves with security certificates signed by Certificate Authorities that the major browsers recognize. For instance, look at the following screenshots from Google Chrome:
Clicking that lock provides something to this effect: it tells us the details and some technical information. Note this certificate is signed by VeriSign, a reputable Certificate Authority.
Clicking Certificate information on the bottom left of the above screen gives the below screen. Note it restates that the certificate was issued to signin.ebay.com and by VeriSign.
This confirms that you are talking to the genuine site run by eBay, not a copy. The only way for this to still result in identity theft is if an attacker got into eBay itself, which is outside of your control and highly unlikely (so I’d hope). That’s for another article.
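As an added example (not part of the original post), here is a small Python script that applies the two checks above mechanically: whether the host in an emailed link really belongs to the site it claims to be, and whether a certificate’s “issued to” name covers the host shown in the address bar. The trusted domains, the sample links and the certificate names are constructed for illustration; only ebay.com, paypal.com and signin.ebay.com come from the post.

```python
"""Check where an emailed link really points before trusting it.

Constructed example: the sample links and certificate names below are made
up for illustration and are not taken from any real message.
"""
import ipaddress
from urllib.parse import urlparse

# Sites the reader actually has accounts with (assumption for this example).
TRUSTED_DOMAINS = ("ebay.com", "paypal.com")


def is_under_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it.

    A plain substring test would be fooled by hosts such as
    'signin.ebay.com.example' or 'ebay.com-login.example', so this check
    requires a label boundary: 'signin.ebay.com' passes, 'ebay.com.example'
    does not.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify an emailed link as 'trusted', 'lookalike' or 'unknown'.

    Also reports the red flags a reader should notice: a non-HTTPS scheme,
    a bare IP address instead of a name, a 'user@' part before the real host
    (which some mail clients display as if it were the site), and punycode
    labels that can render as look-alike characters.
    """
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        flags.append("user@ prefix in link")
    try:
        ipaddress.ip_address(host)
        flags.append("bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label")

    verdict = "unknown"
    for domain in trusted:
        if is_under_domain(host, domain):
            verdict = "trusted"
            break
        # A trusted name appearing somewhere in the link but NOT as the real
        # domain is the classic phishing pattern.
        if domain in host or domain in parts.netloc.lower():
            verdict = "lookalike"
            break
    return {"host": host, "verdict": verdict, "flags": flags}


def certificate_covers_host(cert_names, host):
    """Mimic the browser's 'issued to' check from the screenshot: the host
    typed in the address bar must match one of the certificate's names.
    Only the common one-label wildcard form (*.ebay.com) is handled."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".ebay.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample links, in the style a phishing email might carry.
    samples = [
        "https://signin.ebay.com/signin",
        "http://signin.ebay.com.account-check.example/login",
        "https://ebay.com@203.0.113.5/login",
        "http://203.0.113.5/paypal/",
    ]
    for s in samples:
        print(s, "->", classify_link(s))
    print(certificate_covers_host(["signin.ebay.com"], "signin.ebay.com"))
```

The point of `is_under_domain` is the label boundary: the trusted name must be the end of the host, after a dot, which is exactly what the post’s “go directly to ebay.com” advice relies on. Anything that merely contains “ebay.com” somewhere in the link is reported as a lookalike rather than trusted.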
Lastly, NEVER send your username and password to people through email. I can be your bank’s CEO if I word it just right in an email.
I hope that this helps someone in understanding how phishing works and how to avoid it. Please comment with any other tips or feedback.