How to avoid online phishing

We’ve all seen them, and we’ve all probably received one. The so-called 419 scam – named after the article of the Nigerian penal code that deals with fraud – is perhaps the most infamous of all phishing scams. It offers the recipient untold wealth, if only they’d allow an even larger sum of money to rest in their bank account temporarily on its route out of a distant nation – oh, and of course, to wire over a small amount to cover the sender’s expenses.

It might sound tempting, but the reality is that no one, not even a desperate prince, is going to give you money for nothing. PhishTank, a collaborative clearing house for information about phishing on the internet operated by OpenDNS, had registered 1,198,703 verified phishing sites at the time of writing, of which 12,143 were still active.

Google is going one step further and actively flagging suspected phishing sites in users’ browsers. “We’re currently flagging up to 10,000 sites a day,” wrote Lucas Ballard, Google Software Engineer in June 2013, “and because we share this technology with other browsers, there are about 1 billion users we can help keep safe.”

How to avoid online phishing

We still can’t afford to be complacent, though. Figures released by RSA’s Anti-Fraud Command Centre indicated that in 2012, the UK was the number one victim of phishing scams, with losses of over £405m from close to 250,000 individual attacks.

That was an increase over the previous year, in a period when figures for Canada and the US declined.

Far from the real deal

Increased public awareness means that phishers have to resort to subtlety. The US Internal Revenue Service (IRS) is posting advisories to its website warning American taxpayers that scammers, passing themselves off as the IRS were hooking recipients with phony tax cuts and rebates.

IRS Commissioner Doug Shulman called it “a disgraceful effort by scam artists to take advantage of people by giving them false hopes of a nonexistent refund.”

Its UK equivalent, HMRC, maintains an extensive list of spoofed email addresses frequently used by phishing operatives making similar claims over here, with such likely candidates as service@, secure@ and customs@hmrc.gov.uk all in circulation – and all fraudulent. Bookmark HMRC’s webpage listing addresses used by scammers, and check that any addresses that you might receive future emails from HMRC don’t appear on its updated list.

How to avoid online phishing

Phishers often go to great lengths to make their emails look like the real deal. Don’t be fooled into thinking that just because an email includes logos from HMRC, your bank or PayPal that it’s been anywhere near those organisations’ servers.

Watch out for clues, like spelling mistakes or grammatical errors that would less likely be made by a native speaker, as these too could indicate that the message might have originated from overseas.

Be wary of emails that are too familiar (tax authorities and credit card companies are unlikely to open an email with ‘Greetings’ or sign off with ‘God bless’), or ask for too much information.

How to avoid online phishing

Online banks will never ask you to provide your password or username, sensitive data such as maiden names or other login credentials. They usually confine sensitive communications to secure messaging areas within the account management screens that can only be accessed after logging in with a username and password, so don’t trust emails that appear to include a lot of sensitive financial data.

Be wary of emails purporting to come from your bank that incites you to click a link to access its site; phishers use this tactic to present an apparently genuine login page, which they use to harvest your access credentials. Even if you believe the email is genuine, open a new browser window, type your bank’s URL and follow the links to find the page you need.

Not all phishing scams immediately look like they’re after money or credit card details – some are simply designed to win your custom without you realising that you’re leaving an existing supplier. Less reputable domain registration agents are among those who might write to the owners of domains approaching expiry, inducing them to click a link and renew their online property.

Rarely do they explain in anything but the smallest print that doing so will shift the domain away from your original registrar to themselves, leaving them free to apply new terms and conditions and potentially charge a higher price, either immediately or in the future.

How to avoid online phishing

It can take up to a month to transfer a domain from one registrar to another, so be suspicious of emails of this type that arrive well in advance of your current registration period expiring – it’s a sign that you’re not dealing with your existing host.

If in doubt, log in to the domain management system of your existing provider and renew your domain there.

What to do next

First of all, don’t even think about clicking any links in a scam or phishing email. That’s the golden rule. Then, wherever possible, you should report it to any affected parties and in particular any organisations that its senders may be attempting to spoof.

We live in a world now where most banks and other financial institutions have dedicated email addresses to which you can report phishing scams (for HMRC, for example, it’s phishing@hmrc.gsi.gov.uk). Type the organisation’s name followed by phishing into Google, and the result you’re looking for will almost always be in the top spot.

Forward the email in its entirety to the reporting address complete with its full headers, because these show the route that the message took to reach you, which can be useful digital forensic evidence. Most email clients suppress these for clarity by default, but you can usually expose them by clicking a small arrow near the subject line of the email.

Usefully, you can report phishing and spam emails directly in Gmail by picking those options from the Reply menu attached to each message.

 

Related