That’s not a typo in the headline. Phishing is the process of attempting to gain information through deception. It uses email and fake web sites to get you to unknowingly provide information to a criminal.
Common methods of phishing include receiving emails that appear to be from banks, other institutions, or online retailers saying that you must change your password due to a security breach or a change in procedures.
Here’s an example:
We have noted that there have been several attempts to access your [credit card name] account from a foreign company. We recommend that you immediately change the password to ensure your account security. Please click on the link below to access your account and change your password.
We apologize for this inconvenience but are working to ensure your money is well protected.
Security Manager, X Company
Click here to access your online account.
There will be a clickable link near the bottom of the message and this will take you to what appears to be the web site of your online banking. Some of these fake web sites are very good replicas and many people get taken in and log into them as they would to their banking sites, giving their card number and password.
They are recording your bankcard number and password for online banking. Shortly afterwards, the phisher logs into your bank as you and transfers your money into another account. Or, if the message claimed to be from Amazon, for example, they may use your account to order a large number of books or DVDs that they receive and you get billed for.
As insidious as this may sound, you can easily prevent this from occurring. The first step is to never click on a link in an email message. If you receive one of these messages and are unsure if it’s real, open a new window in your web browser and log into the site from it, rather than through the email itself. This way you know what site you are logging into.
Here is a second trick: when your banking web page loads, look in the address bar at the web site address.
There are two hints in the address that should tell you if you are at your bank site or a fake. Here is the beginning of the address that should show if you are logged into one of the Canadian chartered bank sites:
The first hint is the protocol, which shows up as “https://” and means “secure site.” Some fakes will use a secure server, so this is not a guarantee in itself. However, if it only says “http://” it is not your bank website.
Those two easy steps should prevent any phishing attempt from succeeding. As a note, phishing is often done on other sites, such as Facebook or Twitter. It’s good practice to check the address box of any site involving a log-in with user name and password to see that it’s not a fake. Facebook and Twitter do not necessarily use the secure https protocol, but the address box should show you logging into facebook.com, twitter.com, amazon.ca, etc.
A quick look before logging in can save you a great deal of money and grief.
Doug Rutherford teaches computer networking and security for Yukon College and three post-secondary educational institutions in British Columbia.