Norton Article Library

Phishing is on the rise

April 7, 2006
Summary: Online commerce has become routine, and cybercriminals are taking advantage of this fact. Learn how to protect yourself from "phishing" scams.

Introduction

Statistics from the Anti-Phishing Working Group reflect a surge in phishing activity. By November of 2004, the number of reported phishing Web sites had risen to 1,518—a 29% increase over the previous month alone. Phishers are clever and unscrupulous, and in order to protect ourselves, we need to know how phishing works.

How phishing works

In a common scenario, phishers will send mass emails. The emails appear to come from a legitimate company, and often try to evoke an emotional response to a phony crisis. Usually a request for sensitive information is made, sometimes directing the recipient to a spoofed Web page. The Web page, like the email, appears authentic, and in some instances its URL has been masked so the Web address even looks real. Because the email and its corresponding Web page seem bona fide, the phishers hope at least a fraction of recipients are fooled into submitting their data.

Phishers are also beginning to use viruses to do their dirty work. These viruses monitor your Internet activities, and will spring into action when you visit a particular site, either diverting you to an impostor site or capturing your keystrokes. Without virus protection, you may have no idea malicious code resides on your hard drive.

How to avoid phishing scams

You don't need to become an expert to protect yourself. Caution and common sense will reduce your likelihood of becoming a phishing victim.

  • Be wary of email asking for confidential information—especially of a financial nature. If you receive this kind of request, call to confirm the sender's identity and the validity of their request.

  • Don't be pressured into divulging information. Phishers use scare tactics, employing urgent language to pressure you into submitting confidential data. They may threaten to disable an account or delay services until you update certain information. Contact the merchant who sent the email to confirm its authenticity.

  • Watch out for generic-looking requests for information. Fraudulent emails are rarely personalized. Emails from your bank or ISP should directly address you or your account—confirm the authenticity of any suspicious request before responding.

  • If a suspicious email contains a URL, don't click on it. Instead, navigate to the Web site by typing the URL directly into the address bar of your browser.

  • Never submit confidential information via forms embedded within email messages. Instead, communicate that information over the phone or through a secure Web site.

  • When submitting confidential information over the Internet, verify the site is secure. Just because the site's address begins with https doesn't necessarily mean the site is secure. Phishers may use URL masking techniques to mimic the secure address of an authentic company. Before submitting your information, confirm the URL's authenticity by clicking on your browser's "locked" symbol.

  • Monitor your online accounts. Make sure all transactions are valid. If they aren't, contact your bank or credit card company immediately.

  • Keep your browser and operating system up to date. Check regularly for patches and upgrades.

  • Lock down your computer with protection tools. Norton Internet Security reduces your exposure to spam-based phishing scams and protects against viruses and other blended threats.

Conclusion

We all need to stay abreast of new phishing tactics and strategies. You also need to keep your security tools at the cutting edge. Check in regularly with Symantec Security Response to get the latest threat information and to keep your security components up to date.