Phishing is the term used to describe the fraudulent use of email and websites to obtain personal information. Such documents are constructed to look very similar to those issued by well-known organizations such as banks, credit-card companies and retailers. Phishing has become increasingly widespread so email and web users should exercise extra caution when divulging personal information.
Here are three things you can do to avoid becoming 'caught' in a phishing scheme (Ref: OUCH: The Report On Identity Theft and Attacks On Computer Users, Volume 1, No. 9, September 8, 2004):
- DON'T open email attachments from anyone unless you know the sender and you were expecting the attachment.
- DON'T click on links in emails or web sites unless you can guarantee the email came from someone who is not trying to fool you and that the web site is actually the site you think it is.
- DON'T disclose private information unless you initiated the need to do so.
Here are some examples from the Anti-Phishing Working Group:
- Major bank identity/money theft example.
- Major bank fraud verification example.
Email and Website Identification
Point 2 above requires that you be able to satisfy yourself that the website or email you are using is genuine. The following section explains how.
The most common method used to authenticate a website is SSL. Secure Sockets Layer is a standard that employs cryptography to provide not only authentication but privacy as well, since data transfers between browser and website are encrypted. All businesses that conduct financial transactions over the Internet use SSL for these reasons. Since phishing involves the use or misuse of the 'authentication' component of SSL, it is important to learn ways of verifying the SSL information you are presented with.
Step 1 - Ensure that SSL is being used. The 'lock' symbol is the standard way for indicating that the current document was transferred to your browser using SSL.
Step 2 - Ensure that the 'certificate' presented by the website is for the website you intended. A certificate is an electronic security document created by the website and verified by a third party. The third party is called a 'Certificate Authority'. The maker of the browser 'trusts' a number of Certificate Authorities - trust meaning the browser makers are assured that the Certificate Authority uses reasonable effort to verify the website is authentic. Here's an example - we will look at the certificate presented by the TD Canada Trust Bank website: to view the certificate of the website, click on the 'lock'.
You can see the name of the website at the 'Issued to:' field. You must assure yourself at this point that this is the website you want to be using. Check the spelling to ensure that you are not accessing a site that 'looks' like the one you want. Now select the 'Certification Path' tab.
This report provides useful information - it tells you:
- the name of the website that the certificate is protecting
- the name of the Certificate Authority - in this case Verisign, a well-known organization.
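The two checks above (who the certificate is issued to, and who issued it) can be scripted with nothing more than Python's standard library. The following is an added example, not part of the original page: it reads the certificate dictionary that `ssl.SSLSocket.getpeercert()` returns, prints the same 'Issued to' and 'Issued by' fields the browser's certificate dialog shows, and checks whether the names on the certificate actually cover the site you intended to visit. The `SAMPLE_CERT` data, the `examplebank.example` domain and the `Example CA` issuer are constructed placeholders so the script runs offline; pass a hostname on the command line to inspect a live site instead. Note that the hostname matching here is a simplified form of the RFC 6125 rules (exact match, or one leading `*` label), enough to show why `examplebank.example.attacker.example` does not match a certificate issued to `examplebank.example`.

```python
import socket
import ssl
import sys

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns.
# This is NOT a real certificate; every name below is a placeholder.
SAMPLE_CERT = {
    "subject": ((("countryName", "CA"),),
                (("organizationName", "Example Bank"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA Secure Server CA"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "examplebank.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def issued_to(cert):
    """The 'Issued to' field as a browser shows it: every DNS name the cert covers."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = rdn_value(cert.get("subject", ()), "commonName")
    if cn and cn not in names:
        names.append(cn)
    return names


def issued_by(cert):
    """The 'Issued by' field: the Certificate Authority's organization name."""
    issuer = cert.get("issuer", ())
    return rdn_value(issuer, "organizationName") or rdn_value(issuer, "commonName")


def name_matches(pattern, host):
    """Simplified RFC 6125 matching: exact, or a single leading '*' label
    that covers exactly one label of the host (never the bare domain)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and bool(sep) and rest == pattern[2:]
    return False


def covers_intended_site(cert, intended_host):
    """True only if some name on the certificate is the site you meant to visit."""
    return any(name_matches(n, intended_host) for n in issued_to(cert))


def fetch_cert(host, port=443):
    """Live check. The default context verifies the chain against the OS trust
    store and the hostname, so a self-signed or lookalike site raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.examplebank.example"
    cert = fetch_cert(host) if len(sys.argv) > 1 else SAMPLE_CERT
    print("Issued to:", ", ".join(issued_to(cert)))
    print("Issued by:", issued_by(cert))
    print("Valid from", cert["notBefore"], "to", cert["notAfter"])
    print("Certificate covers", host, "?", covers_intended_site(cert, host))
```

The reason `covers_intended_site` is a separate step from `fetch_cert` is the point the text makes: the browser (or `ssl.create_default_context()`) only proves that the certificate matches the address you actually connected to. Whether that address is the one you meant to use is still a spelling check that only you can perform.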
There is no universally used method for authenticating or ensuring oneself about the origin of the email sender. Below are some suggested methods for verifying email origin.
S/MIME is a standard that employs cryptography to provide not only authentication but privacy as well. It is supported by major email clients such as Microsoft Outlook, Outlook Express, Netscape Messenger and Mozilla Thunderbird. It is similar to SSL except that the certificate is associated with an email address rather than a web server. Also, as with SSL, the Certificate Authority takes on the task of providing some assurance that the identity of the user who is issued an S/MIME certificate has been verified.
PGP is a standard that provides similar functionality to S/MIME but is not as well supported in email clients as S/MIME, and verifying the identity of other users is left entirely to the users themselves.