TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

Phishing and pharming rely on a variety of nefarious methods, and they are a consistent problem that threatens everyone with identity theft. If you recognize what these methods are and how malicious users employ them, you can keep yourself and your users from becoming victims.

A quick review

Phishing involves sending an e-mail that claims to come from a legitimate business in an attempt to scam the user into surrendering private information. Pharming pursues the same goals with a different method: malicious users employ spyware, keyloggers, domain spoofing, domain hijacking, or domain cache poisoning to obtain personal or private (usually financial) information.

To put it bluntly, criminals try to steal your identity by getting you to divulge financial data such as credit card numbers, account usernames, passwords, and social security numbers. They sell this information, and it then becomes an identity theft crime.

Recognize the methods

The primary method for this crime is to send e-mails that look like valid correspondence coming from a bank asking users to click the link provided and log into their account for some type of important information. But your bank and other institutions where you do business don’t work this way. They may send you an e-mail and ask you to review or verify information. However, they don’t send links to a Web site. You already do business with them, and they know you don’t need the link to the Web site.

If you click that link, one of two things is going to occur. It could download spyware onto your computer, which will then capture your personal information and send it to the criminals. Or, the link will direct you to a Web site that looks and feels like the site you expected — but it’s actually just a front to collect your login information to help the criminals harvest your personal information.

Fight back

To protect yourself and your users against phishing and pharming schemes, here are four rules to live by:

  • Rule 1: Stop clicking links in e-mails that direct you to your bank or a financial institution. Stop filling out forms sent to you by your bank or financial institution. If you want to visit the site to see if you need to confirm/update/verify your account, open up a browser and type the link or retrieve it from your favorites.
  • Rule 2: If you suspect an e-mail is part of a phishing scheme, report it. Report it to the financial institution, the FTC, and the Internet Crime Complaint Center.
  • Rule 3: Update your browser, your antivirus software, and any other security software. The latest versions of such software have phishing filters that detect attempts and warn you if they suspect you’ve surfed to a site that isn’t legitimate.
  • Rule 4: Stop using public computers to access private information. Internet kiosks at hotels and other businesses are convenient but often have Trojans and keyloggers installed that collect and transmit your information to the criminals. Access personal and financial information only from a computer you trust to be free from these evils.

Final thoughts

Criminals have learned that they don’t need to pull a gun on you to get your wallet or purse. They’re using the Internet to steal everything in your accounts — and your good credit too. Take a few simple steps to stop them, and don’t become an identity theft statistic.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


During his 24 years of service with the U.S. Marine Corps and the U.S. Army, Mike Mullins served as a community e-mail manager for his base while stationed in Germany. While stationed in the U.S., he was a WAN/LAN network, NT domain, Exchange, and security administrator for the Defense Information Systems Agency, and a database administrator and assistant network administrator for the U.S. Secret Service. He has experience with Windows NT/2000/2003 networks, Exchange, intrusion detection devices, Symantec/Cisco firewalls, Cisco routing and switching in LAN and WAN environments, and Web site administration. His certifications include MCP, CCNA, MCSA, CISSP and DoD Level II Administrator. He is working on his master's and is looking forward to completing his MCSE and CCIE certifications. He is currently a consultant and serves as the Director of the Computer Emergency Response Team for the U.S. Department of Housing and Urban Development (HUD).
