Friday 5 December 2008

The Anatomy of a Phishing Scam

We've been suffering from a plethora of phishing scams over the last few weeks at LSE. To put this into context, Messagelabs stop in excess of 250,000 spam e-mails from arriving at our mailboxes every week, which represents 25% of the total (1,108,000). So, when one does get through, it is a bit unusual. In the main, these don't cause a lot of disruption as most people are conditioned to ignore them. However, there's always someone who does reply and the IT department spends quite a bit of time clearing up the aftermath.

So, here is my one top tip for not getting caught:

Never, ever send your password to anyone by e-mail.

It's quite simple. No-one should ever ask you to disclose your password by e-mail and you should never, under any circumstances, give it to anyone.

What happens if you do

Here at LSE, we have a set of Conditions of Use for IT Facilities which clearly state that you shouldn't do this. Most organisations with an information security policy say the same thing. Generally, you can expect your account to be suspended as a minimum.

However, that's not all. Scammers will use the details they have gained to abuse the account they now have access to: stealing information and, most likely, sending spam out from it. This means that the account gets blacklisted. Which is a pain.

Phishing for Bank Details

This is obviously a subset of a much wider attempt to con people into handing out personal details, either by asking for them directly or by convincing them that they are on a legitimate site. Many people have received e-mails, purportedly from their bank, asking them to log in by clicking a link in the e-mail and filling in all of their authentication information.

There is a simple way to avoid being duped by one of these e-mails. Never click on the links in the e-mail: always go directly to your bank by manually typing their website address in the address box of your browser.
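As an added illustration of the trick the advice above guards against (this is not code from the original post): a small script, run on a constructed sample e-mail with example domains, that flags links whose visible text names one host while the href actually leads to another, or that point at a bare IP address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a "bank" e-mail; all hosts are example addresses.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://198.51.100.7/login">log in</a> to verify.</p>
<p>Or visit <a href="http://examplebank.example.net/secure">www.examplebank.co.uk</a></p>
<p>Help: <a href="https://www.examplebank.co.uk/help">www.examplebank.co.uk/help</a></p>
"""

# Link text that looks like a hostname (optionally followed by a path).
HOST_LIKE = re.compile(r"^[\w-]+(\.[\w-]+)+(/\S*)?$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Hostname of an href or of hostname-like link text, lowercased."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def suspicious_links(html):
    """Return (href, reason) for each link a reader should not click."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host_of(href)
        shown = _host_of(text) if HOST_LIKE.match(text) else ""
        if real.replace(".", "").isdigit():
            findings.append((href, "link points at a raw IP address"))
        elif shown and shown != real:
            findings.append((href, f"text shows {shown} but link goes to {real}"))
    return findings
```

Mail filters and browser address bars apply the same idea: what the reader sees and where the link really goes must agree.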

Browser defences

On top of this, many web browsers now (or will soon) incorporate anti-phishing tools. For example, Mozilla Firefox has a feature that, if turned on, automatically blocks access to known phishing sites.

If in doubt, don't click. And another tip: don't reply to these scam e-mails with some sarcastic comment: it only confirms your address and you'll end up getting more spam.
