5 Simple Rules To Fight Against Phishing [Security]

I often receive phishing emails, mostly claiming to be from PayPal, ICICI or similar sites where money is involved. Yesterday I received an email claiming to be from PayPal. Of course I didn’t fall for it, but it looked so genuine that I thought I would share a few simple rules which I follow for my own safety.

Rule 0: Be Skeptical

Please remember, your credit-card and other banking information such as login ID, passwords, ATM PIN, etc. are very sensitive data. So always be skeptical when someone asks you to enter them.

Don’t focus on why they are asking for your data; focus on what data they are asking for!

Rule 1: Always Look at Link URL before Clicking

Thanks to HTML, any text can point to any website. Ex: Britney Spears Naked. Don’t shout at me if you are led to the Vatican site… 😉

OK, so how do you look at the link URL before clicking it?

Most standard browsers show the actual link URL in the status bar when you point your mouse at the linked text.

As shown below, if you just point your mouse at the Get Verified text, you can see a link that does not point to paypal.com.

[Image: Look at Link URL before Clicking]

Make this URL check a habit; it will save you a lot of trouble in future.

One more example I would like to share: http://www.yahoo.com. If you hover over it, you will notice it actually points to Microsoft’s website. Yes, even text that looks like a URL can point to a completely different URL behind the scenes!
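The two tricks above (innocent-looking link text, and link text that looks like one URL while the href goes to another) can be caught mechanically. The following is an added example, not code from the original post: it parses the anchors out of an HTML mail body with Python's standard library and flags links whose visible text disagrees with the real destination, links that go to a raw IP address, and (when you tell it which domain the mail claims to come from) links that do not stay under that domain. The HTML body, the IP address and the domain names are constructed for the example; `registrable_domain` is a deliberately crude "last two labels" approximation rather than a public-suffix lookup.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML (not from the original post): a message that claims to be
# from paypal.com and carries one honest link and two deceptive ones.
SAMPLE_HTML = """
<p>Please <a href="http://203.0.113.7/verify/pp">Get Verified</a> today.</p>
<p>Visit <a href="http://www.microsoft.com">http://www.yahoo.com</a> for news.</p>
<p>Log in at <a href="https://www.paypal.com/signin">https://www.paypal.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: a rough stand-in for the owning domain (fine for .com)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def hostname_of(url):
    """Hostname of a URL or URL-looking text; '' if none can be parsed."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, claimed_domain=None):
    """Return the warnings for one link; an empty list means it looks consistent."""
    warnings = []
    target = hostname_of(href)
    # 1. visible text that looks like a URL must agree with the real destination
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = hostname_of(text)
        if registrable_domain(shown) != registrable_domain(target):
            warnings.append(f"text shows {shown} but link goes to {target}")
    # 2. a raw IP address in place of a brand's hostname is a classic tell
    try:
        ipaddress.ip_address(target)
        warnings.append(f"link goes to a raw IP address {target}")
    except ValueError:
        pass
    # 3. if the mail claims a sender domain, every link should live under it
    if claimed_domain and not (target == claimed_domain or target.endswith("." + claimed_domain)):
        warnings.append(f"link host {target} is not under {claimed_domain}")
    return warnings


def find_deceptive_links(html, claimed_domain=None):
    """Parse html and return [(href, text, warnings)] for links that raise a warning."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        warnings = check_link(href, text, claimed_domain)
        if warnings:
            flagged.append((href, text, warnings))
    return flagged


if __name__ == "__main__":
    for href, text, warnings in find_deceptive_links(SAMPLE_HTML, "paypal.com"):
        print(f"{text!r} -> {href}")
        for w in warnings:
            print("   !", w)
```

Run against the constructed body it flags the "Get Verified" link (raw IP, and not under paypal.com) and the yahoo.com-looking link (really microsoft.com), while the genuine PayPal sign-in link passes. The point of the hover habit in Rule 1 is exactly check 1: the text is what you read, the href is where you go, and only the href matters.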

Rule 2: Check Email Headers for Actual Sender

Most people don’t know that the FROM field in an email can be set to anything by the sender. I can send you an email from [email protected]. The technique is called email forging (also known as spoofing) and is used in almost all phishing emails.

So how do you check whether an email you received is forged? The most trusted method is to check the email headers. But email headers are quite long and complex, so checking them manually is a pain. Also, the technique differs slightly for each email service provider.

I use Gmail, and on Gmail things are always easy. So whenever you receive a mail on Gmail, look for the show details option.

[Image: Gmail - show details option]

When you click on it, the first line will be expanded and you will see a mailed-by line as shown below…

[Image: Gmail - mailed-by info]

Now this is quite different from paypal.com. Moreover, a signed-by line is completely missing! Emails from large organizations also have a signed-by line, which protects them against misuse of their domain name. Now have a look at a genuine email from PayPal…

[Image: Gmail - show details option - a genuine mail]

If you are on Gmail, you can use this show details option to verify the sender of an email. I don’t know about its counterpart on Yahoo or Hotmail, but if you know it, please share.
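What Gmail summarizes as mailed-by and signed-by comes from the raw headers: the envelope sender (Return-Path, checked by SPF) and the d= tag of a DKIM signature. The script below is an added example, not from the original post, that reads those headers with Python's `email` module and compares them with the visible From domain, which is the comparison the two screenshots above make by eye. Both raw messages, the IP address and the DKIM tag values are constructed for the example, and treating Return-Path as "mailed-by" is an approximation of what Gmail shows. One caveat a practitioner should keep in mind: anyone can add a DKIM-Signature header, so it only counts once the receiving server has cryptographically verified it; this script does not verify the signature, it merely reads the header and the server's own Authentication-Results verdict, which is the line to trust when it comes from your own provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw messages (not from the original post); only the headers matter here.
FORGED_MAIL = """\
Return-Path: <bounce@mail.example-phish.net>
Received: from mail.example-phish.net (mail.example-phish.net [198.51.100.23])
        by mx.example.org with ESMTP id abc123
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your account needs verification

Please click Get Verified.
"""

GENUINE_MAIL = """\
Return-Path: <service@paypal.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com;
        dkim=pass header.d=paypal.com
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
        h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "PayPal" <service@paypal.com>
To: user@example.org
Subject: Receipt for your payment

Thanks for your payment.
"""


def domain_of(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def dkim_domain(msg):
    """The d= tag of the DKIM-Signature header, i.e. which domain claims to have signed."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in sig.replace("\r", "").replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "d":
            return value.strip().lower()
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the receiving server's Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def is_under(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))


def assess(raw):
    """Compare the visible From domain with the mailed-by and signed-by evidence."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    mailed_by = domain_of(msg.get("Return-Path", ""))  # envelope sender: roughly Gmail's mailed-by
    signed_by = dkim_domain(msg)                       # DKIM d= tag: Gmail's signed-by
    verdicts = auth_results(msg)
    problems = []
    if not is_under(mailed_by, from_domain):
        problems.append(f"mailed-by {mailed_by or '(none)'} does not match From domain {from_domain}")
    if signed_by is None:
        problems.append("no DKIM signature: the signed-by line is missing")
    elif not is_under(signed_by, from_domain):
        problems.append(f"signed-by {signed_by} does not match From domain {from_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        if mech in verdicts and verdicts[mech] != "pass":
            problems.append(f"{mech} result is {verdicts[mech]}")
    return {"from": from_domain, "mailed_by": mailed_by, "signed_by": signed_by,
            "verdicts": verdicts, "problems": problems}


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_MAIL), ("genuine", GENUINE_MAIL)):
        result = assess(raw)
        print(label, "->", result["problems"] or "looks consistent")
```

For the forged message the envelope sender domain differs from paypal.com and there is no signature at all, which is exactly what the second screenshot shows in Gmail; the genuine one has both lines agreeing with the From domain and passing verdicts from the receiving server.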

Rule 3: Use Google Toolbar or any other anti-phishing technique/filter

Yes, Google Toolbar is not just for making your life easier while using Google’s services. It comes with a built-in anti-phishing filter which warns you whenever you open a malicious site.

Below is a screenshot of the Google Toolbar warning when I opened the site pointed to by the Get Verified text discussed in Rule 1.

[Image: Google Toolbar - Suspected Web Forgery Warning]

Google Toolbar gave me almost 100% protection against phishing sites. Still, if you just don’t like Google Toolbar, you can use Google search to find a good anti-phishing filter for free! 🙂

Rule 4: Use a secure browser like Firefox

All major services authenticate users over secure channels. Even services which normally use unsecure channels process login pages over secure channels; some famous examples are Gmail, Facebook, Orkut and Yahoo. Banking sites normally use secure channels throughout the session.

A small visible difference between secure and unsecure channels is that a secure URL starts with HTTPS while an unsecure one starts with HTTP. Note the missing ‘S’. (Read more on HTTPS)

Now when you encounter a genuine login page in a browser like Firefox, you will notice the following…

  • The navigation bar background changes to yellow, and a lock icon is shown indicating a secure site. Here you should also check the domain name, which we often overlook.

[Image: Firefox - Navigation Bar]

  • The status bar also shows a lock icon along with the domain name for which the digital certificate is issued.

[Image: Send Money, Money Transfer - PayPal]

These two things cannot be forged, so look at them whenever in doubt.
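Rule 4 is really three separate checks: the scheme must be HTTPS, the domain in the address bar must be the one you meant to visit, and the certificate must be issued for that domain. The following added example (not code from the original post) encodes them as one function, including the name-matching rule browsers apply to certificate subjectAltName entries, where a `*` covers exactly one label. It assumes the certificate names are handed in as a plain list (a real browser extracts them after validating the whole chain, which is not shown here); the URLs and certificate names are constructed. The lookalike case is the important one: a phisher can obtain a perfectly valid certificate for a domain they own, so the lock alone only proves you reached the host in the address bar, not that it is the host you intended.

```python
from urllib.parse import urlparse

# Constructed certificate data (not from the original post): the subjectAltName
# entries a browser would compare against the host in the address bar.
PAYPAL_CERT_SANS = ["www.paypal.com", "*.paypal.com", "paypal.com"]
PHISH_CERT_SANS = ["*.example-phish.net", "example-phish.net"]


def san_matches(pattern, host):
    """RFC 6125 style name match: exact, or a '*' that covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # '*.paypal.com' covers 'www.paypal.com' but not 'a.b.paypal.com' or 'paypal.com'
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def is_under(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_login_page(url, cert_sans, expected_domain):
    """Return (ok, reason); ok is True only when all three checks from Rule 4 pass."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # 1. the missing 'S': credentials must only travel over HTTPS
    if parts.scheme != "https":
        return False, f"not HTTPS (scheme is {parts.scheme or 'none'})"
    # 2. the domain in the address bar must be the one you meant to visit;
    #    'www.paypal.com.example-phish.net' is NOT under paypal.com
    if not is_under(host, expected_domain):
        return False, f"host {host} is not under {expected_domain}"
    # 3. the certificate must be issued for that host (the domain in the status bar)
    if not any(san_matches(san, host) for san in cert_sans):
        return False, f"certificate is not issued for {host} (covers {', '.join(cert_sans)})"
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("https://www.paypal.com/signin", PAYPAL_CERT_SANS),
        ("http://www.paypal.com/signin", PAYPAL_CERT_SANS),
        ("https://www.paypal.com.example-phish.net/signin", PHISH_CERT_SANS),
        ("https://www.paypal.com/signin", PHISH_CERT_SANS),
    ]
    for url, sans in cases:
        print(url, "->", check_login_page(url, sans, "paypal.com"))
```

Only the first case passes. The second fails on the missing ‘S’, the third is a valid HTTPS site that simply is not PayPal, and the fourth is the certificate mismatch a browser would warn about.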

Rule 5: Report Phishing…

Great, you saved your ass. It’s time to save others now… 😉

Gmail users can simply use the Report Phishing option as shown below.

[Image: Gmail - Report Phishing]

If you have free time and energy, you can also report phishing to the authorities.

This rule is important because anti-phishing filters use the sites that users report as phishing. So the more you contribute, the better security we all get… 🙂

Remember, phishing is a serious crime and creating a phishing site can easily put you behind bars. On the other hand, if you somehow become a victim of phishing, you cannot sue your bank or service provider for compensation. They have made that clear in their terms of service (ToS), which nobody reads!

It’s your responsibility to fight for yourself. Others can at most help you. Don’t expect more! 🙂

More info: Wikipedia | Howstuffworks

(Photo Credit: http://www.thesecryption.com/)

14 Comments

Pavan Kumar May 20, 2008

* Rule 3 missing.

* In Yahoo! Mail beta, you have to right-click on the mail’s subject and click View Full Headers. It will show you all the details including the IP, SMTP, domain keys, digital signature… One thing is that you need to know how to check them. Anyway, newbies may check the digital signatures. It can be seen directly without viewing the headers.

* One more advisable thing is to go with McAfee Site Advisor.

Rahul Bansal May 23, 2008

@pavan
Thanks Pavan for the correction and for McAfee Site Advisor 🙂

Louise May 20, 2008

Another anti-phishing tip – use online tools that secure your sensitive data, such as passwords.

I work for Passpack which is an online password manager and the only one with anti-phishing:

http://passpack.wordpress.com/2007/02/17/anti-phishing-welcome-message/

So all your passwords are secured in a sort of online vault which only you can access, and with 1Click Login you can be sure that you are logging into your chosen site correctly.

Hope it helps!

Louise

Rahul Bansal May 23, 2008

@Louise
Thanks for the tip, buddy. I will check it soon 🙂

anonymous email May 21, 2008

Rule 4: Only accept TEXT Email Messages.

Email is such an insecure communication tool, I wonder when it will be replaced by something more secure.

Rahul Bansal May 23, 2008

@anonymous
Yeah, while designing SMTP (the protocol for email), security was not taken into consideration. 🙁
While text mails ensure maximum security, it’s hard to switch to them due to the multimedia content we mostly prefer.

Cicero May 24, 2008

Thanks a lot for those tips Rahul. I have been on the internet since I was 10 and I would have got thousands of such stuff. Usually I just delete them. Sometimes, they look so genuine that they interest me.

So I go to their site and type juicy expletives in all text fields and I submit 😀

That ought to annoy them enough 😛

Rahul Bansal May 25, 2008

@Cicero
Yeah, even I sometimes put dirty things in the user ID and password fields on fake login pages 😉

Louise May 26, 2008

@Rahul Bansal

No problem 😉

Aditya March 15, 2009

It has increased quite a lot. I am using McAfee; they have a tool to detect phishing sites, so I hope I am safe.