University of Alabama at Birmingham
Information Technology
Data Security

Cyber Security - What is Phishing & How Can I Avoid It?

Phishing Explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g. your university, your Internet Service Provider, your bank).  These messages usually direct you to a spoofed web site and ask you for private information (e.g. password, credit card, or other account updates).  The perpetrators then use this private information to commit identity theft.

An example of a phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.  For more examples, see:

http://www.antiphishing.org/phishing_archive.html

How to Avoid Phishing Scams

To avoid these scams, never click the links provided within these types of email messages.

If you feel the message may be legitimate, go directly to the company’s web site (i.e. type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.  Alternatively, copy and paste the URL from the message into your browser rather than clicking it.  Delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.

Always read your email as plain text.  Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to.  Additionally, when you allow your mail client to render HTML or other non-text-only formatting, attackers can take advantage of your mail client’s ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

Warnings

Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won’t avoid them all.  Some legitimate sites use redirect scripts that don’t check the redirect location.  Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.

Another tactic is the homograph attack, which, due to Internationalized Domain Name (IDN) support in modern browsers, allows attackers to use characters from other language scripts to produce URLs that look remarkably like authentic ones.  For more, see:

http://db.tidbits.com/article/07983
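As an added illustration of the two warnings above (link text that hides a different target, and IDN homograph hostnames), not part of the original UAB page: a small Python checker that pulls the links out of an HTML message the way a plain-text view would expose them, then flags hostnames that mix scripts or differ from what the visible text shows. The sample message and its addresses are constructed for the example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML message (not a real phishing email). Link 1 hides an
# unrelated target behind trustworthy-looking text, link 2 has a Cyrillic "а"
# (U+0430) in the host, link 3 is an ordinary link.
SAMPLE_HTML = (
    '<p>Verify your account: <a href="http://203.0.113.5/login">www.uab.edu</a></p>'
    '<p>Or visit <a href="http://www.u\u0430b.edu/it">www.uab.edu/it</a></p>'
    '<p>Help: <a href="https://www.uab.edu/it/datasecurity">IT Data Security</a></p>'
)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_scripts(host):
    """Approximate the scripts used in a hostname via the first word of each
    letter's Unicode name (e.g. LATIN, CYRILLIC, GREEK)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}

def check_link(href, text):
    """Return warning strings for one link; an empty list means nothing suspicious."""
    warnings = []
    host = (urlsplit(href).hostname or "").lower()
    scripts = host_scripts(host)
    if len(scripts) > 1:  # classic homograph: Latin letters mixed with look-alikes
        warnings.append(f"mixed scripts in hostname {host!r}: {sorted(scripts)}")
    elif not host.isascii():
        warnings.append(f"non-ASCII hostname {host!r} (punycode {host.encode('idna').decode()})")
    if text and "." in text and " " not in text:  # visible text looks like a URL
        shown = (urlsplit(text if "://" in text else "http://" + text).hostname or "").lower()
        if shown != host:
            warnings.append(f"text shows {shown!r} but link goes to {host!r}")
    return warnings

def scan_email(html):
    """Parse an HTML message and return [(href, text, warnings)] for every link."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]
```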

Report Phishing Attempts

You can report these phishing scam attempts to the company that’s being spoofed or the Federal Trade Commission:
https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

The UAB Data Security Office is also available:
datasecurity@uab.edu
www.uab.edu/it/datasecurity

© 2004 - The University of Alabama at Birmingham - All Rights Reserved
This file was last updated on: Thursday, 13-Dec-2007 15:19:08 CST