Phishing involves using email and websites that impersonate the email and websites of organizations with which the target victim already has current dealings. The goal is to gather personal information in order to impersonate the target victim for unauthorized purposes.
The impersonating email (“phishing email” or “phish-mail”) lures target victims to an impersonating website (“phishing site” or “phish-site”). At the phishing site, target victims are asked to divulge confidential information, such as their account name or number, password, mailing address, birth date, credit card number, social security/insurance number, mother’s maiden name and so on.
The information obtained may be used to impersonate the victim while committing fraud, identity theft, theft of services, spamming, corporate espionage and other crimes.
- Conventional phishing involves sending mass amounts of impersonal phishing email. The small percentage of phishing email recipients who already deal with the organization being impersonated are the target victims.
- Targeted phishing (“spear-phishing”) involves sending the target victims personalized emails. At the phishing site, the target may even be greeted by name.
The inclusion of a few personal details in a targeted phishing email and on the targeted phishing site greatly increase the likelihood the target can be lured into divulging additional confidential information.
Here are a few ways you might recognize these messages:
- Be suspicious of any “urgent” requests, such as “we will terminate your account” or “your account will be deleted if you do not provide us with this information or take immediate action”.
- The fraudsters may ask you to provide your username and password or other personal information (e.g. Social Security/insurance number, bank account number, PIN number, credit card number, mother’s maiden name, or birthday). Even if they appear to be from a legitimate source, or contain an official-looking webpage, be careful. Spammers often ask for this information in an attempt to steal your personal information, your money, your credit, or your identity.
Here’s what you can do to protect yourself and stop these unscrupulous fraudsters:
- Check the email address of the sender of the message by hovering your mouse cursor over the sender’s name and verifying that what appears matches the sender’s name. Malicious actors often “spoof” the return address, making it look like the message came from someone else.
- Avoid filling out forms that appear in emails or or providing personal information through email, as security in email is low.
- If an email asks you to “click a link” to open your account, please be aware that this link might be taking you to a phishing site. If you are not 100% comfortable with the source of the email or URL (web address) contained in the email, DO NOT click on that URL. Instead, open a new web browser and go directly to the website to access your account.
- To avoid any attacks or unauthorized scripts (such as trojans) on your computer, as well as malware on your website, it is essential that you keep software up-to-date by installing software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems and software offer automatic patches. Hackers are looking for ways to get access to your personal information and will attempt to get it through known vulnerabilities.
- Check whether the email was authenticated by the sending domain. Click on the ‘show details’ link in the right hand corner of the email, and make sure the domain you see next to the ‘mailed-by’ or ‘signed-by’ lines matches the sender’s email address. If an email is being legitimately sent from HostPapa, it will come from a HostPapa domain name (for example firstname.lastname@example.org) or from HostPapa’s dedicated support domain email@example.com.
- Make sure the URL or website that is provided in the email is correct, and click on any images and links to verify that you are directed to proper pages within the website.
- Always look for the “closed lock” icon in the status bar at the bottom of your browser window whenever you enter any private information, including your password. Make sure that the URL is secure and starts with https:// before entering personal information. Double-click the padlock icon in the browser window frame. A security certificate will pop up. On the “General” tab of the certificate, verify that the domain and company name are what you expect.
- If you’re still uncertain, contact the organization from which the message appears to have be sent. Don’t use the reply address in the message, since it can be forged. Instead, visit the official website of the company in question, and find a different contact address or phone number.