16 07 2012
Phishing Has Nothing To Do With Phish
What is Phishing?
Phishing, contrary to popular belief, is not the practice of following the alternative rock band Phish around, the way that people once followed the Grateful Dead. Phishing is a scam in which the scammer sends email to potential victims in an attempt to get sensitive information from them. The scammer hopes to get bank or Paypal information to steal money directly from that victim, or to get passwords and other sensitive information in order to use that victim’s identity to scam other people. Phishing is most effective when the scam artist poses as an entity that is familiar to the victim. This is most often accomplished by spoofing a company like Bank of America, Paypal, eBay, uBid, or some other auction or financial services Web site.
Spoofing is the process of pretending to be someone else. For instance, as a joke, someone created a site for French Military Victories, which looks like a Google page. Anyone who gets to that site through Google may be fooled into believing that their search yielded no results, until they look closer and see that it was a joke.
Similarly, a scam artist may spoof the look and feel of a particular company’s Web site and email. They may spoof the email address so that, at first glance, it appears to come from a reputable source, and direct the victim to a Web site where information can be collected. Even the request itself is a form of spoofing: many of these financial and auction Web sites genuinely ask users to update their information on a fairly regular basis, so a fake request looks routine.
Once the phishing victim goes to the Web site and provides username, password, or banking information, the phishing scammer is able to use that information to the detriment of the victim. Often, people do not become aware that they were the victims of a phishing scam until all traces of the phishing scammer are long gone.
This phishing scam is a new spin on an old trick. Back in the day, when my friends and I were just getting into hacking, some of us used to do what was called phone phreaking. This ranged from making blue and black boxes and recordings of dial tones and money tones to get free telephone calls, to calling the phone company to ask questions so that we could later use that information to get the telephone operators to do things for us. This usually involved pretending to be, or to know, someone who worked for the local phone company. The more information you already had, the easier it was to get the operator to do things for you, like connect pay phone calls for free or get information about certain telephone numbers.
When we graduated to computer hacking, some of my friends would call a place that they wanted to hack posing as someone in the IT department. We might say that we needed help fixing a problem, and needed the user to type in a few commands. We could easily get modem telephone numbers, usernames, passwords, and IP addresses.
This was called social engineering. The better you were at social engineering, the quicker you could compromise a system, gaining access to all the goodies. While I never became an elite hacker, I was pretty good at using the gift of gab to get info out of people. I have developed that skill into something useful, but I never scammed anyone out of any money by phishing for information.
It all boils down to a confidence scam. However, you can outsmart these phishing scammers. Type the company’s domain name into your browser yourself, rather than clicking the link in the email. If you are still unsure, call the company directly. Identity theft is a huge issue that is becoming more and more prevalent. As consumer confidence increases, we will see more and more of these scams, and similar vacation and travel prize scams. Keep your eyes peeled and your wits about you, and you can protect yourself from these and other online scams.
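The two tells described above (a sender address whose domain does not match the company it claims to be, and a link whose visible text shows one site while the href points at another) can be checked mechanically. The following is an added example, not code from the original post; the message, the `.example` domains and the expected-domain parameter are constructed for illustration, and the domain-matching helper is deliberately crude.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a lookalike sender domain and a link whose
# visible text shows the real site while the href goes elsewhere.
RAW_MESSAGE = """From: "PayPal Customer Service" <service@paypa1-secure.example>
To: victim@example.net
Subject: Please update your account information
Content-Type: text/html

<p>Your account needs updating. Log in here:</p>
<a href="http://login.paypa1-secure.example/update">https://www.paypal.com/myaccount</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'example.com' from 'login.example.com' (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw, expected_domain):
    """Return reasons the message does not match the domain it claims to be from."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # Check the actual address, not the display name the scammer chose.
    sender_domain = msg["From"].addresses[0].domain
    if registered_domain(sender_domain) != expected_domain:
        reasons.append(f"sender domain {sender_domain} is not {expected_domain}")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname or "")
        if target != expected_domain:
            reasons.append(f"link goes to {target} but its text shows {text!r}")
    return reasons
```

Running `phishing_indicators(RAW_MESSAGE, "paypal.com")` flags both the sender domain and the mismatched link; a message whose address and links all sit under the expected domain returns an empty list.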