What do you know about Phishing?

Quite often I get an email warning me to verify my account as there's been suspicious activity associated with it.

Within the email there's usually at least one link that takes me to a log-in page where I should type my username and password, and all will be well, seemingly.

Well, it's entirely likely that this type of email is a "phishing" email attempting to discover my username and password.

Once someone has a username and password, for example for an email account, they can read the mailbox at will and extract all sorts of useful information.

For example, when you forget the password for some other service you are asked to fill in some information, and a message is sent to your email address in return giving you your password, or even both your username and password. Whoever controls the mailbox therefore controls every account that uses it for password recovery.

I've seen examples where not only the password is given, but other data that you provided to verify who you are, such as "mother's maiden name", "best friend at school" etc.

So, buried in your emails is information such as this.

In fact, given your email address and the password you kindly typed into the phishing page, the sender can even send emails from your account, in your name.

Today, I received an email from BT Yahoo.

The links within the email carried strange addresses, but on further investigation these proved to be genuine addresses said to belong to a partner of BT.

BT's website actually states that the presence of these odd addresses implies that the email is genuine and not a phishing email.

 

I don't believe that the email is genuine however.

Yes, the addresses look genuine, but let me explain how this can be misleading, and more importantly how one can identify an email as a phishing attempt.

In my case it was dead easy.

The give-away was the sender's name.

Outlook provided the following...

BT Yahoo [gracem.richardson@talk21.com]

It seems this person has a virus or a Trojan horse on their computer.

The virus has sent a fake email to everyone in their contacts folder, presumably including myself.

Next, if the link address looks genuine, surely no harm can come from opening the web page and logging on?

Consider this. A rogue has managed to obtain the password used to manage a website. Not BT's own site, but the website of their partner with the odd-sounding but genuine domain name.

A website is merely a collection of pages, much like a folder of Word documents, that are linked together. Visitors usually enter via the index page, but a page need not be linked from anywhere to be reachable: anyone who knows its address can open it directly.

For example, the BBC directs viewers to its online content by adding a path such as /springwatch after the domain name.

Having hacked into the website, the rogue can upload a set of new stand-alone pages that no existing page links to.

These are reached only via the links included in the phishing email, so ordinary visitors never stumble across them, and they can even sit alongside, or link to, "real" BT pages.

With the same access, a real log-in page can be downloaded, modified so that whatever is typed into it is sent to the rogue, and put back among the spoof pages.

All the logos are genuine, as are any pre-existing links, and the address bar shows the legitimate domain, but anything typed into the log-in fields is captured by the rogue.
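The two checks described above can be automated: compare the sender's display name with the address that actually sent the message, and compare the host of every link in the body with the domains you expect. The following Python script is an added example, not code from the original post. The message it parses is constructed for illustration, the addresses in it are placeholders, and TRUSTED_DOMAINS is an assumed list that you would fill with the real provider's domains.

```python
"""Heuristic phishing checks on a raw email message (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The From header
# follows the pattern in the post: a brand as the display name, but an
# unrelated consumer mailbox as the actual sending address. All addresses
# and hosts below are placeholders.
SAMPLE_EMAIL = """From: BT Yahoo <someone@example.net>
To: victim@example.org
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Suspicious activity was detected. <a href="https://account.example.com/verify">Log in</a>
to confirm your details.</p>
<p>Or use <a href="http://login-bt.example-partner.test/secure/index.php">this link</a>.</p>
</body></html>
"""

# Assumption: the domains the recipient legitimately expects mail and links
# from. Fill this with the real provider's domains; these are placeholders.
TRUSTED_DOMAINS = {"bt.com", "example.com"}


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def sender_mismatch(msg) -> bool:
    """True when the display name claims a brand that does not appear as a
    label of the sending domain (e.g. 'BT Yahoo <x@talk21.com>')."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand_words = [w.lower() for w in name.split() if w.isalpha()]
    if not brand_words or not domain:
        return False
    labels = domain.split(".")
    # A brand word that is not one of the domain labels is a strong hint of
    # a spoofed or hijacked sender.
    return not any(w in labels for w in brand_words)


def suspicious_links(msg, trusted=TRUSTED_DOMAINS) -> list:
    """Return hrefs whose host is neither a trusted domain nor a subdomain
    of one. Link text and logos are deliberately not inspected: as the post
    notes, pages planted on a compromised site look entirely genuine."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkExtractor()
    parser.feed(body)
    flagged = []
    for href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            flagged.append(href)
    return flagged


def analyse(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw)
    return {
        "sender_mismatch": sender_mismatch(msg),
        "suspicious_links": suspicious_links(msg),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

Note the limit the post itself points out: a link that passes the domain check can still lead to a spoof page planted on a compromised partner site, so a script like this can only raise suspicion, never prove a message genuine.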

In summary, let BT contact you by letter. Do not rely on emails. That goes for ANY email you receive that asks, directly or indirectly, for information. If you do need to log in, type the site's address yourself or use a bookmark rather than following a link in the email.

 

Included in my email box this month were phishing emails from eBay, from PayPal (lots of these) and from Facebook.

Which reminds me... I fell for the Facebook email and changed my password because an unauthorised person in Kentucky had logged into my account!!!

Oops... I'll change it again. This time via Facebook...

 
