Just the Facts: phishing

WHAT IS PHISHING? Phishing is the use of deceptive e-mails to evade security measures and steal private information that can be used to commit fraud or theft.

The most common phishing technique involves the use of a fraudulent or manipulated e-mail to entice victims to visit a malicious Web site that claims to be authentic. For example, U.S. Army Europe computer users have recently been the target of phishing attempts that used falsified e-mails that claimed to originate from Army Knowledge Online and asked them to divulge their AKO account login and password information.

HOW DOES PHISHING WORK? Experts say that like “fishing,” a phishing e-mail attack uses a lure, hook and catch to snare victims. The lure is something used to entice or encourage the recipient to provide confidential information. The hook is an authentic-looking request for information. And the catch is when the sender uses a victim’s information to conduct illegal transactions.

Often, the lure will encourage the recipient to follow a link that will take them to what appears to be a legitimate Web site. This belief that the e-mails, and the sites they lead to, are authentic is the primary reason phishing attacks continue to succeed, experts say. But in phishing attacks, the e-mails and sites are not authentic — both are frauds that mimic the look and feel of the legitimate versions.
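The lure described above works because the visible link text looks legitimate while the real destination is a look-alike site. The following is an added example, not part of the U.S. Army Europe text, showing one defensive check a mail gateway or awareness tool can apply: parse the anchors in an HTML message body, compare the host a reader sees with the host the browser would actually visit, and flag any destination that is not on the organisation's list of known-good hosts. All hostnames, the allow-list and the sample message are constructed placeholders under the reserved `.example` domain and a documentation IP range; `suspicious_links` and `KNOWN_GOOD_HOSTS` are names chosen for this example.

```python
"""Flag deceptive links in an e-mail body.

Added example for this article (not U.S. Army Europe code).  Hosts, the
allow-list and the sample message below are constructed placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: hosts the organisation considers legitimate.
KNOWN_GOOD_HOSTS = {"portal.example", "www.portal.example"}

# Visible text that itself looks like a URL or bare hostname.
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url: str) -> str:
    """Return the lower-cased host part of a URL or bare hostname ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html_body: str) -> list:
    """Return (visible text, href, reason) for each anchor that looks deceptive."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        dest = _host(href)
        shown = _host(text) if _LOOKS_LIKE_URL.fullmatch(text) else ""
        if shown and shown != dest:
            # The reader sees one site, the browser would go to another.
            findings.append((text, href, "visible URL differs from real destination"))
        elif dest and dest not in KNOWN_GOOD_HOSTS:
            # Plain "Click here" text, but the destination is unknown to us.
            findings.append((text, href, "destination host is not on the allow-list"))
    return findings


# Constructed sample message: one look-alike link, one raw-IP link, one genuine link.
SAMPLE_EMAIL = """<p>Your account will be locked unless you confirm your password.</p>
<a href="http://www.portal-login.example/verify">https://www.portal.example/login</a>
<a href="http://198.51.100.7/secure">Click here</a>
<a href="https://www.portal.example/help">Help desk</a>"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href!r}")
```

On the sample message the first two anchors are reported and the genuine help-desk link is not. The host comparison is deliberately strict: a visible `www.portal.example` pointing at `www.portal-login.example` is exactly the mimicry the article describes, so any difference between shown and actual host is treated as a finding rather than scored for similarity.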

WHAT IS SPEAR PHISHING? Spear phishing is the name for phishing attacks aimed at a specific group of people. The attacker sends an e-mail to several people in the same group or organization, and the e-mail often looks as if it was sent by another legitimate member of the group.

WHAT ARE PHISHERS AFTER? Phishing e-mails are usually attempts to gather passwords, PINs, credit card validation codes, or ATM, bank account, debit card, credit card or social security numbers. Department of Defense information assurance experts say spear phishers are usually trying to commit financial fraud. Phishing can be used by terrorists, nations or military forces to steal credentials and create “backdoors” into networks that allow them to gather military intelligence, conduct espionage and information warfare, alter information, and disrupt systems during important events. This can be true even with unclassified networks and takes advantage of users’ trust, complacency or lack of knowledge.

DON’T BECOME A VICTIM! Information assurance experts offer several suggestions:

» Digitally signing e-mails to ensure their integrity is a good practice in general, but particularly vital for messages that ask a user to provide personal or sensitive information. Avoid opening or answering any e-mail asking for personal, sensitive or other critical information unless the message has been authenticated.

» Don’t click on links in unsolicited e-mails, especially those asking for personal or sensitive information. Even if you do not supply the requested information, just clicking on a link may enable the sender to access your computer, record keystrokes and capture passwords.

» Never call telephone numbers listed in suspicious e-mails.

» Go directly to Web sites by typing a site’s address into your browser and then bookmarking it.

» When possible, set up a login “cookie” that helps a site to remember your user ID. That way, when you return to the site to sign on, your user ID will appear in the site’s sign-in box — something a phishing site can’t do. One exception: never set up a login cookie on a public or shared computer.

» Create a different, hard-to-guess password for each account you access. Use at least six characters and a mix of letters and numbers.

For more information and resources on information assurance, force protection and operational security, visit the U.S. Army Europe “Vigilance” Web page at www.hqusareur.army.mil/vigilance.

(Courtesy of U.S. Army Europe)