Sorry, No Phishing Allowed (Hypertext Student Newsletter)

This story, written by Michael Giardina, a junior in English & Creative Writing, was originally published in the Spring 2005 edition of the Hypertext quarterly student newsletter. Go to http://scg.ucdavis.edu/hypertext/2005spring.pdf to view a downloadable PDF of the entire newsletter.

Does your email inbox seem like an aquarium filled with perilous, poisonous phish? I bet the following looks awfully familiar: "We have determined someone logged into your Washington Mutual Account. Confirm your account info with us immediately or we will suspend your account." Lies! Yet, countless people have fallen victim to the con artists who design these well-crafted schemes; don't get hooked! If you learn to spot a scam, you can avoid spending untold hours undoing identity theft--hours better spent watching The Simpsons.

WHAT IS PHISHING?
The term "phishing," first coined by hackers in 1996, refers to the process by which scammers use email or other "lures," such as instant messages, to fish for personal information from unsuspecting computer users. This info includes bank account information, social security numbers, and other private info. America Online, eBay, PayPal, US Bank, and Washington Mutual are among the companies that have been targeted by phishers.

IDENTIFYING A PHISHING SCAM
You can avoid being reeled in by recognizing these common phishing characteristics:

Authentic-looking graphics
A Washington Mutual logo or graphic doesn't guarantee the request for personal information is legitimate. Mimicking Web graphics is an easy cut and paste job, so don't be fooled by a crafty designer.

Threatening tone
Phishing emails often include distressing statements like, "Your account will be closed unless you act immediately." Come on, now. Real companies want to keep your business. If you're worried, call the company and ask if the email is genuine.

Requests personal information
Most legitimate businesses will not ask you to provide information like passwords, account numbers, or PIN numbers via email or through a Web form. If a Web site asks for private information, be wary.

Misleading Links
These are tricky. Using a process called "masking," phishers create a link that appears to be from a legitimate site (e.g., paypal.com). However, when you click the link, you will notice the actual URL leads to a different address--a scam site with a URL like www.hax0rsPwNu.tk/paypal. To avoid "masked" links, open your Web browser and type the legitimate link yourself.

Spelling & grammatical errors
Emails with many grammatical or spelling errors are often scams; scammers will misspell words intentionally to avoid spam filters. Also, many of these phishing sites originate in countries other than the U.S. These phishers don't fully understand the spelling and grammar standards used by the businesses they're mimicking.

Message just doesn't seem right
"I see phishers; they're everywhere." Use your sixth sense to spot scams. If you feel uncomfortable or think a site might be asking for too much personal info, don't take the chance. Find an official business phone number and ask the company if the email is legit.

DON'T GET PHISHED ON THE WEB
Most phishers will direct you to a fake Web site, but there are a number of warning signs that will help you spot a phisher's site before disclosing private information:

Is the Web site secure?
Giant text that says SECURE doesn't mean a thing. Secure sites usually contain a small image of a locked padlock in the bottom right corner of the browser frame. Also, the URL for most secure sites starts with "https" instead of the unsecured "http."

Learn to read URLs.
Pop quiz: Is this a phish? http://www.visa.com/?rDirl=http://200.251.251.10/. The answer: "YES." The first part of the address appears to lead to Visa, a legitimate company. The last half of the link, however, redirects you to a different site. You can tell because the "http" appears twice.

Avoid sites that don't disclose their domain name.
When you see a URL containing an IP address--four sets of numbers separated by periods (e.g., 200.251.251.10)--you should be cautious. Most scammers mask their identity by giving numbers instead of a real domain name, such as "www.google.com."
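
The three link checks described under "Misleading Links," "Learn to read URLs," and "Avoid sites that don't disclose their domain name" can be automated for the links in an HTML email. The sketch below is an added example, not part of the original newsletter; the function names and flag labels are made up for illustration, and the sample message is constructed from the URLs quoted in this article.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host without a leading 'www.'; a scheme is assumed if absent."""
    full = url if re.match(r"\w+://", url) else "http://" + url
    host = urlsplit(full).hostname or ""
    return host[4:] if host.startswith("www.") else host

def check_link(href, text=""):
    """Return which of the article's warning signs a link shows."""
    flags, host = [], host_of(href)
    try:
        ipaddress.ip_address(host)          # numbers instead of a domain name
        flags.append("ip-address-host")
    except ValueError:
        pass
    parts = urlsplit(href)
    if re.search(r"https?://", parts.path + "?" + parts.query, re.I):
        flags.append("embedded-url")        # "http" appears a second time
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
    if shown and host_of(shown.group(1)) != host:
        flags.append("masked-link")         # text names one site, href another
    return flags

def scan_email(html):
    """Map each link target in the message to its list of warning signs."""
    collector = AnchorCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}

# Constructed sample message, built from the URLs quoted in the article.
SAMPLE = ('<a href="http://www.hax0rsPwNu.tk/paypal">www.paypal.com</a> '
          '<a href="http://www.visa.com/?rDirl=http://200.251.251.10/">Visa</a> '
          '<a href="https://www.paypal.com/">paypal.com</a>')
```

An empty list means none of the three signs was found, not that the link is safe; the other warning signs in this article still apply.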

Watch out for browser and rendering errors.
If you visit a site and are warned of browser or rendering errors, beware: legitimate businesses rarely make such coding mistakes.

Keep your computer up to date.
As vendors like Apple and Microsoft uncover scams, they release updated "patches" to fix vulnerabilities in their operating systems. Because phishing scams seem to be produced faster than allergies in a Davis spring, you should update your computer regularly. Many new operating systems will check for and download updates automatically.

SO YOU THINK YOU'VE BEEN SCAMMED?
If so, take action as quickly as possible. The proper procedures can be found at www.antiphishing.org/consumer_recs2.htm. You can also report fraudulent sites to the FBI's Internet Fraud Complaint Center. Click on "File a Complaint."

For examples of phishing scams, including an explanation of the tactics con artists use, visit security.ucdavis.edu/101_phishing.cfm. For more advice, visit the campus' "Ten Steps to Safe Computing" at security.ucdavis.edu/security101.cfm. Phishers are like Fugu fish; if you don't properly handle their venom, you're going to be writhing in misery, but that's not likely to happen because now you know how to spot a phish out of water.