What Are Phishing Scams And How Can I Avoid Them?

On this page:

  • Phishing explained
  • Specific types of phishing
  • Avoiding phishing scams
  • Warnings
  • Reporting phishing attempts
  • Example of a phishing scam

Phishing explained

Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed web site or otherwise get you to divulge private information (e.g., password, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.

One type of phishing attempt is an email message stating that you are receiving it due to fraudulent activity on your account, and asking you to “click here” to verify your information.

Phishing scams are crude social engineering tools designed to induce panic in the reader. These scams attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

Specific types of phishing

Phishing scams vary widely in terms of their complexity, the quality of the forgery, and the attacker’s objective. Several distinct types of phishing have emerged.

Spear phishing

Phishing attacks directed at specific individuals, roles, or organizations are referred to as “spear phishing”. Since these attacks are so pointed, attackers may go to great lengths to gather specific personal or institutional information in the hope of making the attack more believable and increasing the likelihood of its success.

The best defense against spear phishing is to carefully, securely discard information (i.e., using a cross-cut shredder) that could be used in such an attack. Further, be aware of data that may be relatively easily obtainable (e.g., your title at work, your favorite places, or where you bank), and think before acting on seemingly random requests via email or phone.

Whaling

The term “whaling” is used to describe phishing attacks (usually spear phishing) directed specifically at executive officers or other high-profile targets within a business, government, or other organization.

Avoiding phishing scams

Reputable organizations will never use email to request that you reply with your password, Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a web site or by replying to the message itself. Never reply to or click the links in a message. If you think the message may be legitimate, go directly to the company’s web site (i.e., type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.

When you recognize a phishing message, delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the web sites it points to.

Always read your email as plain text.

For help, see Microsoft Support.

Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client’s ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

Warnings

Reading email as plain text is a general best practice that, while avoiding some phishing attempts, won’t avoid them all. Some legitimate sites use redirect scripts that don’t validate the destination of the redirect. Consequently, phishing perpetrators can use these scripts to redirect from legitimate sites to their fake sites.

Another tactic is the homograph attack: because modern browsers support Internationalized Domain Names (IDN), attackers can use characters from other language character sets to produce URLs that look remarkably like the authentic ones. See Don’t Trust Your Eyes or URLs.
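The three warning signs above (link text that names one site while the link goes to another, non-ASCII or mixed-script host names, and redirect parameters on an otherwise legitimate site) can all be checked mechanically once a message is read as plain text. The following is an added example, not code from the original article; it uses only the Python standard library, and the email body and every domain in it are constructed for the demonstration.

```python
"""Flag suspicious links in an HTML email body.

Added example (not part of the original article). It reports three things:
link text that shows a different host than the href, host labels that are
non-ASCII or mix scripts (IDN homograph), and query parameters that carry a
URL to another host (open redirect on a legitimate site).
"""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample email body; all hosts are hypothetical.
SAMPLE_HTML = """
<p>Your account will be closed unless you verify now.</p>
<a href="http://login-verify.example.net/acct">https://www.bank.example/verify</a>
<a href="https://www.bank.example/go?next=http://evil.example.org/login">Click here</a>
<a href="https://www.b\u0430nk.example/login">bank.example</a>
<a href="https://www.bank.example/help">Help centre</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def host_of(text):
    """Extract a hostname from a URL or bare domain; drop a leading www."""
    candidate = text if "://" in text else "//" + text
    host = (urlparse(candidate).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_link(href, text):
    """Return a list of warning strings for one link (empty means no finding)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    # 1. Visible text names one host, the href goes to another.
    shown = host_of(text)
    if shown and "." in shown and shown != host_of(href):
        findings.append(f"text shows {shown} but link goes to {host}")

    # 2. Non-ASCII or mixed-script label: possible IDN homograph.
    for label in host.split("."):
        if not label.isascii():
            try:
                puny = label.encode("idna").decode("ascii")
            except UnicodeError:
                puny = "<not encodable>"
            findings.append(f"non-ASCII host label {label!r} (punycode {puny})")
        if len(scripts_in(label)) > 1:
            findings.append(f"mixed scripts in label {label!r}")

    # 3. A query parameter carrying a URL to a different host (open redirect).
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            target = urlparse(value).hostname
            if target and target != host:
                findings.append(f"parameter {key} redirects to {target}")
    return findings


def analyze_html(body):
    """Map each href in the body to its list of findings."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: analyze_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, findings in analyze_html(SAMPLE_HTML).items():
        print(href)
        print("    " + ("OK" if not findings else "; ".join(findings)))
```

Only the last link in the sample passes clean; the first three each trip one of the checks, and the Cyrillic "а" in the third is caught both by the mixed-script test and by the mismatch with the visible "bank.example".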

Reporting phishing attempts

For more about phishing scams, see Phishing.


Encryption Explained

From Wikipedia: encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

While the process of encrypting information is nothing new, encryption technologies are a hot topic in IT recently — with good reason. This article hopes to explain the various types of encryption as used regularly by IT pros.

At rest vs. in transit

Data can be encrypted two ways: at rest and in transit.

At rest

Refers to data storage — either in a database, on a disk, or on some other form of media.

Examples of at rest encryption

In transit

Refers to data that is encrypted as it traverses a network, including via web applications, smart phone apps, chats, etc. In transit covers the period from the moment data leaves the storage drive or database until it is re-saved or delivered to its destination. Protecting information in transit essentially protects against others attempting to snoop or eavesdrop on the information as it traverses the network.

Examples of in transit encryption

Please note: employing these two types of encryption safeguards must occur in tandem; it’s not automatic. Data encrypted at rest does not guarantee it remains encrypted as it traverses a network. Conversely, data encrypted “over the wire” does not offer any safeguard that the content remains encrypted after it has reached its destination.

Encryption methods and protocols

The actual processes and algorithms that encryption technologies and software use differ. The current standard specification for encrypting electronic data is the Advanced Encryption Standard (AES). Almost all known attacks against AES’ underlying algorithm are computationally infeasible — in part due to lengthier key sizes (128, 192, or 256 bits). If this argument sounds familiar, see: Passwords and Passphrases.

Symmetric vs. asymmetric key algorithms

Symmetric key algorithms use related, often identical, keys to both encrypt and then decrypt information. In practice, the key is known as a shared secret between two or more parties.

Asymmetric key algorithms, however, use different keys to encrypt and decrypt information; one key encrypts (or locks) while the other decrypts (or unlocks). In practice, this is known mostly as a public/private key; the public key can be shared openly, the private key should not. In most cryptographic systems, it is extremely difficult to determine the private key values based on the public key.

How this encryption works

Using public/private keys, the lock/unlock algorithm can go two ways. Alice can encrypt some bit of information with Bob’s public key, and then send it to Bob. Only the holder of Bob’s private key should be able to decrypt and read the message. Conversely, Alice could encrypt some bit of information with her own private key — and while anyone else in the world could read the message, they would have to use Alice’s public key to do so, meaning that the message must have come from Alice.
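Both directions of the lock/unlock idea can be followed with textbook RSA, where "locking" with one half of the key pair is undone only by the other half. The following is an added example, not from the original article: the primes are small constructed values so the arithmetic is visible, there is no padding, and a real system would use keys of 2048 bits or more with OAEP or PSS padding; the names and helper functions are the example's own.

```python
"""Textbook RSA walk-through of the two directions described above.

Added example (not part of the original article). Small constructed primes,
no padding: a teaching aid for the lock/unlock idea, not a usable cipher.
"""


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Modular inverse of a modulo m (raises if none exists)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse")
    return x % m


def make_keypair(p, q, e=65537):
    """Build (public, private) keys from primes p and q.

    public = (n, e) can be handed to anyone; private = (n, d) must stay secret.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def lock(value, key):
    """Apply RSA with whichever half of the key pair is given: value^k mod n."""
    n, k = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, k, n)


def to_int(text):
    return int.from_bytes(text.encode(), "big")


def to_text(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


# Constructed primes for the demo (the 1,000th, 10,000th, 100,000th and
# 1,000,000th primes). Each party gets a distinct pair.
bob_public, bob_private = make_keypair(104729, 15485863)
alice_public, alice_private = make_keypair(7919, 1299709)


def send_to_bob(plaintext):
    """Alice locks with Bob's public key; only Bob's private key unlocks it."""
    return lock(to_int(plaintext), bob_public)


def bob_reads(ciphertext):
    return to_text(lock(ciphertext, bob_private))


def alice_signs(plaintext):
    """Alice locks with her private key; anyone can unlock it with her public key,
    so a match proves the message came from Alice."""
    return lock(to_int(plaintext), alice_private)


def verify_from_alice(signature, claimed_text):
    return lock(signature, alice_public) == to_int(claimed_text)


if __name__ == "__main__":
    c = send_to_bob("hey")
    print("ciphertext for Bob:", c, "-> Bob reads:", bob_reads(c))
    s = alice_signs("ok")
    print("Alice's signature:", s, "-> verifies as 'ok':", verify_from_alice(s, "ok"))
```

The same `lock` function serves both directions; what changes is which half of which key pair is used, which is exactly the point the paragraph makes.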

Common technologies that rely on public key cryptography include TLS/SSL and PGP.

Read more about public key cryptography.


Passphrase Vaulting

Not so long ago, if you needed money from the bank you walked inside and interacted with a teller. Eventually, you got to know the bank teller, and proving who you were was rather easy. Then, banks realized that customers were willing to accept less personal interaction with a teller in exchange for the 24-hour convenience of an ATM. With an ATM, there are two elements of security: you need both an ATM card (that is, something you have) and a PIN number (something you know) to access your account.

The internet made things even easier: you no longer have to drive around to find an ATM; instead, the bank has a website that customers can use from anywhere in the world via a web browser. The problem with this system is that the only thing protecting your account on the web is the passphrase you have selected (something you know). When the only thing required to access your bank account is something you know, anyone else who knows your passphrase can access your account. Some banks and companies offer two-factor authentication services using text messages or a token device that can also assist in protecting your accounts.

Faced with this security problem, you might think about just selecting a really long and complicated passphrase. That is a great solution when you have only one passphrase to remember, but consider all the other accounts you access online: your credit union, your retirement account website, Hotmail, Facebook, the lawn service, the newspaper, the gas company, the electric company, etc. Before you know it, you have over a dozen unique, difficult-to-remember passphrases.

How do most people cope with this problem? One method is to use the same passphrase everywhere. However, the problem with this is that if any one of the places where you use the passphrase is compromised, or if you use the passphrase on a compromised computer with a keystroke logger, you have just given an attacker the passphrase to all of your online accounts.

Another common method is to write all the passphrases down on a piece of paper. All too often this is a sticky note attached to the monitor of the computer or left under the keyboard. Even worse, frequently these notes do not just contain the passphrases, but also usernames and even the associated services. Anybody that finds the paper gets a list of all your important accounts and how to access them. Variations on this method, such as only writing down clues to help you remember what passphrase you need, are sometimes successful, but these successes are the exception to the rule.

So, since you probably cannot remember all of your passphrases (the most secure option), and you should not repeat them or write them all down (the most convenient options), what can you do? Balance the need for security and convenience by storing your passphrases in a secure manner. Fortunately, numerous programs exist to do this for you. They are known as passphrase vaults.

Passphrase Vaults

A passphrase vault is a program that balances the security of multiple passphrases with the convenience of recording them. You create a single strong passphrase to protect the passphrase vault, and then the vault program takes care of securely storing the rest of your hard-to-remember passphrases. Think of a passphrase vault as being similar to a bank vault; only with the vault combination (passphrase) can you unlock the protected items inside (other passphrases).

Passphrase Vault Best Practices

Protect the passphrase vault with a strong passphrase.

A good passphrase vault is encrypted with a passphrase of your choosing. Since the passphrase keeping program stores passphrases using reversible encryption, if an attacker is somehow able to obtain the raw password vault file, your password vault passphrase is the only thing stopping her from decrypting the contents of the file.

Use a passphrase to protect the password vault that is different from any of the passphrases stored inside the vault.

All of the passphrases in the passphrase vault can be displayed on the screen for the user or placed in memory (as clear text) for the computer. The only passphrase that is not stored this way is the one used to protect the passphrase vault itself.

If a passphrase used for a particular web site is compromised, this prevents the malicious person from using that passphrase to gain access to the rest of the passphrases in the vault.
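The two practices above come down to how the vault file is built: the master passphrase is the only thing between a stolen file and its contents, so it must be stretched with a slow key derivation function and must not appear among the stored entries. The following is an added illustration, not code from the article or from any real vault product. It uses only the Python standard library; since the standard library has no AES, an HMAC-SHA256 counter-mode keystream stands in for the cipher (an assumption made to keep the demo runnable offline; a real vault would use an authenticated cipher such as AES-GCM). The file format, function names and iteration count are the example's own.

```python
"""Minimal passphrase-vault file format (added example, see lead-in).

Layout of the sealed file: salt(16) | nonce(16) | encrypted JSON | HMAC tag(32).
The master passphrase is stretched with PBKDF2 and the file is authenticated,
so a wrong passphrase is rejected instead of yielding garbage.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000  # constructed choice; raise it as hardware allows


def derive_keys(passphrase, salt):
    """PBKDF2-HMAC-SHA256 stretches the passphrase into two independent keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]  # (encryption key, MAC key)


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(entries, passphrase):
    """Encrypt-then-MAC a dict {service: {username, passphrase}} into file bytes."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    return salt + nonce + body + tag


def open_vault(blob, passphrase):
    """Return the entries; raise ValueError on a wrong passphrase or altered file."""
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted vault")
    return json.loads(keystream_xor(enc_key, nonce, body))


def try_open(blob, passphrase):
    """Convenience wrapper: the entries, or None if the vault will not open."""
    try:
        return open_vault(blob, passphrase)
    except ValueError:
        return None


def master_is_reused(master, entries):
    """True if the master passphrase equals any stored one (it must not)."""
    return any(e["passphrase"] == master for e in entries.values())


if __name__ == "__main__":
    # Constructed demo entries; none of these are real credentials.
    demo = {"bank.example": {"username": "alice", "passphrase": "correct horse battery"}}
    master = "a different, long master phrase"
    vault = seal(demo, master)
    print("master reused inside vault:", master_is_reused(master, demo))
    print("wrong passphrase ->", try_open(vault, "guess"))
    print("right passphrase ->", try_open(vault, master))
```

Every guess at the master passphrase costs an attacker one full PBKDF2 run, which is why the iteration count is the dial to turn up, and why a master passphrase that also appears inside the vault would hand over everything the moment that one site is breached.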

Protect the password vault file.

Simply put, the passphrases must be saved in a file somewhere. Place the passphrase vault file on a small USB drive (e.g., thumbdrive, mp3 player, or iPod) that you always keep with you. Storing this vault file on a device other than your computer’s hard drive adds an additional layer of complexity: many viruses (and other forms of malicious software) only search the hard drive or the logical drive of the operating system and do not look at other drives.

Also pay attention to where any temporary files are stored. If your passphrases are stored in a clear text file on the hard drive while the passphrase vault is in use, that temporary file may leave traces behind that an attacker would be able to find.

Clear the clipboard.

Some programs will copy your passphrase into the clipboard and allow you to simply paste it into a form. This can be incredibly convenient, but the passphrase is stored in the clipboard as clear text. Therefore, you need to be sure that the passphrase is removed from the clipboard as soon as it is used.

Never leave your computer logged in and unattended.

Again, because passphrases are stored using reversible encryption, if your vault is unlocked anyone can sit down at your computer and read or write down your passphrases. This makes logging off or locking your computer when you step away critical. In less than the time it takes you to walk to the restroom and back, a malicious person can find and export your password vault passphrases.

Select a vault program that works with all your platforms.

Increasingly, mobile computing devices (tablets, smart phones, etc.) are used for day-to-day tasks such as shopping or banking. Storing passwords on these devices unencrypted exposes you to additional risk, as they are more likely to be lost or stolen than a desktop computer. Many passphrase vault applications offer mobile versions that work with various platforms.

Passphrase Vault Programs

Personal Use:

Enterprise:
