Phishing emails

By | September 5, 2007

Are you a target of phishing emails on a daily basis? Of late, I have noticed a rise in phishing emails to my mail inboxes, and I wonder how many people worldwide are affected on a daily basis. Previously few and far between, they are now getting more frequent.

Typically, phishers use cleverly planted subdomains to generate a temporary URL which would temporarily get through the phishing databases maintained by the major browsers. Before they’re found out, they move on. Would this make the anti-phishing filters redundant?

Here’s an example of a phishing email, the kind which I get rather frequently.


Clicking the links generates a phishing site warning from Firefox.

Actually, most phishing sites would not get past the anti-phishing databases of the major browsers. All the major Web browsers (IE, Firefox, Opera, etc.) have constantly updated anti-phishing databases, which have one major weakness: any phisher can easily compare his phishing site against the database, and throw up another when the current one “expires.”

Phishers target anything and everything. Recently, there was a Gmail phishing scam that tried to steal your Gmail password. What will they think of next?

The best defense is still user education on how to detect phishing sites or emails, not any amount of anti-phishing software or any kind of “constantly updated database.” Phishing emails and sites usually contain traits like:

  • Urgent nature of the messages, requiring prompt action to resolve.
  • Penalties for not complying, which increases urgency.
  • Hyperlinks that do not link to the actual website being referred to. Mousing over a link in a phishing email will reveal that its destination is not the real site's URL; it is usually a temporary subdomain.
  • Doesn’t address you by name – not a foolproof way to detect a phishing email though.
  • Phishing sites usually don’t have SSL, or have unverifiable security certificates. There is usually no “https://”, whereas all secure sites have it.

You can’t win the war against phishing, let alone spam. For every foil, there is an exploit. For email phishing, just remember the golden rule and you’ll be pretty safe – “Never give out any password when asked in an email.”
