Phishing

What is phishing?

Phishing (pronounced “fishing”) refers to stealing people’s passwords by tricking them, using a fake website that mimics a legitimate one. Phishing often takes place via email, with the sender pretending to be a well known person or company. Phishing messages typically invoke a sense of urgency or panic, and compel readers to take immediate action.

How does phishing work?

A phisher will set up a website that looks like the login page of a legitimate site. They then try to get people to go to their site, in the hopes that people will enter their usernames and passwords for the “real” (or impersonated) site.

Whenever a user enters a password on the phishing site, the site records it, and then redirects the user to the legitimate site so that they won’t know anything is amiss. The phisher can then use or sell the stolen passwords.

Note that these faked sites can have varying degrees of quality. In some cases they’ll look visually very different from the original, and be obvious forgeries. In other cases the fake version will be almost indistinguishable from the real thing.

How do phishers get people onto their sites?

One common method is for phishers to send out emails or text messages that look as if they come from a legitimate source. These messages include a link to the phishing site, and try to entice or pressure the user into clicking. They may use language that implies some urgency, such as by saying “Your account will be deleted unless you click here to log in right away!” They may also offer a reward, such as: “You’ve won $1000! Click here to claim your prize!”

Another phishing tactic is “typosquatting.” In this case a phisher will buy a domain name that’s similar to the URL of the legitimate site they’re mimicking, and set up a phishing site to catch users who mistype the legitimate site’s URL. To prevent this, many major companies will buy up lots of domain names similar to their primary one (for example, Google owns “googel.com”).

How do I protect myself from phishing?

There are a few things you can do to protect yourself against phishing:

• Enable Safe Browsing in your Web browser. All major browsers support this feature, which can warn you if you’re about to visit a known phishing site.
• Any time you’re about to log in to a website, or enter any important information, look carefully at the website address in the URL, and make sure it’s what you expect it to be.
• If you suspect your password for a site has been phished, change your password on that site immediately, as well as on any other sites where you use the same password. Ideally, though, you should use a different password for every site, which limits the damage if one of them gets phished. Use a password manager to securely store all your passwords, and to generate random, unique passwords for every account and website you access.
• It’s a good idea to enable two-factor authentication (2FA), or multi-factor authentication, on every account that supports it. This won’t prevent you from getting phished, but it will limit the damage if you do get phished: Even if a phisher gets your password, they won’t have your second factor (generally a unique, one-time numeric code that’s also required before you can gain access to your account on a site or app).