Phishing and pharming 101: Protect your identity

Phishing and pharming rely on a variety of nefarious methods, and together they are a persistent threat
of identity theft to everyone. If you recognize what these methods are and how malicious users employ
them, you can keep yourself from becoming a victim.

A quick review
Phishing involves sending an e-mail that claims to be from a legitimate business in an attempt to scam the
user into surrendering private information. Pharming pursues the same goal with different methods; malicious
users employ spyware, keyloggers, domain spoofing, domain hijacking, or DNS cache poisoning to
obtain personal or private (usually financial) information.
To put it bluntly, criminals try to steal your identity by getting you to divulge financial data such as credit
card numbers, account usernames, passwords, and social security numbers. They sell this information,
and it then becomes an identity theft crime.

Recognize the methods
The primary method for this crime is to send e-mails that look like valid correspondence coming from a
bank asking users to click the link provided and log into their account for some type of important
information. But your bank and other institutions where you do business don’t work this way. They may
send you an e-mail and ask you to review or verify information. However, they don’t send links to a Web
site. You already do business with them, and they know you don’t need the link to the Web site.
If you click that link, one of two things is going to occur. It could download spyware onto your computer,
which will then capture your personal information and send it to the criminals. Or, the link will direct you to
a Web site that looks and feels like the site you expected — but it’s actually just a front to collect your login
information to help the criminals harvest your personal information.
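The two warning signs described above, a link whose real destination is not the institution you expected and a page that merely looks like the real site, can be checked mechanically before anyone clicks. The following Python script is an added example and not part of the original article: it pulls every link out of an HTML e-mail body and flags links that point at a bare IP address, links whose host is not on a list of domains you actually do business with, and links whose displayed text shows one address while the href goes somewhere else. The sample e-mail, the trusted-domain list and the 203.0.113.x / .example hosts are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML e-mail body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://203.0.113.7/login">log in</a> to verify your account.</p>
<p>Or visit <a href="https://examplebank.com.verify-account.example">https://www.examplebank.com</a></p>
<p>Contact us at <a href="https://www.examplebank.com/contact">our contact page</a>.</p>
"""

# Constructed allowlist: the domains of institutions the user really deals with.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.examplebank.com -> examplebank.com).
    This is deliberately simplistic; production code would consult the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_link(href, text):
    """Return a list of human-readable reasons this link looks like phishing (empty if none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    # Legitimate institutions link to their own domain, not to a raw address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link points to a bare IP address")
    # A look-alike host such as examplebank.com.verify-account.example fails this check
    # because its registrable domain is verify-account.example, not examplebank.com.
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        reasons.append(f"host {host} is not a trusted institution domain")
    # The visible text shows one URL while the real target is another host.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"displayed URL {shown} differs from actual target {host}")
    return reasons


def flag_links(html):
    """Return [(href, visible_text, reasons), ...] for every link in the e-mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in flag_links(SAMPLE_EMAIL_HTML):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href!r} shown as {text!r}")
        for reason in reasons:
            print(f"           - {reason}")
```

Run against the constructed sample, the first two links are flagged (bare IP address; look-alike host whose displayed text does not match its target) and only the link to the institution's own domain passes. The allowlist check is the one that matters most in practice: the rule in the article, type the address yourself or use a favorite, is exactly the manual form of comparing the target against a domain you already know.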

Fight back
To protect yourself and your users against phishing and pharming schemes, here are four rules to live by:
* Rule 1: Stop clicking links in e-mails that direct you to your bank or a financial institution. Stop filling
out forms sent to you by your bank or financial institution. If you want to visit the site to see if you need to
confirm/update/verify your account, open up a browser and type the link or retrieve it from your favorites.
* Rule 2: If you suspect an e-mail is part of a phishing scheme, report it. Report it to the financial
institution, the FTC, and the Internet Crime Complaint Center.
* Rule 3: Update your browser, your antivirus software, and any other security software. The latest
versions of such software have phishing filters that detect attempts and warn you if they suspect you've
surfed to a site that isn't legitimate.
* Rule 4: Stop using public computers to access private information. Internet kiosks at hotels and other
businesses are convenient but often have Trojans and keyloggers installed that collect and transmit your
information to the criminals. Access personal and financial information only from a computer you trust to
be free from these evils.

Final thoughts
Criminals have learned that they don’t need to pull a gun on you to get your wallet or purse. They’re using
the Internet to steal everything in your accounts — and your good credit too. Take a few simple steps to
stop them, and don’t become an identity theft statistic.


Mike Mullins has served as an assistant network administrator and a network security administrator for the
U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of
operations for the Southern Theater Network Operations and Security Center.