Jay Butler, Senior Support Consultant
Q: I’ve heard of “phishing”, but I’ve never heard of “puddle phishing”. Can you define both and explain the difference? Also, what can be done to stop it?
A: Phishing is an attempt to fraudulently acquire sensitive information (e.g., usernames, passwords, account numbers, Social Security numbers, credit card details) by criminals masquerading as a trustworthy source in an electronic communication.
A common phishing attack uses official-looking emails that direct recipients to a fraudulent website posing as the legitimate one. The criminals craft the fake site to look exactly like the real one, and the address shown in the email's link text is often not the address the link actually opens. It can be difficult for novice users to spot the difference, so accessing websites through links in an email should be avoided.
Personal information should only be entered on secured (HTTPS) websites that are reached directly, by opening the browser and typing the address manually, and sensitive information should NEVER be put in an email. It is also advisable to check the website's certificate by clicking the lock icon (at the bottom of the window in older browsers such as Internet Explorer, in the address bar in current browsers) before entering personal information. The certificate should be issued by a known certificate authority such as VeriSign, Thawte, or Entrust, and it should name the actual business that owns the website. One caveat: only certificates validated against the business (organization- or extended-validation certificates) carry the owner's name. A certificate that names only the domain proves just that the site is that domain, and phishers can obtain such certificates for lookalike domains, so the lock icon by itself is not proof that a site is legitimate.
Phishers have traditionally set up fake websites for larger businesses such as Citibank or Bank of America. More recently they have targeted community financial institutions, on the assumption that these do less to protect their customers. Because the targets are smaller, the security firm Websense coined the term "puddle phishing" for these attacks. To defend against them, community financial institutions should, like their larger competitors, educate their customers and deploy two-factor authentication for Internet banking. Note that one-time codes sent by SMS or generated by a token can still be relayed by a phishing site in real time; only authentication methods bound to the genuine site's origin (such as FIDO2/WebAuthn security keys) actually resist phishing. Here are some common signs of phishing in an email [1]:
- A logo that looks distorted or stretched.
- An email that refers to you as “Dear Customer” or “Dear User” rather than including your actual name.
- An email that warns you that an account of yours will be shut down unless you reconfirm your billing information immediately.
- An email threatening legal action.
- An email that comes from an address similar to, but different from, the one the company usually uses.
- An email that claims “Security Compromises” or “Security Threats” and requires immediate action.
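As an added illustration (not part of the original column), the following Python script applies the signs listed above to two constructed sample emails: a suspicious one that shows most of the signs and a benign one for comparison. The domains citibank.example and citibank-alerts.example, the sender addresses and the message text are hypothetical placeholders made up for the example. It checks for a sender domain that imitates the institution's real domain, a generic greeting, urgency and threat phrases, and links whose visible text names one site while the href points to another, then sums the findings into a simple risk score.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain of the institution being imitated (hypothetical;
# replace with your own institution's domains).
LEGITIMATE_DOMAINS = {"citibank.example"}

# Constructed sample messages, not real emails. The first shows the signs
# from the list above; the second is a benign message for comparison.
SUSPICIOUS_EMAIL = """\
From: Citibank Security <alerts@citibank-alerts.example>
To: customer@mail.example
Subject: Security Compromise - Immediate Action Required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>We detected a security threat on your account. Unless you reconfirm
your billing information within 24 hours, your account will be shut down
and we may be forced to take legal action.</p>
<p><a href="http://citibank-alerts.example/login">https://www.citibank.example/secure</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: Citibank Alerts <alerts@citibank.example>
To: jane.doe@mail.example
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Jane Doe,</p>
<p>Your March statement is ready. You can view it at
<a href="https://www.citibank.example/statements">https://www.citibank.example/statements</a>.</p>
</body></html>
"""

GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
URGENCY = re.compile(
    r"immediate action|account will be (?:shut down|suspended|closed)"
    r"|reconfirm your (?:billing|account)|legal action"
    r"|security (?:compromise|threat)s?",
    re.I,
)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG = re.compile(r"<[^>]+>")

def registrable_domain(host):
    """Last two labels of a host name. Naive on purpose: production code
    should use the Public Suffix List so that co.uk-style suffixes work."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(domain, legitimate):
    """True if domain is not one of ours but embeds one of our brand labels,
    e.g. citibank-alerts.example imitating citibank.example."""
    for good in legitimate:
        brand = good.split(".")[0]
        if domain != good and brand in domain:
            return True
    return False

def text_parts(msg):
    """Decoded text of every text/* part (handles single and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def analyze(raw_message):
    msg = message_from_string(raw_message)
    html = text_parts(msg)
    # Subject plus tag-stripped body, whitespace collapsed so that phrases
    # split across line breaks still match.
    text = re.sub(r"\s+", " ", msg.get("Subject", "") + " " + TAG.sub(" ", html))
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    mismatched = []
    for href, label in ANCHOR.findall(html):
        shown = urlparse(TAG.sub("", label).strip()).hostname
        actual = urlparse(href).hostname or ""
        # Only link text that itself looks like a URL can lie about its target.
        if shown and registrable_domain(shown) != registrable_domain(actual):
            mismatched.append((shown, actual))
    return {
        "lookalike_sender": is_lookalike(sender_domain, LEGITIMATE_DOMAINS),
        "generic_greeting": bool(GENERIC_GREETING.search(text)),
        "urgency_phrases": sorted({m.group(0).lower() for m in URGENCY.finditer(text)}),
        "mismatched_links": mismatched,
    }

def risk_score(findings):
    """One point per sign, two per mismatched link: a link that lies about
    its destination is rarely innocent."""
    return (int(findings["lookalike_sender"]) + int(findings["generic_greeting"])
            + len(findings["urgency_phrases"]) + 2 * len(findings["mismatched_links"]))

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        found = analyze(sample)
        print(name, risk_score(found), found)
```

The suspicious sample scores 10 (lookalike sender, generic greeting, six urgency phrases and one link whose text shows www.citibank.example while it points to citibank-alerts.example); the benign sample scores 0. Keyword lists like this catch the crude cases described in the column and are easy for an attacker to word around, so treat the score as a triage aid for a mail gateway or an analyst, not as proof either way.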
As the information age continues to mature, people must learn to identify social engineering scams such as phishing to protect themselves and their employers. Computer users should never enter personal information solicited by an email request of any kind. Any email that asks for personal information should be discarded immediately, and telephone solicitations should be treated the same way: if a caller claims to be from your bank, hang up and call back on the number printed on your card or statement, not a number the caller provides.
[1] WindowsSecurity.com, Brian Provost