Monday, April 1, 2019

Phishing, not Fishing

Wikipedia defines fishing as, "the activity of trying to catch a fish". However, Wikipedia additionally defines phishing as "the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication". Let's talk more about "phishing"...

What is Fishing
Fishing is a sporting activity where the participant tries to catch fish. We're not going to discuss this further at this time :-)

What is Phishing
Phishing is a cyber-crime. The criminal contacts targets, typically by email (although telephone calls or text messages can also be used), while posing as a legitimate institution. The goal is to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. A successful phishing attack can have devastating results for the victims.

How a Phishing Scam can Work
An attacker sends out thousands of fraudulent messages in an attempt to harvest sensitive information or large sums of money. The messages are designed to look like real ones. It's essentially a numbers game: even if only a small percentage of recipients fall for the scam, the payoff can be plentiful.

As a made-up example... an attacker targets alumni of a university, asking for donations. The message contains the university's logo, names real school programs and appears to be sent from the alumni director, a dean or even the school president, using an email address that looks much like the real one. The message then directs you to a phony website that mimics your university's site, with logos and other content likely copied from the real one. While your university's real website address might be "", the phony website address might look like "". At first glance, some people will be fooled.

How to Protect Yourself from Phishing
Vigilance is important:
  • Keep your operating system, browser, anti-spam and anti-malware software current with all updates. Spam filtering blocks some phishing messages before you ever see them, and patched software blunts attacks that try to install malware through a malicious link or attachment.
  • Phony messages usually contain subtle differences or mistakes. In addition to the website address difference described above, they may carry a phony physical address, a sender address that does not match the organization, or even simple spelling mistakes.
  • Be wary of tight deadlines or even threats. If the message insists you must pay quickly, pay a fine or send cash, it is probably not legitimate.
  • Such messages often don't address you by name (e.g. "Dear Sir/Madam"). A legitimate message from an organization that knows you will usually address you personally.
  • When asked to pay online, make sure you are on the website you expect, not merely on an encrypted one. "https" (TLS, formerly called SSL) only encrypts the connection between your browser and the server; it says nothing about who runs that server, and phishing sites routinely obtain valid certificates too. Check the domain shown in the address bar rather than trusting the padlock, and never enter payment details on a plain "http" page.
Always make sure you know and trust the person or entity that sends you an email. By exercising a little caution and attentiveness, you can avoid the dangers and problems from a phishing attack.
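The checklist above can be turned into a few mechanical tests: does the sender's address really belong to the organization, do the links point at the organization's domain or at a lookalike, and does the wording lean on urgency and generic greetings? The script below is an added example written for this post, not code from the original article or from any mail product. The university domain (university.example), the two sample messages and the hostnames in them are all constructed for illustration; the "registrable domain" helper is deliberately crude (last two DNS labels) and a real checker would consult the Public Suffix List instead.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical university domain for this example (not taken from the post).
TRUSTED_DOMAIN = "university.example"

# Constructed phishing message modelled on the alumni-donation scenario above.
# Note that both links use https: encryption alone proves nothing about the site.
PHISHING_MESSAGE = """\
From: Alumni Director <director@alumni-giving.test>
To: alumnus@mailbox.test
Subject: Final notice: annual giving deadline

Dear Sir/Madam,

Please confirm your gift within 24 hours at
https://university.example.alumni-giving.test/donate
or use our secure form at https://universlty.example/donate
"""

# Constructed legitimate message for comparison.
LEGIT_MESSAGE = """\
From: Alumni Office <alumni@university.example>
To: alumnus@mailbox.test
Subject: Spring newsletter

Dear Jane,

The spring newsletter is at https://alumni.university.example/news
"""


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two DNS labels.
    Assumption for this example; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted: str) -> Optional[str]:
    """Return None if host is under the trusted domain, otherwise a reason string."""
    reg = registrable_domain(host)
    if reg == trusted:
        return None
    if trusted in host:
        # e.g. university.example.alumni-giving.test: the real name is only a prefix
        return "embedded-domain"
    if edit_distance(reg, trusted) <= 2:
        return "lookalike"  # e.g. universlty.example (typo-squat)
    return "foreign"


def check_message(raw: str, trusted: str = TRUSTED_DOMAIN) -> List[Tuple[str, str]]:
    """Apply the checklist heuristics to one RFC 822 message; empty list means no flags."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender address: the display name can say anything, so look at the domain.
    _, addr = parseaddr(msg.get("From", ""))
    verdict = classify_host(addr.rpartition("@")[2], trusted)
    if verdict:
        findings.append(("sender-" + verdict, addr))

    # 2. Every link in the subject or body, judged by its hostname, not its padlock.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        verdict = classify_host(urlparse(url).hostname or "", trusted)
        if verdict:
            findings.append(("link-" + verdict, url))

    # 3. Pressure tactics and generic salutations.
    urgent = re.search(r"\b(immediately|within \d+ hours|final notice|urgent)\b", text, re.I)
    if urgent:
        findings.append(("urgency", urgent.group(0)))
    generic = re.search(r"\bdear (sir|madam|customer|user)\b", text, re.I)
    if generic:
        findings.append(("generic-salutation", generic.group(0)))
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, check_message(sample))
```

Run as-is, the phishing sample is flagged five times (foreign sender domain, a link that merely embeds the university's name in a longer hostname, a typo-squatted link, urgency wording and a generic greeting) while the legitimate sample is not flagged at all. Heuristics like these catch the careless attacker described in the post; they will not catch a compromised account on the real domain, which is why the "know and trust the sender" advice still applies.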

Click here to contact me regarding this or any other blog post. Also, I welcome comments, which you can enter below.


  1. David, very good explanation of a very real crime. Thank you.

  2. Hi David, Your checklist is good. I also consider the sender's originating email address. They may have an address for you to click, containing the flaw you mention, but they often don't sync the sending address to that. If he says he's Chris Smith from Oxford Health and his sending email address reads, "", it gets blocked.

