Anti-virus and spam management company, Sophos, has issued a number of guidelines that can be applied to prevent a phishing attack.
Brett Myroff, CEO of Sophos distributor, NetXactics, says that while it's hard to imagine that anyone would fall prey to the blatantly fraudulent activity of phishing, the Anti-Phishing Working Group, an association focused on eliminating fraud and identity theft from phishing, pharming and e-mail spoofing, has indicated that phishers are able to convince up to 5% of recipients to respond.
"Phishing is an increasingly common type of spam that can lead to theft of personal details such as credit card numbers or online banking passwords. Scam artists basically send 'spoofed' e-mails that appear to come from a legitimate Web site, typically those that you have online dealings with, such as a bank, credit card company or ISP - any site that requires users to have a personal identity or account. The e-mail may ask you to reply with your account details to 'update security' or some other reason."
He adds that phishing e-mails may also direct you to a spoofed Web site or pop-up window that resembles the real site but has been set up for the sole purpose of stealing personal information. "Unsuspecting users are then often fooled into handing over credit card numbers, passwords or other details."
How to protect yourself
* Never respond to e-mails that request personal financial information.
Banks or e-commerce companies generally personalise e-mails, while phishers do not. Phishers often include false but sensational messages, such as 'urgent - your account details may have been stolen', in order to get an immediate reaction.
"Reputable companies don't ask their customers for passwords or account details in an e-mail," says Myroff. "Even if you think the e-mail may be legitimate, don't respond - contact the company by phone or by visiting their Web site. Also, be cautious about opening attachments and downloading files from e-mails, no matter who they are from."
* Visit bank Web sites by typing the URL into the address bar.
Phishers often use links within e-mails to direct their victims to a spoofed site, usually to a similar address, such as mybankonline.com instead of mybank.com. When clicked on, the URL shown in the address bar may look genuine, but there are several ways it can be faked, taking the user to the spoofed site.
"If you suspect an e-mail from your bank or online company is false, do not follow any links embedded in it," says Myroff.
* Keep a regular check on your accounts.
"Regularly log into your online accounts, and check your statements. If you see any suspicious transactions report them to your bank or credit card provider," he adds.
* Check that the Web site you are visiting is secure.
Before submitting bank details or other sensitive information there are a couple of checks that will help verify whether the site uses encryption to protect all personal data:
Check the Web address in the address bar. If the Web site is on a secure server it should start with "https://" ("s" for security) rather than the usual "http://".
Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
"Note the fact that the Web site is using encryption doesn't necessarily mean that it's legitimate. It only tells you that data is being sent in encrypted form."
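The two link checks above (type the bank's address yourself rather than trusting a lookalike such as mybankonline.com, and insist on "https://") can be turned into a small defensive filter. This is an added example, not code from Sophos or NetXactics; the TRUSTED_HOSTS allow-list is a constructed placeholder standing in for the addresses a user has actually bookmarked by hand.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the bank domains this user really deals with.
TRUSTED_HOSTS = {"mybank.com"}


def host_is_trusted(host: str) -> bool:
    """True only if host is a trusted domain or a subdomain of one.

    A plain suffix test would accept 'notmybank.com', so the match must be
    either exact or preceded by a dot boundary ('online.mybank.com').
    """
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_link(url: str) -> list:
    """Apply the article's checks to a link; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)

    # Check 1: the page must be served over https, not plain http.
    if parts.scheme != "https":
        problems.append("not https (scheme is %r)" % parts.scheme)

    # Check 2: the host must be one of the bank's own domains. hostname, not
    # netloc, is used so that anything placed before an '@' in the address
    # cannot masquerade as the destination, and lookalike names such as
    # mybankonline.com are rejected because they are not on the allow-list.
    host = parts.hostname or ""
    if not host:
        problems.append("no host in URL")
    elif not host_is_trusted(host):
        problems.append("host %r is not a trusted bank domain" % host)
    return problems


if __name__ == "__main__":
    for link in ("https://online.mybank.com/login",
                 "http://mybank.com/login",
                 "https://mybankonline.com/login"):
        print(link, "->", check_link(link) or "passes")
```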
* Be cautious with e-mail and personal data.
Most banks have a security page on their Web site with information on carrying out safe transactions, as well as the usual advice relating to personal data: never let anyone know PIN numbers or passwords, do not write them down, and do not use the same password for all online accounts.
Myroff says further caution should be applied by not opening or replying to spam e-mails as this will confirm to the sender that they have reached a live address. "Use common sense when reading e-mails. If something seems implausible or too good to be true, then it probably is."
* Keep your computer secure.
Some phishing e-mails or other spam may contain software that can record information on Internet activities (spyware) or open a 'backdoor' to allow hackers access to a computer (Trojans). Installing anti-virus software and keeping it up to date will help detect and disable malicious software, while anti-spam software will stop phishing e-mails before they can do damage.
It is also important, particularly for users with a broadband connection, to install a firewall. This will help keep the information secure while blocking communication from unwanted sources. "Make sure you keep up to date and download the latest security patches for your browser. If you don't have any patches installed, visit your browser's Web site," he says.
* Always report suspicious activity.
"If you receive an e-mail you suspect might not be genuine, forward it to the spoofed organisation. Many companies have a dedicated e-mail address for reporting such abuse."
NetXactics is a South African-based company focused on the provision of security solutions. It is the sole distributor in Sub-Saharan Africa for UK-based Sophos Plc, one of the leaders in the provision of anti-virus and anti-spam software for the corporate environment. For more information, visit NetXactics at www.netxactics.co.za.