Current News

10/29/12 - MSU security expert shares tips to prevent phishing scams

In every corner of the Internet, high-tech “phishers” are baiting their hooks, hoping to lure a prize catch: the account data and personal information of unsuspecting computer users all across the country.

More than a simple invasion of privacy, these online scams have turned into a multimillion-dollar industry that can wreak havoc on people’s finances and sense of personal security.

“The idea behind phishing is that an attacker will try to get you to enter your information into a decoy website that looks exactly like the legitimate one you are used to using,” said Wesley McGrew, a scientist at Mississippi State University’s Center for Cyber Security Research. “The decoy site will allow them to collect your username and password, and once they have that, they can access any personal or financial information you’ve stored on that account.”


McGrew is what’s known in computing circles as a “white hat hacker,” someone who breaches secure computer systems to identify weaknesses or threats before they can be exploited by criminals. But he says you don’t have to be a computer expert to thwart scammers, just a little cautious about what you click.

“If you receive an email directing you to log in to a site, that should be your first warning that you might be going to a phishing site,” McGrew said. “It’s important to be aware of how you arrive at a website and it’s always best to be suspicious if anything seems wrong or if your Web browser issues a warning.”

McGrew has several tips to help people recognize and avoid phishing attacks:

--Never reply to an email that directly asks for username and password information.

--Don’t follow links from an email to log in to a website. Type in the Web address and use the site directly.

--Before entering login information on a website, be sure that the Web address begins with “https” or that there is a lock icon in the address bar, which means information entered on the site will be encrypted during transmission.

To eliminate any remaining doubt about the legitimacy of a website, McGrew said users can click the lock icon to see the Web page’s security information and verify that the site is being operated by the organization it claims. He said contacting the website’s support staff is also a good idea to alleviate lingering concerns.

In 2011, Internet crimes netted a loss of more than $4.5 million, according to a report from the national Internet Crime Complaint Center. FBI-related and identity theft scams, which commonly involve phishing, were the most common of the more than 314,000 crimes reported to the center last year.

McGrew said quick action from Internet users can help rescue a compromised account before it becomes a crime statistic.

“If you think your account is being phished, your first step should be to contact the company or organization that hosts the targeted account,” McGrew said. That could be a retail business, social media outlet or an email service.

If information was entered into the false website, McGrew said users should:

--Immediately change the password

--Monitor the account for unauthorized activity

--Change the password for any accounts that might be linked to the one that was compromised

If the phished account contains banking or credit information, he said it is important to also monitor credit reports or have credit agencies place a note on the account to notify the owner of any new activity, such as loan applications.

For extra online security, McGrew said people should regularly change their account passwords and, most importantly, use strong passwords that include letters, numbers and symbols. An account doesn’t need to be phished if the password can be easily guessed, like the ones on Mashable’s list of the year’s worst passwords.

McGrew said software such as KeePass can help people protect their accounts by recommending strong passwords and saving active ones in an encrypted file that can be stored on an external digital storage device. He also recommends keeping a record of active account and password information with other important household documents.

“Phishing attacks happen every day, but you don’t have to be a victim,” McGrew said. “Just be aware, be cautious, and be prepared to take action if you are targeted.”

Susan Lassetter | Bagley College of Engineering
