Just when we thought we were becoming web-savvy, the rules of the game have changed again! According to a January 2005 article from The Register, fraudsters are now using more advanced techniques to attempt to swindle you out of your hard-earned money or to steal your identity. 

The Anti-Phishing Working Group (APWG) explains that phishing "attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials" while the next generation of phishing, called pharming, "misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning". Pharming tricks your computer into accepting a false translation of a site's name into a network address, so that information you intended for legitimate services is sent to the pharming websites instead of, or in addition to, the real ones. An example of this technique is described by Freedom to Tinker:

"If your computer accepts a false translation for 'citibank.com,' then when you communicate with 'citibank.com' your packets will go to the villain's IP address, and not to the IP address of Citibank. I'll omit the details of how a villain might do this, as this post is already pretty long. But here's the scary part: if a pharming attack is successful, there is no information on your computer to indicate that anything is wrong. As far as your computer (and the software on it) is concerned, everything is working fine, and you really are talking to 'citibank.com'. Worse yet, the attack can redirect all of your Citibank-bound traffic -- email, online banking, and so on -- to the villain's computer." -- Edward R. Felten
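One place a false translation can sit on your own computer is the local hosts file, which is typically consulted before DNS (an assumption added here; the article does not name this mechanism). The following Python code is an added example, not from the original article or the APWG: it audits hosts-format text for entries that override watched domains. The sample file contents, the watch list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in hosts-file format (not from the article).
# 203.0.113.0/24 and 2001:db8::/32 are reserved documentation ranges.
SAMPLE_HOSTS = """\
# local names
127.0.0.1      localhost
::1            localhost ip6-localhost
203.0.113.66   citibank.com www.citibank.com   # false translation
0.0.0.0        ads.example.net
192.168.1.20   printer.lan
2001:db8::bad  Online.Citibank.COM.
not-an-ip      citibank.com
"""

WATCHED = {"citibank.com"}  # assumption: domains the reader wants to protect


def _is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, ip, hostname) for every local override of a watched domain."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address
        for name in fields[1:]:  # one address may carry several aliases
            if _is_watched(name, watched):
                findings.append((line_no, str(ip), name.lower().rstrip(".")))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is forced to {ip}")
```

Any hit deserves a look: a bank's domain has no ordinary reason to appear in a hosts file at all, whatever address it points to.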

Successful phishing or pharming scams withdraw money from electronic accounts without the victim's knowledge or intention, or steal the victim's identity so that it can be used for unlawful purposes, which typically leaves the victim in poor standing with one or more financial institutions.

APWG offers useful tips to help you avoid becoming a victim of phishing or pharming:

  • Be suspicious of any email with urgent requests for personal financial information
  • Don't use the links in an email to get to any web page, if you suspect the message might not be authentic
  • Avoid filling out forms in email messages that ask for personal financial information
  • Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser
  • Consider installing a Web browser tool bar to help protect you from known phishing fraud websites
  • Regularly log into your online accounts
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate
  • Ensure that your browser is up to date and security patches are applied
  • Always report "phishing" or "spoofed" e-mails

Visit the following resources to learn more about phishing and pharming prevention, to read scam advisories, and to report that you have been a victim of phishing or pharming:

Author: Stefanie Ploof, CIT Client Services / CALS IT Office