Wednesday, February 01, 2006

phishing - detect it!

There has been a lot about phishing lately in the news, but I haven't seen much teaching folks how to detect and prevent it. Here are some ideas.

1. Skepticism. Most phishing messages threaten or promise things that are really unlikely.


Dear BancorpSouth Client,

This is your official notification from BancorpSouth that the service(s) listed below will be deactivated and deleted if not renewed immediately. Previous notifications have been sent to the Billing Contact assigned to this account. As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted.

Renew Now your BancorpSouth Bill Pay and Services.

If you are not enrolled at Web Banking, please enter your SSN as Username, and account number as Password.

SERVICE : BancorpSouth with Bill Pay.

Thank you, sincerely,

Tricia Doyle
Customer Service


Would this company (even if I banked with them) really cancel my account over an email? Why do they need all this info that they already have, and why would a bank ever ask for your SSN and account number as a username and password? Assume an email is phony until it proves otherwise and you'll catch a lot more of them.

2. Never follow links from emails to any place where you enter any personal information. Type the URL manually in the address bar of your Firefox browser (or some other browser, if you must). Bank URLs are usually short, but make sure you type them correctly. Better, bookmark them once and use the bookmarks from then on. Some phishers register similar domains so that when you mistype "mycerditcard.com" you see a site that looks the same as "mycreditcard.com".

The visible text of a link in an email has nothing to do with where it actually goes. A link whose text says "Get an IBM" can take you somewhere completely different. Even worse, the text can itself be an address, like www.ibm.com, which looks like it would take you to IBM's web site, but it doesn't. Phishers also use similar-sounding names to trick you: www.ibmcomputers.com sounds ok, but it is NOT IBM; who knows who it is. Most mail readers show the real destination when you hover over a link, but even then, don't click on the email links. The link in the example above sends people to:
http://???.nctu.edu.tw/bancorpsouthonline.com/CheckSession.php

The address is clearly bogus, can you see that? The only part that matters is the host name, everything between "http://" and the first "/". Here it ends in nctu.edu.tw; the .tw at the end is the country code for Taiwan. The bank's name only appears after the slash, as a folder name on someone else's server, which is exactly where a phisher puts it so the address looks right at a glance. It is in no case the bank's real website.
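Here is an added example (my own code, not part of the original post) that applies the rules above to a link mechanically: it pulls the host name out of the real target, checks whether it is really under the expected domain, and reports the tricks the post describes, the bank's name hidden in the path, link text that names the real site while the target does not, a brand name buried inside a different domain, and a typo-squatted domain. The sample links are constructed; "example.nctu.edu.tw" is a stand-in for the host the post elides as ???, and "bancorpsouthonline.com" is used only because that is the domain the email claims to be from.

```python
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Lower-cased host part of a URL ('' if none). Bare text such as
    'www.ibm.com' is treated as a URL so link text can be checked too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(link_text: str, href: str, expected_domain: str) -> list:
    """Return the reasons a link is suspicious; an empty list means the
    target really is under expected_domain."""
    host = hostname(href)
    reasons = []
    if belongs_to(host, expected_domain):
        return reasons
    tld = host.rpartition(".")[2]
    reasons.append(f"target host is {host!r} (top-level domain .{tld}), not {expected_domain}")
    if expected_domain in urlsplit(href).path.lower():
        reasons.append("the real domain name appears only in the path, after the first '/'")
    if belongs_to(hostname(link_text), expected_domain):
        reasons.append("the visible link text names the real domain but the target does not")
    bare = host[4:] if host.startswith("www.") else host
    brand = expected_domain.split(".")[0]
    if brand in bare:
        reasons.append(f"target contains the brand name {brand!r} inside a different domain")
    elif 0 < edit_distance(bare, expected_domain) <= 2:
        reasons.append(f"target is within two typos of {expected_domain}")
    return reasons


if __name__ == "__main__":
    # Constructed samples. 'example.nctu.edu.tw' stands in for the host the
    # post elides as ???; the others follow the post's IBM and credit-card examples.
    samples = [
        ("Renew Now", "http://example.nctu.edu.tw/bancorpsouthonline.com/CheckSession.php",
         "bancorpsouthonline.com"),
        ("www.ibm.com", "http://www.ibmcomputers.com/", "ibm.com"),
        ("mycreditcard.com", "http://mycerditcard.com/login", "mycreditcard.com"),
        ("Log in", "https://online.mycreditcard.com/login", "mycreditcard.com"),
    ]
    for text, href, domain in samples:
        print(text, "->", href)
        for r in check_link(text, href, domain) or ["looks genuine"]:
            print("   ", r)
```

The check deliberately looks only at the host name, never at the path or the link text, when deciding whether a link is genuine; the path and the text are used only to explain which trick was played.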

3. Emails are not necessarily FROM who they say they are from. There should be a way to look at the full email headers in your email. I can do this with GMail, as well as my UNC email. You can do this with hotmail, but it's clunky (surprise!!). Go to Options (upper right corner of the screen with your emails), then choose "Mail Display Settings" then set message headers to "full" then click OK. Now you'll see lots of weird headers with your email:

X-Sieve: cmu-sieve 1.3
Return-Path:
Received: from email.unc.edu (mgate2.isis.unc.edu [152.2.1.95])
by mailserv0.isis.unc.edu (8.12.2/8.12.1) with ESMTP id k1114G0a000372
for ; Tue, 31 Jan 2006 20:04:16 -0500 (EST)
>>>>>Received: from gs0.media3.net ([63.74.122.251])<<<<<<
by email.unc.edu (8.13.5/8.13.5) with ESMTP id k11141w4014944
for <[MyEmailAddress]@email.unc.edu>; Tue, 31 Jan 2006 20:04:12 -0500 (EST)
Received: by gs0.media3.net (8.9.3/8.9.2) id UAA12769;
Tue, 31 Jan 2006 20:00:03 -0500 (EST)
Date: Tue, 31 Jan 2006 20:00:03 -0500 (EST)
Message-Id: <20060203310100.UAA12769@gs0.media3.net>
To: [MyEmailAddress]@email.unc.edu
From: BancorpSouth Online Banking <customercare@bancorpsouthonline.com>
Subject: New message from BancorpSouth
Reply-To: BancorpSouth Online Banking <customercare@bancorpsouthonline.com>
Content-type: text/html

Note that the "From:" line says "bancorpsouthonline.com" but nothing else in the header mentions that domain. Every mail server that handles a message adds its own "Received:" line at the top, so the lines read bottom to top in time order. The line I pointed at, "Received: from gs0.media3.net ([63.74.122.251])" (I added the pointers there), was written by email.unc.edu, the university's own server, and records the machine that actually handed it the message: gs0.media3.net, which is not the bank. The Message-Id ends in gs0.media3.net as well. Only the Received lines added by your own provider's servers can be trusted; anything below them was written by the sender's machine and can be forged just as easily as the "From:" line. This may be a bit of overkill, but it is helpful in explaining why you shouldn't click on links in your email, nor trust the "From:" line. This is stuff not a lot of people know.
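As an added example (my own code, not part of the original post), here is the same header reading done by a script. It parses the raw headers, joins folded continuation lines, walks the Received chain from newest to oldest, and stops at the first hop that one of our own servers recorded as coming from a machine that is not ours; that machine is where the message entered our mail system, and nothing below it can be verified. The sample headers are reconstructed from the ones shown above, with user@email.unc.edu as a placeholder for the redacted recipient address and the continuation lines re-indented the way a mail server writes them. The set of trusted servers is an assumption for the UNC example; use your own provider's host names.

```python
import re

# Reconstructed from the headers shown in the post; user@email.unc.edu is a
# placeholder for the redacted recipient address.
SAMPLE_HEADERS = """\
X-Sieve: cmu-sieve 1.3
Received: from email.unc.edu (mgate2.isis.unc.edu [152.2.1.95])
        by mailserv0.isis.unc.edu (8.12.2/8.12.1) with ESMTP id k1114G0a000372
        for <user@email.unc.edu>; Tue, 31 Jan 2006 20:04:16 -0500 (EST)
Received: from gs0.media3.net ([63.74.122.251])
        by email.unc.edu (8.13.5/8.13.5) with ESMTP id k11141w4014944
        for <user@email.unc.edu>; Tue, 31 Jan 2006 20:04:12 -0500 (EST)
Received: by gs0.media3.net (8.9.3/8.9.2) id UAA12769;
        Tue, 31 Jan 2006 20:00:03 -0500 (EST)
Date: Tue, 31 Jan 2006 20:00:03 -0500 (EST)
Message-Id: <20060203310100.UAA12769@gs0.media3.net>
To: user@email.unc.edu
From: BancorpSouth Online Banking <customercare@bancorpsouthonline.com>
Subject: New message from BancorpSouth
Reply-To: BancorpSouth Online Banking <customercare@bancorpsouthonline.com>
Content-type: text/html
"""

# Mail servers run by the recipient's own provider (assumed for the UNC example).
# Received lines written by these can be believed; everything below them was
# written by the sender's side and may be forged.
TRUSTED_SERVERS = {"mailserv0.isis.unc.edu", "email.unc.edu"}

FROM_RE = re.compile(r"\bfrom\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def parse_headers(raw: str) -> list:
    """Return [(name, value), ...] in file order, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:            # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def address_domain(value: str) -> str:
    """Domain of the address in a From:/Message-Id: style value."""
    m = re.search(r"<([^>]+)>", value)
    addr = m.group(1) if m else value.strip()
    return addr.rpartition("@")[2].lower()


def origin_host(headers: list, trusted: set):
    """Received lines are prepended by each hop, so the list reads newest first.
    The first hop whose 'by' server is ours but whose 'from' server is not is
    where the message entered our mail system. Returns (host, ip)."""
    for name, value in headers:
        if name != "received":
            continue
        by = BY_RE.search(value)
        frm = FROM_RE.search(value)
        if not by or not frm:                       # e.g. 'Received: by X' with no from
            continue
        claimed = frm.group(1).lower()
        if by.group(1).lower() in trusted and claimed not in trusted:
            ip = IP_RE.search(frm.group(2) or "")
            return claimed, (ip.group(1) if ip else None)
    return None, None


def assess(raw: str, trusted: set = TRUSTED_SERVERS) -> dict:
    """Compare the claimed From: domain with the host that really delivered the mail."""
    headers = parse_headers(raw)
    from_domain = address_domain(next(v for n, v in headers if n == "from"))
    msgid_domain = address_domain(next((v for n, v in headers if n == "message-id"), ""))
    origin, ip = origin_host(headers, trusted)
    mismatch = origin is not None and not (
        origin == from_domain or origin.endswith("." + from_domain))
    return {"from_domain": from_domain, "message_id_domain": msgid_domain,
            "origin_host": origin, "origin_ip": ip, "mismatch": mismatch}


if __name__ == "__main__":
    for key, val in assess(SAMPLE_HEADERS).items():
        print(f"{key:18} {val}")
```

A mismatch between the From: domain and the originating host is a strong hint, not proof: legitimate mail is often sent through third-party providers. The point is that the From: line alone proves nothing, while the Received line your own server wrote cannot be faked by the sender.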
