Block a “phishing attack” and your company is safe for a day. Teach your company’s employees how to spot phishing attacks and your company is safe for life.
Phishing is a technique that hackers use to steal information or plant malicious code on someone’s computer. The hacker sends emails pretending to be a legitimate business (a bank, for example) and instructs recipients to follow a link, which leads to a Web site that looks legitimate but is really controlled by the hacker.
Here are five Web addresses. Can you tell which are real and which are run by a hacker? (Answers at the bottom of the post.)
1) http://ebay.verification.co.uk
2) http://www4.da-us.chase.com/cgi-bin
3) http://secure.citibanking.net
4) http://pages.ebay.com/services/forum/feedback.html
5) http://www.secure-account.com/regionsbank
Filtering technology can catch some of these fake sites, but not all. “These filters aren’t as adaptable as the human brain is,” Lorrie Cranor, a professor at Carnegie Mellon University, tells the Business Technology Blog. The best defense is training employees to spot these attacks if they want to keep their data from falling into the wrong hands.
The problem, of course, is that nothing sounds more mind-numbing than computer security training. So Cranor and her colleagues invented a game that helps teach people how to spot fake Web sites. The game features a fish named Phil who has to choose to eat or reject different worms based on the Web addresses they represent. When he gets hooked by a hacker his dad comes out and gives him a security tip. (You can play the game here.)
It’s silly, but Cranor tells us that the silliness is part of the game’s charm. Best of all, it works. People took a quiz similar to the one above before and after they played the game and then again a week later. Scores were up after the game and stayed up over time.
Cranor tells us that representatives from around 20 companies have asked if she can design a version of the game for them, including the U.S. Air Force. That organization’s only request: “They said they would appreciate a way to make it more Air Force-y,” she says, adding that she’s working on it.
Quiz answers: 1) Fake, 2) Legitimate, 3) Fake, 4) Legitimate, 5) Fake
The part of the address that matters comes just before .com or .net (or, in the case of the first address in the quiz, .co.uk, which is the address scheme for the U.K.). Many legitimate sites have letters other than www before the company name. Similarly, anything that comes after a / just represents a particular page on a site, not a different site. If you aren’t sure whether a site really belongs to a company, try Googling the company name.
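As an added illustration (not part of the original post, and not code from Cranor’s group), here is a short Python script that applies the rule above mechanically: it pulls the host out of a Web address, finds the label sitting just before the public suffix (.com, .net, .co.uk and so on), and compares that “registrable domain” with the one a brand is expected to use. The short suffix set and the brand-to-domain table are constructed for the example; a real filter would load the full Public Suffix List and the organisation’s own list of approved domains instead.

```python
"""Added example: decide whether a URL belongs to the brand it claims.

Rule from the post: only the label immediately before the public suffix
matters. Labels to the left of it (www, www4, secure, pages, ebay ...)
are chosen freely by whoever owns the domain, and everything after the
first "/" is just a page on that site.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

# Assumed brand -> registrable domain table for this example only.
EXPECTED_DOMAINS = {
    "ebay": "ebay.com",
    "chase": "chase.com",
    "citibank": "citibank.com",
    "regions": "regions.com",
}

# The five addresses from the quiz, paired with the brand each one claims.
QUIZ: List[Tuple[str, str]] = [
    ("http://ebay.verification.co.uk", "ebay"),
    ("http://www4.da-us.chase.com/cgi-bin", "chase"),
    ("http://secure.citibanking.net", "citibank"),
    ("http://pages.ebay.com/services/forum/feedback.html", "ebay"),
    ("http://www.secure-account.com/regionsbank", "regions"),
]


def registrable_domain(url: str) -> Optional[str]:
    """Return the label-plus-public-suffix part of the URL's host, or None."""
    if "://" not in url:
        url = "http://" + url           # urlsplit needs a scheme to find the host
    host = urlsplit(url).hostname       # drops scheme, path, port and credentials
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first so "co.uk" wins over "uk".
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None                         # bare suffix or unknown suffix


def classify(url: str, brand: str) -> str:
    """'legitimate' if the URL's registrable domain matches the brand's
    expected domain, 'suspicious' if it does not, 'unknown' otherwise."""
    expected = EXPECTED_DOMAINS.get(brand.lower())
    actual = registrable_domain(url)
    if expected is None or actual is None:
        return "unknown"
    return "legitimate" if actual == expected else "suspicious"


def run_quiz() -> List[Tuple[str, Optional[str], str]]:
    """Evaluate every quiz address: (url, registrable domain, verdict)."""
    return [(url, registrable_domain(url), classify(url, brand)) for url, brand in QUIZ]


if __name__ == "__main__":
    for url, domain, verdict in run_quiz():
        print(f"{verdict:11} {domain or '-':22} {url}")
```

Run as a script it prints one line per quiz address, and the verdicts line up with the answer key: the two addresses whose registrable domain is ebay.com or chase.com come out legitimate, while verification.co.uk, citibanking.net and secure-account.com are flagged because the brand name only appears as a subdomain or in the path.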