Spoofing, spamming, and phishing are dangerous means employed to steal a user’s identity or to gain unauthorized access to computing resources. Users can protect themselves from these malicious ploys by being very cautious when opening and replying to e-mail requests, and by being very protective of confidential information.
Spam is sometimes referred to as unwanted junk mass e-mail. It is defined in the California Business and Professions Code (Division 7, Part 3, Chapter 1, Article 1.8) as consisting of unsolicited commercial e-mail advertisements. Spam is a problem because it:
- May contain computer viruses that can cause serious damage to University resources (computers, systems, servers, etc.)
- May be sent by a counterfeit address that looks legitimate, thereby tricking recipients into taking a harmful action (like opening up a virus-infected attachment, divulging personal information, etc.)
- May be an annoyance to recipients
- May take up valuable storage space on computers and servers
- Is an increasing drain on operating budgets (cost of unproductive time, anti-spam software, additional hardware…)
- Uses valuable and limited network bandwidth
- May contain inappropriate content
Spoofing aims to trick users into taking actions that aren’t in their best interest. For example, users might be tricked into believing false information or into divulging confidential information such as access authorization details, passwords, and other sensitive data. Spoofing can mean:
- Impersonating a person, organization, agency, or server without permission.
- “Faking the origin; for example, forging mail headers to make it appear that messages originated elsewhere. . . . These messages were not from the administrators, but from intruders trying to steal accounts. . . . it would be possible to 'filter' valuable information, possibly without the parties concerned ever knowing that it had occurred.” http://www.itsecurity.com/security.htm?s=703
Phishing uses spoofing in order to steal the user’s personal information. According to Webopedia, phishing is:
“(v.) pronounced 'fishing,' the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user’s information. For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a Web site look like a legitimate organization’s site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information. By spamming large groups of people, the ‘phisher’ counted on the e-mail being read by a percentage of people who actually had listed credit card numbers with eBay legitimately. Phishing, also referred to as brand spoofing or carding, is a variation on ‘fishing,’ the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting.”
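As an added defender-side example (not part of the original page or the sources it quotes), the Python check below looks for the two tells described above: a sender display name that claims a brand the real sender domain does not match, and link text that shows one host while the href points to another. The sample message, the documentation-range IP address and the brand-matching heuristic are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the page): display name claims one brand, the sender
# domain is unrelated, and the link's visible text names a different host than its href.
SAMPLE_MESSAGE = """\
From: "eBay Billing" <billing@example-mail.test>
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<a href="http://198.51.100.7/update">http://www.ebay.com/update</a>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    """Return indicators of a forged origin or misleading link ([] when none are found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = msg["From"].addresses[0]
    domain, findings = sender.domain.lower(), []
    # Crude heuristic: the brand named first in the display name should appear in the real domain.
    claimed = sender.display_name.split()[0].lower() if sender.display_name else ""
    if claimed and claimed not in domain:
        findings.append(f"display name '{sender.display_name}' does not match sender domain '{domain}'")
    if (body := msg.get_body(preferencelist=("html",))) is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and real and shown != real:  # visible URL and real target disagree
                findings.append(f"link text shows '{shown}' but points to '{real}'")
    return findings
```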
- Don’t be fooled by “phishing” e-mails. Take the SonicWALL Phishing IQ Test II and see if you can tell the phishing e-mails from the real ones: http://www.sonicwall.com/phishing/
- Follow best practices for handling junk mail.
- Check out a report issued by Canada's Department of Public Safety and Emergency Preparedness and the United States Department of Justice: Public Advisory Phishing: An emerging trend in identity theft (PDF file).