What is Phishing?

Phishing is a term used to describe how a hacker attempts to get a user to type their password into the hacker's website by sending the user a fake email.

The hacker would first create a new website that looks just like another website, such as a bank's, then create an email that looks like it was sent from the bank and contains a link to the new fake website.

When the user receives the email, they are likely to believe it was sent from their bank (if they do bank with them), and click the link to log in to their bank account, without realising the website they are looking at is a fake clone.  As soon as the user enters the password, it is stored and sent back to the hacker.  The website will likely say the password is incorrect, or redirect them to the real website for them to try again.

Once the hacker has the password, they will then use it to log in to your account to take control of it.

How to report phishing attempts

There are a number of places to report phishing.  We would recommend that most users action the first two tasks, but if you really want to help make sure it's taken down quickly and give the hacker a real headache, we suggest doing all of these steps.

Report the phishing email to your email supplier

Many email systems (such as Gmail) have an easy option to report phishing emails back to them.  It works similarly to how spam emails are controlled.  If you right click on the email summary you may get an option to ‘Report Phishing’.  If there is nothing within your email system to report it, then mark the email as ‘Spam’ or ‘Junk’ instead.  This will move it to your spam/junk folder, will do the same for similar emails in future, and often teaches the system to help other users too.

Report the IP address of where the email originated from

Every email has hidden header information which contains details of where the email really came from, including all the servers it hopped through to get to your email server, so make sure you pick out the IP address of the originating server.  Sometimes the source IP is not a public IP address (such as 192.168.1.1), which is no good; if this is the case, the next one in the list is usually the public IP address you need.

Once you have found the source IP address you need to do a whois lookup for it, which will tell you who is responsible for that block of IP addresses and which address to email to report abuse of it.  Email them; tell them which IP address was used to send the phishing email and when it was sent.  In most cases though these email addresses are not regularly monitored, sometimes not at all, or sometimes they just reply with a link to where you can really make contact.

The IP whois information will often give the organisation name.  Do a normal internet search for that name to find their official website and see if they have any ‘abuse’ report forms, or other contact information which you can send the phishing details to.
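The header step described above, as an added example that is not part of the original page: it walks the `Received` headers from the earliest hop upwards and returns the first IPv4 address that is not private, which is the one to put through whois. The sample message is constructed and the function names are illustrative; the non-routable ranges are listed explicitly because the sample uses RFC 5737 documentation addresses to stand in for public ones.

```python
import email
import ipaddress
import re

# Ranges nobody can act on a report for: private, loopback, link-local, CGNAT.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed sample headers (not a real email). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for public addresses.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby inbox.example.org with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.example.com (unknown [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Received: from [192.168.1.1] (localhost [127.0.0.1])
\tby relay.example.com with ESMTP; Tue, 02 Jan 2024 10:00:01 +0000
From: "Your Bank" <security@example.com>
Subject: Please verify your account

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_public(ip):
    return not any(ip in net for net in NON_PUBLIC)

def originating_public_ip(raw_message):
    msg = email.message_from_string(raw_message)
    # Each server prepends its Received header, so the last one is the earliest hop.
    for header in reversed(msg.get_all("Received", [])):
        for text in IPV4.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if is_public(ip):
                return str(ip)
    return None

if __name__ == "__main__":
    print(originating_public_ip(SAMPLE))
```

`Received` lines written before the message reached a server you trust can be forged by the sender, so treat the result as a lead to report rather than proof of origin.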

Report website to the domain registrar

There are rules for which domain names can be used, which are set by each of the registrars.  If you do a whois lookup on the domain name, it is supposed to tell you the owner information; most of the time today this is obscured, but there will be information about which domain registrar was used.  Do an internet search for that registrar and you will often find a page on their website to report domain names which are being abused.  Submitting a report to the registrar with an example link will often result in the domain name being suspended, although it can take days or even weeks as there is often a review process before it happens.

Scammers tend to use registrars which don’t comply very quickly with these requests, registrars such as:

Report website to their hosting provider

For a website to be live, someone needs to be running the hosting server.  There are many server farms around the world, and nearly all of them will not tolerate their servers being used for phishing scams.  Use a DNS lookup to find the IP address of the website, then use a whois lookup on this IP to find who owns that IP block.  The owner of that IP block will be associated with the server hosting; sometimes it's a single organisation, other times it's two separate organisations working closely together.  Find the organisation name of the IP block and do an internet search to find their website.  There will often be a link or a contact form to report web hosting abuse.