What is Phishing?

Phishing is a term used to describe how a hacker attempts to get a user to type their password into the hacker’s website by sending them what looks like an email from their bank (or similar organisation).

The hacker first creates a new website and makes it look exactly like another website, such as a bank’s.  Then they craft an email that looks like it was sent from the bank, but it contains a link to the new fake website.

When the user receives the email, they are likely to believe it was sent from their bank, and so will click the link to log in to their account.  As soon as the user enters the password, it is stored and forwarded to the hacker.  Since the website is not the real one, the user won’t be able to log in, so the fake website will just announce that the password entered was incorrect and redirect the user to the real website so that their second attempt will work.

Once the hacker has the password, they will use it to log in to your account.  They will transfer money from your account into theirs, then transfer it again into cryptocurrency so that it can’t be returned to you.

How to detect phishing

Check where the email came from.  Often when you take a second look you may notice the email address is not quite right, or doesn’t match the name at all.  Sometimes, though, the address can look perfectly fine, since any email address can easily be spoofed.

The second thing to do is to look at the link it’s suggesting you visit.  Often the link displayed isn’t the actual address it will go to.  If you hover your mouse over the link, a small popup should appear displaying the actual link address.

Often the link address is just a short URL that doesn’t tell you much.  If this is the case, here is a tool that you can copy and paste the link into, and it will tell you where the link will lead: websiteplanet.com/webtools/redirected/

How to report phishing attempts

If you receive a phishing email, it’s important that you report it; this will help stop others receiving the same email, and makes sure the hackers don’t receive money for their scam.

There are a number of places to report phishing, and we recommend that most users carry out the first two tasks listed below.  If you really like to give the hacker a hard time, we suggest doing all of these steps.

Report the phishing email to your email supplier

Many email systems (such as Gmail) have an easy option to report phishing emails back to them.  It works similarly to how spam emails are controlled.  If you right click on the email summary you may get an option to ‘Report Phishing’.  If there is nothing within your email system to report it, then mark the email as ‘Spam’ or ‘Junk’ instead.  This will move it to your spam/junk folder, will do the same for future similar emails, and often teaches the system to help other users too.

Report the IP address of where the email originated from

Every email has hidden header information which contains details of where the email really came from, including all the servers it hopped through to get to your email server, so make sure you pick out the IP address of the originating server.  Sometimes the source IP is not a public IP address (such as 192.168.1.1), which is no good; if this is the case, the next one in the list is usually the public IP address you need.

Once you have found the source IP address you need to do a whois lookup for it, which will tell you who is responsible for that block of IP addresses and where to email the people who handle abuse of it.  Email them; tell them which IP address was used to send the phishing email and when it was sent.  In most cases, though, these email addresses are not regularly monitored, sometimes not at all, or sometimes they just reply with a link to where you can really make contact.

The IP whois information will often give the organisation name.  Do a normal internet search for that name to find their official website and see if they have any ‘abuse’ report forms, or other contact information which you can send the phishing details to.
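
Picking the originating address out of the headers can be automated. The following is an added example, not part of the original article; it reads the Received headers of a constructed sample email from the first hop onwards and returns the first address that is not private, which is the one to take to a whois lookup.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers using documentation address ranges (not a real email).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.25])
\tby inbound.example.org with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from desktop (unknown [192.168.1.1])
\tby relay.example.com with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
From: "Your Bank" <support@bank.example>
Subject: Verify your account

Please log in.
"""

# Ranges that are useless for an abuse report: private, loopback, link-local, CGNAT.
# An explicit list is used because ipaddress.is_global also rejects the
# documentation ranges that the sample above relies on.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def originating_ip(raw_email):
    """Return the first public IP, reading Received headers from oldest to newest."""
    hops = message_from_string(raw_email).get_all("Received") or []
    for hop in reversed(hops):  # servers prepend, so the last header is the first hop
        for text in BRACKETED.findall(hop):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not an IP address
            if not any(addr in net for net in NON_PUBLIC):
                return str(addr)
    return None

if __name__ == "__main__":
    print(originating_ip(SAMPLE))
```

Received lines written before the message reached a server you trust can be forged by the sender, so compare the result with the hop recorded by your own mail provider before reporting it.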

Report website to the domain registrar

There are rules for which domain names can be used, which are set by each of the registrars.  If you do a whois lookup on the domain name, it is supposed to tell you the owner information; most of the time today this is obscured, but there will be information about which domain registrar was used.  Do an internet search for that registrar and you will often find a page on their website to report domain names which are being abused.  Submitting a report to the registrar with an example link will often result in the domain name being suspended, although it can take days or even weeks as there is often a review process before it happens.

Scammers tend to use registrars which don’t comply very quickly with these requests, registrars such as:

Report website to their hosting provider

For a website to be live, someone needs to be running the hosting server.  There are many server farms around the world, and nearly all of them will not tolerate their servers being used for phishing scams.  Use a DNS lookup to find the IP address of the website, then use a whois lookup on this IP to find who owns that IP block.  The owner of that IP block will be associated with the server hosting; sometimes it’s a single organisation, other times it’s two separate organisations that work closely together.  Find the organisation name of the IP block and do an internet search to find their website.  There will often be a link or a contact form to report web hosting abuse.