Topic: Privacy Protection|Level: Beginner
What is Phishing?
More specifically what I'm referring to is "website forgery". It's a scam where you are taken to a website and asked to log in. However the website you're taken to is not the real website; rather it's a malicious group that has built a site that looks just like the original site and when you try to log in they record your username & password.
So how do you protect yourself?
If you're ever on "Site A" and click a link to "Site B" you potentially could be on a phishing site.
What you have to do is look at your browser's address bar and know the real "domain name" of the site you want.
The domain name is the shortest, simplest part of a website such as "blogger.com", "twitter.com", or "wikipedia.org". A company can prefix their domain name with any number of subdomains they wish. These subdomains will always come before, to the left of the root domain name. So en.twitter.com is still twitter.com, but twitter.somebadthing.com is not twitter.com, it's somebadthing.com which would probably have nothing to do with twitter.com. somebadthing.com would probably then make their homepage to look just like twitter.com complete with the login fields. You then log in, they record your credentials and can even then forward you through the real twitter.com login so you'd probably never even know you just got phished.
So any time you're about to log in to a website that you didn't enter the address in your browser's address bar yourself always check the address of the page before you log in.
An entire website address will start with a protocol ("http://" or "https://"), then may have any number of subdomains before the root domain. But they all will come before any slash ("/") characters.
So...
http://www.twitter.com/ is twitter.com; safe.
https://register.facebook.com/editaccount.php is facebook.com; safe.
https://bankofamerica.com. somebadthing.com/ is somebadthing.com; not Bank Of America. Putting a legitimate name as a subdomain of a malicious name is a common way to trick people.
http://security. somebadthing.com/facebook.com/login.aspx is still somebadthing.com. Putting the legitimate domain name as a subfolder (after the "/") is another way.
http://www.myspace.net/ is myspace.net; not myspace.com Using a different root name such .net instead of .com could be used for phishing. Although most companies when they register a .com name, they also get .net and any others that are appropriate and then if you use the .net they automatically direct you back to the .com. But still to be safe always use the one you know for certain is the one you want.
http://www.wikepidia.com is not wikipedia.com. Using a misspelled domain name is another way.