Phishing in a troubled Web
Whenever I'm deleting spam from my official
e-mail account (and that's pretty often, since my e-mail
address is widely published and publicised) I've always
wondered who on earth could possibly be idiot enough to fall for
all the bizarre schemes and scams in that spam. Well, it turns out
that at least a couple of million folk in the US have been so conned,
if a recently-published study by research-firm Gartner is anything
to go by.
The Gartner study covered a particularly crafty and dangerous
form of spam known as phishing. A phishing attack is one in which you receive
a fraudulent e-mail purporting to originate from a legitimate financial institution,
bank, online shopping site or similar outfit. The e-mail usually has a link
that takes you to a site disguised to look like the original, wherein you're
asked to enter your credit-card details, account passwords and other personal
information based on some ingeniously contrived pretext or the other, which
obviously seems even more plausible and above-board if you are a customer or
user of the website or service in question. The information thus gleaned could
then be used by cyber criminals to purchase goods and services, transfer money
from accounts or commit even more sinister crimes using the stolen identity.
The Gartner study says that 57 million Americans received phishing e-mail in
the last 12 months, 11 million actually clicked on the links provided in the
mail, and a whopping 1.78 million swallowed the bait and gave away their personal
or financial data to the phishers. The resultant identity theft fraud against
these phishing victims forced US banks and credit-card companies to cough up
around $1.2 billion last year.
Veteran Net surfers find it hard to believe how anyone can fall for such obvious
scams, but you need to take just one look at newbies fumbling through basic
Web navigation and e-mail handling to realise how vulnerable they really are.
Perhaps we've all made mistakes while cutting our Web teeth, but that was
luckily at a time when things were much safer online and e-commerce was anyway
virtually non-existent. But phishing is a rapidly growing menace (as anyone
who regularly uses e-mail would testify), and while the current targets are
mostly American users of U.S. Bank, Citibank, eBay and PayPal, it won't
be long before Indian banks are targeted too. Indeed, recently, a phishing website
purporting to be an official fund-raising operation for the US presidential
candidate John Kerry, was actually registered in Jaipur.
Okay, so you need to be gullible to bite the phishing bait. But even if you're
the vigilant and wary type, you could be the unwitting and inadvertent victim
of another growing Internet threat: spyware. At its most benign, spyware
is euphemistically known as adware, an innocuous program which displays pop-up
ads as you surf the Net. Usually, such adware is bundled along with shareware,
freeware, or peer-to-peer software that the user has voluntarily downloaded.
A more sinister form of spyware is the type that automatically and stealthily
installs itself on your computer when you have merely visited a particular website.
This spyware tracks your online activities and then when you visit specific
sites, sneakily pops up advertisements of those sites' competitors or other
rival services. At its most menacing, spyware could be designed for keystroke
logging, an extreme (and rare) form of phishing in which the spyware records
and transmits every keystroke typed by the user, among which could well be passwords
and credit-card numbers.
Scary enough for you? Wait, there's more. Even if you manage to steer clear
of phishing and spyware, you may have to suffer because of security lapses on
the part of your legitimate online-shopping site. I shop quite a bit on popular
Indian shopping websites and was horrified to suddenly notice one fine day that
on one of those websites the credit-card information was being solicited and
transmitted on a non-secure page! Apparently, changes in the site architecture
caused the slip-up, which since seems to have been fixed. The same site offers
to store your credit-card info on its servers to save you the trouble of re-entering
the details each time you buy something. Fat chance!
In fact I've now come to the conclusion that it's wise to never reveal
your primary credit-card number online (except, of course, directly on your
actual bank or credit-card website, which hopefully is more secure than Fort
Knox). Am I recommending then that you stop all online shopping and e-commerce?
No way! The many benefits of shopping online, including unmatchable convenience, far
outweigh the risks. Minimise or eliminate the risks by instead using a virtual
card with a virtual number for one-time use, with a specified limit and validity
period; in many ways, this option is even safer than using a physical credit
card in the real world. I've found that HDFC Bank's NetSafe facility
serves this purpose quite adequately, and in the rare event that your virtual
card does get misused, your liability, if any, would be a very limited one indeed.
As for the threat of phishing, simply do not reveal financial details or passwords
in response to an e-mail request to do so, even if you have dealt with the company
before, and no matter how authentic the request seems. And, one of the simplest
and most effective ways to weed that spyware out from your personal computer
is Patrick Kolla's freeware program Spybot Search & Destroy. Stay online
certainly, but do stay safe.
Val Souza, Editor
valsouza@expresscomputeronline.com