Phishing attacks
Isabelle Raja
The easiest way to get something is to ask for it.
A phishing attack, a method particularly liked by online fraudsters to swindle
people out of their money, is based on this axiom. Over the years, it has been
tried, tested and improved. Fortunately, perfection has not been achieved yet,
leaving a ray of hope for potential victims to escape.
The trap
When you receive an e-mail asking you to visit your bank's web site, it
signifies the beginning of a phishing fraud. The e-mail would usually provide
a link to your bank's web site and ask you to click the link. It would
ask you to provide certain confidential banking information like your account
number, credit card number etc., failing which your account would be doomed.
There would be a sense of urgency and panic in the e-mail.
At this point, if you are a worldly-wise person, and have been through your
bank's web site literature, you would immediately sense the phony tone
of the e-mail. You would gently press the delete button and move on to the next
message.
Giving it away
If for some reason you have no idea about phishing attacks, and you are not
particularly intuitive to danger, you will move on and act as the e-mail dictates.
You will click the link provided for your convenience. Again, a vague memory
from the past would nudge you. There is something amiss. The last time you visited
the bank, it was a different URL. If you stop here to try the bank's URL
as you remember it, you will find out that the link you clicked is in no way
affiliated to your bank. You will be saved. But alas! If you gently pass this
step, you will find the phony page downloading and unfurling before you. It
would look exactly like that of your bank, complete with the logo, content
and disclaimers. Whatever vague discomfort you felt about the URL would be removed
from your mind. You will begin entering your net banking id and password, which
would promptly get logged in the fraudsters' database. Once you log in,
you will be asked to provide your credit card number, or account number, or
both, whichever the fraudsters are interested in. If even at this point you
do not suspect foul play, you join the phishing victims. The next thing you
will realize is a feeling similar to that of waking up from a nightmare and
realizing it wasn't a nightmare but reality. Your hard-earned money becomes
somebody else's easy money.
The art of phishing
This is typically how phishing attacks work. Recent phishing attacks were carried
out against customers of MSN, AOL, and eBay. Customers of Indian banks like
ICICI and Citibank have also been targeted. Despite the growing awareness of
this kind of attack, many people continue to be victimized by such frauds. According
to www.antiphishing.org, 5 percent of all recipients of such fraudulent e-mail
fall victim to the scam. One of the main reasons for this attack's efficiency
is its increasing sophistication. Even the target institution's official
logo is forged in order to confer a sense of authenticity to the fraudulent
web page. These fraudulent e-mails look and read differently from the previous
ones so as to avoid recognition. According to reports from www.antiphishing.org,
the number of unique phishing attacks in the month of May 2004 was 1197. This
has rendered the task of identifying authentic communications from banks and
other financial institutions very difficult.
Protecting your treasure chest
Fortunately, many financial institutions in India are moving towards digitally
signed e-mail to their customers. Customers can verify the signature in the
e-mail before responding to them. This is an efficient way to identify fraudulent
e-mails, since there is no way fraudsters can digitally sign their e-mails with
the bank's private key. However, if you are one of those whose bank does
not sign their electronic communications, it is imperative that you treat all
such communications to you with care. There is no reason to panic, and most of
these attacks can be easily thwarted if you take the trouble to verify the authenticity
of the e-mail. Some of the things you can do to avoid being a victim of phishing
attacks, if your bank does not digitally sign e-mails to customers, are listed
in the box, Stop phishing.
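The mechanism this paragraph relies on, shown as an added example that is not part of the original article and not any bank's software: the bank signs the message body with its private key, and the customer (or the mail client) verifies it with the bank's published public key. The example uses Ed25519 from Go's standard library rather than the S/MIME or PGP formats a bank would actually use; the SignedMail structure, the message text and the host bank.example are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedMail stands in for a digitally signed e-mail: the body the customer
// reads plus a detached signature over it. Hypothetical structure for this
// example; real banks would use S/MIME or PGP.
type SignedMail struct {
	Body      string
	Signature string // base64-encoded Ed25519 signature over Body
}

// SignMail is the bank's side: only the holder of the private key can do this.
func SignMail(priv ed25519.PrivateKey, body string) SignedMail {
	sig := ed25519.Sign(priv, []byte(body))
	return SignedMail{Body: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// VerifyMail is the customer's side: it needs only the bank's public key and
// accepts the message only if the signature is valid for exactly this body.
func VerifyMail(pub ed25519.PublicKey, m SignedMail) bool {
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(m.Body), sig)
}

// Scenario plays out the three cases the article's argument rests on and
// reports whether each one passes verification against the bank's key.
func Scenario() (genuineOK, tamperedOK, forgedOK bool) {
	bankPub, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, fraudPriv, err := ed25519.GenerateKey(rand.Reader) // the fraudster's own key
	if err != nil {
		panic(err)
	}

	// Case 1: constructed genuine message; bank.example is a placeholder host.
	body := "Dear customer, your statement is ready at https://www.bank.example/"
	genuine := SignMail(bankPriv, body)
	genuineOK = VerifyMail(bankPub, genuine)

	// Case 2: the bank's signature is kept but a look-alike link is swapped in.
	tampered := genuine
	tampered.Body = strings.Replace(body, "www.bank.example", "www.bank-example.test", 1)
	tamperedOK = VerifyMail(bankPub, tampered)

	// Case 3: the altered body is signed with a key that is not the bank's.
	forged := SignMail(fraudPriv, tampered.Body)
	forgedOK = VerifyMail(bankPub, forged)
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Printf("genuine verifies: %v\ntampered verifies: %v\nforged verifies: %v\n", g, t, f)
}
```

Only the genuine message verifies; changing a single character of the body or signing with any other key fails, which is exactly why a fraudster without the bank's private key cannot produce a passing message. The check is only as good as the customer's copy of the bank's public key, so that key has to come from the bank itself (or a certificate the mail client already trusts), not from the e-mail being checked.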
The author is a security
consultant with Odyssey Technologies. He can be reached at bella@odysseytec.com
Stop phishing
1. Check to see if the e-mail is indeed from your bank and not from just any bank. If it isn't, stop reading further.
2. If the e-mail is not personally addressed to you, it is most probably a fraud.
3. Check the language and spelling of the text contained in the e-mail. If you find misspelled words or substandard language, conclude that it is not from your bank.
4. If the e-mail urges you to act immediately without delay, failing which your account will be closed down, stop reading it. It is not from your bank.
5. If there is anything that even remotely feels wrong, stop. If something feels wrong, it is most probably wrong.
6. Never click any link given inside the e-mail message. Instead, directly type the URL of the financial institution.
7. If you do not know the URL of your bank's web site, take the time to call them immediately to find out.
8. Never provide your personal information to anybody, come what may.
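Items 6 and 7 of the box come down to one question: does a link in the e-mail actually point at the bank's own web site? The following Go program, an added example that is not part of the original article, pulls every link out of a constructed sample message and compares its host with the bank's known host (bank.example, a placeholder, which also covers www.bank.example). It flags the ways a link can look like the bank's and still lead elsewhere: a look-alike domain, the bank's name used as a subdomain of somebody else's domain, the bank's name placed before an @ so the browser goes to the host after it, and plain http where the bank uses https. SampleMail, CheckLink, AuditMail and the 203.0.113.5 address are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// LinkVerdict records one link from an e-mail and whether it can be the bank's.
type LinkVerdict struct {
	URL    string
	OK     bool
	Reason string
}

// linkRE finds http(s) links in plain text; sufficient for this example.
var linkRE = regexp.MustCompile(`https?://[^\s<>"']+`)

// CheckLink decides whether raw points at the bank whose real host is bankHost.
// Anything not provably the bank's is rejected, with a reason a user can act on.
func CheckLink(raw, bankHost string) LinkVerdict {
	v := LinkVerdict{URL: raw}
	u, err := url.Parse(raw)
	if err != nil {
		v.Reason = "unparseable URL"
		return v
	}
	if u.Scheme != "https" {
		v.Reason = "not https; the bank's login page is served over TLS"
		return v
	}
	if u.User != nil {
		// https://www.bank.example@203.0.113.5/ shows the bank's name but the
		// browser connects to 203.0.113.5; the part before '@' is just userinfo.
		v.Reason = "bank name appears before '@'; the real host is " + u.Hostname()
		return v
	}
	host := strings.ToLower(u.Hostname())
	bankHost = strings.ToLower(bankHost)
	if host != bankHost && !strings.HasSuffix(host, "."+bankHost) {
		// Catches look-alikes (bank-example.test) and the bank's name used as a
		// subdomain of someone else's domain (www.bank.example.attacker.test).
		v.Reason = "host " + host + " is not " + bankHost + " or a subdomain of it"
		return v
	}
	v.OK = true
	v.Reason = "host belongs to " + bankHost
	return v
}

// AuditMail runs CheckLink over every link found in the message body.
func AuditMail(body, bankHost string) []LinkVerdict {
	var out []LinkVerdict
	for _, raw := range linkRE.FindAllString(body, -1) {
		out = append(out, CheckLink(raw, bankHost))
	}
	return out
}

// SampleMail is a constructed message in the style the article describes:
// urgency plus links that only look like the bank's.
const SampleMail = `Dear valued customer,
Your account will be closed within 24 hours unless you confirm your details
at https://www.bank.example/login
(or http://www.bank.example/login if the secure site is slow),
or via our mirror https://www.bank.example.attacker.test/login
or https://www.bank.example@203.0.113.5/login
or https://bank-example.test/login`

func main() {
	for _, v := range AuditMail(SampleMail, "bank.example") {
		fmt.Printf("%-50s ok=%-5v %s\n", v.URL, v.OK, v.Reason)
	}
}
```

Of the five links in the sample, only the first passes. In HTML mail the text you see and the address the link opens can differ, so a check like this has to look at the link's actual destination, not the displayed text; typing the bank's URL yourself, as item 6 says, sidesteps the problem entirely.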