Gone phishing

Phishing

Identity theft and credit card fraud are probably familiar terms to most people, and more and more people are also becoming aware of what is known as phishing.

In this article we look at phishing and how to beat it!

What is phishing?

Phishing is the term given to attempts to extract personal information from someone without them necessarily being aware of what they are doing. It comes in many guises and often uses something called social engineering, which is essentially hacking a human!

How to hack a human

I.T. administrators are becoming more and more aware of security and of securing their systems. A hacker will always go for a system's weakest point, and as I.T. systems rapidly become more secure the would-be hacker has to find new weak spots.

In recent years this weak spot has become you, the end user. The hacker will play on your weaknesses, ignorance and trust, which is what we call social engineering.

How does phishing work?

Phishing is usually done via email, although there are other methods, including trojans and viruses, so it is important to protect yourself; see also: Free security tools and utilities.

In many cases you will receive an email claiming to be from a well-known business. Examples include:

  • Banks and financial institutions
  • Email providers
  • eBay and PayPal

The emails will usually ask you to go to a website to verify or update your details. They may claim there is some kind of problem with your account.

The email will contain a link that points to what looks like the official business's site; however, it is a fake that simply saves any details you enter so the hacker can use them.

How to avoid being a victim

Identifying phishing can sometimes be tricky, but there are a number of ways to keep yourself safe. Below are some general pointers; however, we recommend you check out some of the useful links provided in this article for more information.

  • Always be suspicious of any emails requesting personal details of any sort.
  • Do not follow links in emails that request details. Always visit a site by entering the web address in the address bar then navigating to the appropriate page. If in doubt contact the site directly using an appropriate email address or phone number.
  • Never ever give out your bank card PIN to anyone under any circumstances!
  • Always treat your email account username and password with the utmost care. It is the gateway to ALL your details and can be used to obtain further usernames and passwords by a hacker.
  • Verify that the address in the address bar is correct. An illegitimate address can often be disguised as a legitimate one.
    For example:
    http://www.ebay.com.authentication.dbnetsolutions.co.uk/login/auth?W4dED3eR could be a valid site address, but it is NOT eBay's even if it looks like it.
  • Verify any security certificates on secure sites, as almost all sites requesting personal information will use an SSL security certificate.
  • Monitor your bank statements and account details carefully and check any actions or transactions regularly.
  • Change passwords regularly and try to avoid using the same username and/or password across multiple sites. This means if one account becomes compromised it is harder (but not impossible) for the hacker to obtain further account details.
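The address-bar check above is the one most people get wrong, because the eye stops at the familiar name near the start of the host. The script below is an added example (written for this editing pass, not part of the original article) that shows what the browser actually does: it takes the link from the bullet above, finds the part of the host that somebody really registered, and compares that to the site the email claims to be from. The PUBLIC_SUFFIXES set is a deliberately tiny constructed subset of the real Public Suffix List, and the two extra sample links are constructed for illustration.

```python
"""Does a link really belong to the site it appears to name?

Added example for the phishing article; the public-suffix list is a
constructed subset and would be the full Public Suffix List in real use.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: a tiny, constructed subset of public suffixes. Enough for the
# article's example; a real checker loads the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a host that was actually registered.

    'www.ebay.com.authentication.dbnetsolutions.co.uk' -> 'dbnetsolutions.co.uk'
    'www.ebay.com'                                      -> 'ebay.com'
    A bare IP address is returned unchanged: nobody "registered" it.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass  # not an IP literal, carry on with label matching
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest, so 'co.uk'
    # is found before 'uk'. The label just before the suffix is the
    # registered name; everything to its left is under that owner's control.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is only a public suffix")
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def link_belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the link's registrable domain equals expected_domain.

    urlsplit().hostname already discards the user-info trick
    ('http://www.ebay.com@203.0.113.5/'), so the name before '@' is ignored.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    return registrable_domain(host) == expected_domain.lower()


def explain(url: str, expected_domain: str) -> str:
    """One-line verdict suitable for showing to a user."""
    host = urlsplit(url).hostname
    if not host:
        return f"{url!r} has no host at all"
    if link_belongs_to(url, expected_domain):
        return f"{host} belongs to {expected_domain}"
    return f"{host} is NOT {expected_domain}: it is really {registrable_domain(host)}"


# The first link is the article's own example; the other two are constructed.
SAMPLE_LINKS = [
    "http://www.ebay.com.authentication.dbnetsolutions.co.uk/login/auth?W4dED3eR",
    "https://www.ebay.com/",
    "http://www.ebay.com@203.0.113.5/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(explain(link, "ebay.com"))
```

The point the output makes is that the familiar text at the front of the host is just a subdomain that the owner of dbnetsolutions.co.uk chose; only the labels immediately to the left of the public suffix identify who you are really talking to, and that is what a browser's padlock and certificate are tied to.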

What to do if you think you have been caught out

You may not know immediately that you have been caught, but it is important you act quickly and calmly to cover all your bases and limit any further damage. Keep detailed records of what you did and when, and keep a record of all correspondence.

  • Inform your bank if you have given out any bank details, or any information that may allow a hacker to obtain bank details. It is advisable to close any affected account and open a new one.
  • Inform the business concerned giving them complete details of how you were targeted and the details you provided.
  • Change any usernames and passwords that you gave out or could be obtained. Don't forget to change password reminders.
  • Inform any related parties. For example if your mistake could compromise friends or family or the company you work for you should make them aware of the situation so they can protect their interests.
  • Change your email account if your email address is compromised, making sure you notify everyone who may contact you, including websites you have signed up to with this email account.

How to report it

Businesses that are targeted usually have some kind of fraud or abuse department to which you can email details. If you receive one of these emails you should always forward it to them so that they can investigate and have the offending site shut down.

If you are fairly I.T. literate you can use trace routes and whois tools to identify the ISP hosting the offending site. No legitimate ISP wants this sort of site on its network, and it will take steps to shut it down.

Conclusion

Phishing is a huge and growing concern, and many people and businesses are finding themselves caught out. Yet with a little thought and education the risk of being caught out can be greatly reduced.

The good news is that businesses are taking steps to overcome these issues, such as user education and system security. The next release of Internet Explorer (version 7, now in beta testing) adds security features including anti-phishing.

Useful links
