Gone phishing

Published : Sunday 7 May 2006

Phishing is an increasingly pervasive problem in the digital world, with individuals and businesses alike being targeted ...

Please note: this content is 15+ years old, from a time when I produced content for SEO and key word purposes. It may be of lower quality and no longer accurate.

Identity theft and credit card fraud are probably familiar terms to most people and more and more people are becoming aware of what is known as phishing.

In this article we look at phishing and how to beat it!

What is phishing?

Phishing is the term given to the method of trying to extract personal information from someone without them necessarily being aware of what they are doing. It comes in many guises and often uses something called social engineering, which is essentially hacking a human!

How to hack a human

I.T. administrators are becoming more and more aware of security and securing their systems. A hacker will always go for a system's weakest point, and as I.T. systems rapidly become more secure the potential hacker has to find new weak spots.

In recent years this weak spot has become you, the end user. The hacker will play on your weaknesses, ignorance and trust which is what we call social engineering.

How does phishing work?

Phishing is often done via email and sometimes messaging, although there are other methods including trojans and viruses, so it is important to protect yourself. It can also occur when you visit a dubious website which tries to trick you into entering details or “contacting support”.

In a lot of cases you will receive an email claiming to be from a well known business. Examples include :

  • Banks and financial institutions
  • Email providers
  • Amazon, eBay and PayPal
  • Your ISP or telecoms company
  • Service providers such as Microsoft

The messages will usually ask you to go to a website to verify or update your details. They may claim there is some kind of problem with your account.

The email will contain a link that points to what looks like the official business. However, it is a fake and simply saves any details you enter so the hacker can use them.

Sometimes you will be directed to call support to resolve your problem and, increasingly, you may also receive a call out of the blue.

How to avoid being a victim

Identifying phishing can sometimes be tricky and there are a number of ways to keep yourself safe. It’s a cat and mouse game and as technology and protection methods progress, so do scammers.

Below are some general pointers, however we recommend you check out some of the useful links provided in this article for more information.

  • Be suspicious of any phone calls or messages you receive requesting personal details.
  • Never ever give out your password or bank card PIN to anyone under any circumstances! No legitimate company will ever ask for these details.
  • Always treat your email account username and password with the utmost care and where possible enable two-factor authentication.
  • Do not follow links in emails that request details.
  • Visit important sites such as email and banking using the correct web address. Do not do it via search engines or email links.
  • If you must access via other means, very carefully verify the address in the address bar and security certificate.
  • If someone contacts you, be suspicious. You can always ask for a reference number, hang up and call back on a number you can verify.
  • Avoid using the same password across all websites, so that if one gets compromised, the others remain secure.

Remember it is easy for scammers to fake web addresses and to “spoof” (fake) website and email addresses.

For example : https://www.ebay.com.authentication.dbnetsolutions.co.uk/login/auth?W4dED3eR could be a valid website address but it is NOT eBay’s even if it looks like it.
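The check described above, as an added example that is not part of the original article: a web address belongs to whoever owns the last part of the host name, so the code reads the host from right to left and flags a brand name that only appears further left. The suffix set, the brand allow-list and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List (assumption);
# real tooling should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}

# Hypothetical allow-list: brand name -> domains that brand really uses.
KNOWN_BRANDS = {"ebay": {"ebay.com", "ebay.co.uk"}, "paypal": {"paypal.com"}}


def registrable_domain(host):
    """Return the part of the host that is actually registered by its owner."""
    labels = host.lower().rstrip(".").split(".")
    # For suffixes such as co.uk the owner's label is the third from the right.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """Classify a link as 'official', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    for brand, official in KNOWN_BRANDS.items():
        if domain in official:
            return ("official", domain, brand)
    # A brand name used as a sub-domain label of somebody else's domain.
    for brand in KNOWN_BRANDS:
        if brand in host.split("."):
            return ("lookalike", domain, brand)
    return ("unknown", domain, None)


if __name__ == "__main__":
    # First URL is the one quoted in the article; the second is constructed.
    for link in (
        "https://www.ebay.com.authentication.dbnetsolutions.co.uk/login/auth?W4dED3eR",
        "https://www.ebay.com/signin",
    ):
        print(check_link(link), link)
```
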

What to do if you think you have been caught out

You may not know you have been caught immediately, but it is important you act quickly and calmly to cover all your bases and limit any further damage. You should keep detailed records of what you did and when, and keep a record of all correspondence.

  • Inform your bank if you have given out any bank details or any information that may allow a hacker to obtain bank details.
  • Inform the business concerned giving them details of how you were targeted and the details you provided.
  • Change any passwords that you gave out or could be obtained. Don’t forget to change password reminders.
  • Inform any related parties. For example if your mistake could compromise friends or family or the company you work for you should make them aware of the situation so they can protect their interests.
  • Ensure your email account is secure, change the password and enable 2 factor authentication if necessary.

How to report it

If it involves financial transactions or your bank, always make them aware. You can usually contact them through a fraud phone number.

Larger businesses who are targeted usually have some kind of fraud or abuse department which you can email details to. If you receive one of these emails you should always forward it on to them.

If you are fairly I.T. literate you can use trace routes and whois tools to identify who is sending or hosting the offending information and report it to the relevant ISP or hosting provider.

Security software companies (such as your virus checker) usually have email addresses to which emails can be forwarded, as this helps them improve their software.

Conclusion

Phishing is a huge and growing concern and many people and businesses are finding themselves being caught out. Yet with a little thought and education the risk of being caught out can be greatly minimized.

The good news is that businesses are taking steps to overcome these issues, such as user education and system security. In the next release of Internet Explorer (Version 7 which is now in beta testing) there are added security features which include anti-phishing.

Dan's Blog
