Tackling Phishing Attacks


What is phishing?

Phishing is the fraudulent practice of obtaining personal or private information such as credit card details and passwords by deceit and social engineering (i.e. gaining information through innocuous informal conversations), and then using that information to perpetrate financial fraud, for example using credit card details to shop online or emptying the unsuspecting victim’s bank accounts.

In a typical phishing attack the victim gets a seemingly legitimate e-mail luring them to a spoofed website (i.e. a website which is not what it appears to be; for example, it could look similar to the user’s online bank but is in reality a site hosted by someone with malicious intent), where they are advised to log in with their user-id and password and to reveal other sensitive information such as credit card number or PIN. Most of these mails throw bait to the unsuspecting victim, such as promising a free gift or a one-time waiver of fees, or threaten them with events like their user-id being deactivated unless they key in certain information.

A phishing attack has to reach a user’s computer in one of three identified ways:

  • E-mail: In most cases, mass mailing is used, thereby adding the negative effects associated with spam to the problem of phishing.

  • Specially-crafted websites: Most common are banners advertising a bank that actually point to a carefully crafted but fake website.

  • IRC (Internet Relay Chat) or instant messaging.

How can we avoid being victims of such attacks?

The most important thing to bear in mind to avoid becoming a victim of a phishing attack is to be cautious and wary of any type of communication that asks for personal data. A few do's and don'ts can go a long way in preventing, or at least reducing the impact of, such attacks.


Do's:

  • If in doubt over any e-mail received which appears to be a phishing message, the best thing to do is always to contact the bank in question and verify its legitimacy.

  • Look for website seal approvals (Verisign, BBBOnline, TRUSTe, PwC Better Web, CPA WebTrust, Clicksure, etc.) and click the seal to verify the site’s authenticity.

  • Carefully look at the URL to make sure that one is not transacting on an imposter’s site.

  • Be cautious of sites that display an IP address and not a domain name.

  • Before sending the information, verify that the connection is ‘secure’ (the address bar should start with https://… instead of http://…). Look for the SSL lock at the bottom of the browser.

  • Check the Digital Certificate wherever applicable.

  • Install and regularly update anti-virus software.

  • Regularly check your online accounts/ statements to ensure that all transactions are legitimate.


Don'ts:

  • Do not open unknown email attachments; save the file to hard disk, disconnect the internet connection, scan it for viruses, and then open it.

  • Never download screen savers, wallpapers, images, jokes, etc. from untrusted sources, even if they are appealing.

  • Never provide any personal information like passwords, PIN, credit/debit card information etc. to any entity in response to any e-mail request.

  • Never click on any hyperlink (‘Click here’ option) provided in any e-mail. Instead, open the website by typing the correct URL in the address bar.

  • Do not fill out forms in email messages that ask for personal financial information.

  • Do not do your banking or other sensitive transactions from a cyber cafe.


  1. Some Fraudulent E-Mail messages

    Don’t forget to trust your instincts. If an e-mail message looks suspicious, it probably is. The following are a few phrases to watch for in an e-mail:
  • “Dear Valued Customer” - Phishing e-mail messages are usually sent out in bulk and do not contain your first or last name.
     

  • “If you don’t respond within 24/48 hours, your account will be closed” - Phishing e-mail messages try to scare the customer into divulging personal financial information.

  • “Verify your Account” - The bank will not ask customers to send passwords, login names or other personal information through e-mail for verification of their accounts.

  • “Easy Money E-Mail hoax” - E-mails requesting the customer to fill in a form containing personal financial information to enable transfer of money.

  1. Be wary of fake Internet Banking sites

    Another common technique that phishers use is a URL in a phishing mail that at first glance appears to be the name of the bank's internet banking site but is slightly altered by intentionally adding, omitting or transposing letters. Our bank’s Internet Banking site, which is sbbjonline.com, could be deceptively written as onlinesbbj.com. Other ways to disguise URLs include substituting similar-looking characters. A zero can be substituted for the letter O within a URL: sbbjonline.com could be written as sbbj0nline.com in a false link by a phisher (note the zero used instead of the letter O). Similarly, the digit 1 can be substituted for the letter I within a URL. If a customer suspects the message is not authentic, he should immediately call the bank on the telephone, or log onto the bank’s website by typing the Web address (www.sbbjonline.com) in the browser’s address bar.

  1. Avoid using the ‘Click Here’ option provided in an e-mail to go to a web page, especially if the e-mail message looks suspicious. Instead, type the correct URL in the browser’s address bar to avoid going to a fake website.
     

  2. Always use a secure website when submitting an account number, password, credit card/debit card number or other sensitive information via a Web browser. Look for the SSL lock at the bottom of the browser and check the beginning of the Web address in the browser’s address bar - it should be "https://" rather than just "http://".
     

  3. Regularly check your online accounts/ statements to ensure that all transactions are legitimate.

Follow the above precautions and keep off a Phisher’s hook.
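
The URL checks described above (https, IP address instead of a domain name, and look-alike spellings of sbbjonline.com) can also be automated, for example in a mail filter. The following is an added example, not code from the bank; the function names, the warning labels and the edit-distance threshold of 2 are assumptions, and only sbbjonline.com and www.sbbjonline.com are treated as genuine.

```python
import ipaddress
from urllib.parse import urlsplit

LEGIT = "sbbjonline.com"                # the bank's Internet Banking domain, from the page
LOOKALIKES = str.maketrans("01", "oi")  # digit-for-letter swaps described on the page

def osa_distance(a, b):
    """Edit distance where add, omit, substitute and adjacent-transpose each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed pair
    return d[len(a)][len(b)]

def check_url(url):
    """Return a list of warnings for a link; an empty list means no red flag."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    try:
        ipaddress.ip_address(host)      # raises ValueError for a domain name
        return warnings + ["ip-address-host"]
    except ValueError:
        pass
    if host.startswith("www."):
        host = host[4:]
    if host == LEGIT:
        return warnings
    if host.translate(LOOKALIKES) == LEGIT:
        warnings.append("lookalike-characters")
    elif osa_distance(host, LEGIT) <= 2:   # assumed threshold for "slightly altered"
        warnings.append("letters-added-omitted-or-transposed")
    elif sorted(host) == sorted(LEGIT):    # same characters, reordered
        warnings.append("rearranged-name")
    else:
        warnings.append("unrelated-domain")
    return warnings
```
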

Do report Phishing Mails: An exclusive e-mail id, "phishingalert@sbbj.co.in", has been created by the bank to enable customers to report e-banking related suspicious e-mails. This e-mail id is monitored regularly for incoming messages. Please report any incident of "Phishing" attacks to this e-mail address and also to the Branch Manager of your parent branch. It would enable the bank to take prompt remedial measures to block phishing attempts.

 

 

SECURITY NOTE: Browsers that support 128-bit encryption are required to access SBBJ Online.


Copyright © 2006 All rights reserved.