Identity Phishing and Computer Security

By: Charly Leetham


Let's start with the basics.

Personal Information

This is information that allows an organisation to identify you, as you. You know that when you contact the bank, your insurance company or just about anyone that has personal information about you, you are required to prove your identity.

This process of proof generally comprises you being able to supply your Name; Date of Birth; and Address.

On Websites, the proof of identity is typically easier, requiring you to know your USER ID and Password.

Forget your Password or UserId?

I do all the time! In this day and age, I have to keep tens of user IDs and passwords and I don't mind admitting that I forget one or two of them from time to time.

For most sites, this isn't an issue. I simply request a password reminder and it is provided to my registered email address.

My logins to Financial Institutions are not that easy to retrieve. I'm required to contact the Call Centre, prove my identity and then the Bank will reset my password. eBay and PayPal have a similar process, conducted online.

So what happens when someone else can provide this information? They could well gain access to my personal and private information, or even my financial information.

Rest assured! Most organisations have a multi-layered system and posing as someone else is becoming increasingly difficult - but that doesn't mean people won't try.

How do these people get this information?

Phishing (pronounced Fishing) is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as user names, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.

Have you ever received an email requesting that you visit a familiar website and update your personal information? I can almost guarantee that, if you are online and have an email address, you have received at least one email telling you that you need to confirm your online banking details!

When you visit the website, it needs you to verify or update your passwords, credit card numbers, social security number, or even your bank account number.

You recognise the business name as one that you’ve conducted business with in the past. So, you click on the convenient “take me there” link in the email and proceed to provide all the information they have requested. Unfortunately, you find out much later that the website is bogus. It was created with the sole intent to steal your personal information. You have just been “phished”.

"Phishers" will then use this information to gain access to your personal accounts, typically through the forgotten-password process described above, and exploit them.

Can you identify a "Phishing" attempt and how can you protect yourself?

Firstly, it is not always easy to identify a "phishing" attempt. If you are "phished" - don't beat yourself up too much, it can happen easily.

Let's examine Email "Phishing":

"Phishing" emails are incredibly professional and, when placed side by side with an email from the legitimate organisation, look 100% identical. That's because these people actually use the graphics and other material from the real organisation's web page.

It is very easy to set the "From" address in an email to something other than the address it is really sent from. E.g. my sending email address may really be [email protected]; however, I can easily configure my email client to show the sending address as [email protected]. When you receive the email from me, you could not tell from the "From" address that it was sent by me.

The clickable link within the email also appears to take you to the correct site, when in fact it takes you to a fraudulent site. In a lot of cases, the fraudulent site will also download some "malware" to your computer which generally monitors your web usage and, in some cases, logs keystrokes and sends them back to the "phishers". Keystroke-logging "malware" is dangerous - it can capture passwords and user IDs and leave you open to even more exploitation.

Many of these people are professional criminals. They have spent a lot of time in creating emails that look authentic. Users need to review all emails requesting personal information carefully. When reviewing your email remember that the "From Field" can be easily changed by the sender. While it may look like it is coming from an address that you do business with, looks can be deceiving.
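The two tell-tale signs described above (a "From" address that does not match where the mail really came from, and a link whose visible text shows one site while it points at another) can both be checked mechanically. The following is an added example, not code from the article or its author: a small Python script that parses a constructed phishing-style message and a constructed clean message (all domain names, addresses and link text are invented for illustration) and reports the mismatches a cautious reader would look for. It compares the "From" domain with the "Return-Path" domain and compares each link's displayed hostname with the hostname it actually targets.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages. Every domain, address and link here is invented
# for this example; none of them belongs to any real organisation.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.example>
Return-Path: <bounce@mailer-9182.example>
Subject: Please confirm your online banking details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please confirm your details:</p>
<p><a href="http://examplebank.example-login.test/verify">https://www.examplebank.example/secure</a></p>
<p><a href="https://www.examplebank.example/help">Help centre</a></p>
</body></html>
"""

CLEAN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
Return-Path: <bounce@examplebank.example>
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.examplebank.example/help">Help centre</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two DNS labels.
    A real tool would use a public-suffix list; this is enough for the demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def address_domain(header_value):
    """Domain part of the address in a From/Return-Path header."""
    _, address = parseaddr(str(header_value))
    return address.rpartition("@")[2].lower()


def link_host_from_text(text):
    """If the visible link text looks like a URL or hostname, return its host, else None."""
    if " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def analyse_message(raw):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = address_domain(msg["From"] or "")
    return_path = msg["Return-Path"]
    if return_path:
        rp_domain = address_domain(return_path)
        if registrable_domain(rp_domain) != registrable_domain(from_domain):
            findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        href_host = urlparse(href).hostname
        if not href_host:
            continue  # mailto:, relative links and the like carry no host to compare
        shown_host = link_host_from_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host} but points to {href_host}")
        elif registrable_domain(href_host) != registrable_domain(from_domain):
            findings.append(f"link to {href_host} is outside sender domain {from_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse_message(raw) or ["no findings"])
```

The script reports two findings for the constructed phishing-style message (the Return-Path mismatch and the disguised link) and none for the clean one. The domain comparison deliberately works on the registrable domain rather than the full hostname, so a legitimate `www.` versus bare-domain difference does not raise a false alarm; the trade-off is that a fake site registered under a look-alike second-level domain is only caught when its registrable domain differs, which is exactly the case the article describes.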

So what can you do? Here are some guidelines to follow when you receive an email requesting information:

1. NEVER click on the links within the email. If necessary, write the address provided down and manually enter it in your browser window.

2. If necessary, contact the organisation directly and ask if they requested that information.

3. Check the organisation's security policy online. This will define how information will be requested, etc.

4. Make sure your AntiVirus and AntiSpyware software is up to date.

5. If in doubt, DO NOTHING with the Email.

What about Phone "Phishing"?

With phone calls, you should always ask the caller to identify themselves. Ask them to provide the company name and their own name or an operator number. If you are concerned, ask for a phone number that you can call them back on.

Find the organisation they say they are representing in the phone book and contact them directly. Ask if they are conducting a campaign.

On a final note, I really object to being contacted by an organisation and then being asked to provide personal information, so they can confirm that they are speaking to the right person. What about my right to determine they are who they say they are? After all, they've called my phone number...

Unfortunately, there appears to be no process for the authentication to be two way. I generally request a Reference ID and a return contact number. I then confirm the return contact number against the details that I maintain and call them back. If they are unwilling to provide this type of information, I request they put their concern or offer in writing to me. If they are who they say they are, they will have my mailing address.

In conclusion, Identity Theft is a real thing. "Phishing" is a common means of gaining someone's personal information in order to masquerade as that person - generally for exploitation.

Article Directory: http://www.articletrunk.com


About the author: Charly Leetham has worked for over 20 years in the IT industry, specifically in the area of data communications and local area networking. Charly is a qualified "tech", holding an Associate Diploma in Electronics Engineering. Her experience with Personal Computers ranges from building computers to providing 2nd level user support. Charly also holds a Masters of Business Admin (MBA), specialising in Internet Marketing. For
