Sunday 11 May 2008

Phishing for trouble

When you get an e-mail warning of a problem with your account, ignoring it can save you from being conned.


Once you are in the phisher’s net, he or she tricks you into giving away valuable information. — Filepic


There is an old Father Brown story that tells of how master thief Flambeau repaints the doors and gates along an entire street in order to fool a messenger into delivering a valuable parcel to his house instead of to the proper address on the next road. Today’s thieves are still pulling the same scam – but online.

Phishers (pronounced “fishers”) create websites that look just like the one from your bank, online bookstore, or other familiar destinations. They then get you to visit their fake website by sending you an e-mail, SMS, or instant message that contains a link.

If they are imitating your bank, the link will have your bank’s name in it. If they are imitating your favourite betting portal, it will look like the proper address.

If you click on it, you are transported to the fake website, set up to look familiar.

Once you are in the phisher’s net, he or she will trick you into giving away valuable information.

If the phisher is local, they may trick you into giving up your bank account number and ATM password. By the time you realise what’s happened, they’ve raided your bank account.

If the phisher prefers the anonymity of plastic cash, they may imitate an online shop to get you to place an order with your credit card. When you fill out the form to take advantage of that “bargain”, they capture your name, address and credit card details.

The phisher can now go on a spending spree – and have you pay the bill!

Finding yourself broke and in debt isn’t the worst that can happen either. Criminal organisations look to get as much information as they can from you so they can fake your identity. Selling these details to illegal immigrants, crooks and even terrorists is big business.

UK citizen Simon Bunce was arrested four years ago after an ID fraudster used his credit card details on a child porn website. Fortunately, Bunce could prove that someone in Indonesia was using his credit card details in Jakarta at a time he was in the UK.

But because it took months for these details to be discovered, he lost his job and was ostracised by family and friends.

Phishing was first reported way back in 1987 but the term is only now becoming generally understood, thanks to the booming popularity of the Net for banking, shopping and other transactions.

PayPal announced it blocked 50 million phishing-related e-mails between Oct 2007 and April this year, but nobody knows exactly how big the problem is.

Reporting is complicated as phishers work across borders, and many victims never connect their online activities with subsequent problems, like their bank accounts being raided or their passports being faked.

In addition, fraud is now so common that companies and law enforcement agencies in many countries don’t even bother following up on what they consider “small cases”.


Spotting the phisher

Typical phishing messages have subject lines that spell trouble, such as: “Your eBay account suspended”, “Billing issues” and “Payment problem notification”. A message looks something like this:


Dear Member,

This e-mail was sent by our bank server to verify your e-mail address. You must complete this process by clicking on the link below and entering in the small window your bank ATM/Debit Card number and PIN that you use on ATM.

This is done for your protection - because some of our members no longer have access to their e-mail addresses and we must verify it.

To verify your e-mail address and access your bank account, click on the link below:


Phishers often imitate banks, eBay and PayPal: any group that will have your personal and banking details.

But there is no limit as to who they will impersonate.

In Australia in April this year, phishers used the name of the New South Wales Police Force’s fraud squad commander to con citizens into believing they were being targeted by identity theft rings. The victims who fell into the trap handed their bank account details to “the commander”.

Phishing doesn’t just happen online either. As telephone systems connect to databases, thieves take advantage of auto diallers and computer software to sweep whole districts for victims.

A popular scam starts with an automated phone call, where a “court officer” claims you are required to testify in a fraud/theft/money laundering investigation.

If you have a question, the recorded message states, you should press 0 and ask the operator for assistance.

Understandably, many people panic at this point and follow the instruction. They are then transferred to a “call centre” where a “court officer” demands their name, address, IC number, bank account details… every little personal detail the phisher can use to fake your credit card, bank book, passport and other important paperwork.

So what can you do to protect yourself?

Here are some general tips to keep in mind:

  • Think twice before handing out your IC number, passport or bank details – online and offline. Ask where this information will be stored and who will be sharing it.
  • If you receive e-mail, an SMS or a phone call asking for personal or financial information, confirm it is legitimate with a phone call to the bank or a personal visit to the offices.
  • Companies rely on e-mail to answer customer questions, send you adverts or information about promotions, but they will never ask you for account or personal information via e-mail. They know it’s too risky.
  • Spoof e-mail usually contains dire warnings to make you panic.
  • Never use a link in an e-mail, SMS, or instant message to get to your bank, eBay page etc. Go to the site by using your browser.
  • If you bank or shop online, keep a close eye on your account. Report unusual activity immediately.
  • Most false e-mail messages are addressed to the general public. Some may contain your user name, the bit that appears before the @ in your e-mail address, but they seldom contain your real name.
  • The golden rule: only give out sensitive information online when a secure transaction is offered. Never send sensitive information via e-mail, SMS etc!

The bottom line is to be super-cautious. If in doubt, follow your gut feeling and say no!


About secure transactions

When data is sent from one computer to another on the Internet, every other computer in between has an opportunity to see what’s being sent.

So when you give out sensitive information online like your IC or credit card number, check that you are offered a secure transaction.

Secure transaction sites use encryption software to scramble your personal information. This means nobody can read it except for the proper recipient.

(Note: Most online companies like Air Asia and Amazon.com let banks and other professional security bodies handle their online transactions so they don’t actually see your credit card information at any stage. All they get is confirmation that you have made the payment.)

When you are offered a secure transaction, you’ll get a pop-up notice in your browser. When you click through, an icon of a padlock and key will appear in the browser window. If the padlock is closed, it means the page is protected. But if the lock is open or broken, it means any information you give is not protected.

After you have filled out the form, always print out a copy of your order and confirmation number for your records.
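The warning signs listed above (the generic “Dear Member” greeting, dire wording in the subject line, a request for a PIN or card number, a link that merely contains the bank’s name, and a link that is not a secure https transaction) can be turned into a small checker. The script below is an added example written for this page, not something from the article or from any bank; the trusted-domain list, the crude “last two labels” domain rule and the two sample messages are all constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains the reader really does business with (assumption, not from the article).
TRUSTED_DOMAINS = {"mybank.example", "ebay.com", "paypal.com"}

# Wording the article lists as typical of phishing subject lines and bodies.
URGENCY_WORDS = ("suspended", "verify", "billing issue", "payment problem", "immediately")
# Secrets the article says a real company never asks for by e-mail.
SECRET_REQUESTS = ("pin", "atm", "password", "card number")

# Rough test for "this link text looks like an address", so hosts are only compared when it does.
_HOSTLIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}\S*", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def owning_domain(host):
    """Crude 'last two labels' owner of a host name (assumption: no public-suffix list used)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_findings(href, text):
    """Apply the article's link advice: the bank's name in an address is not the bank's address."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    owner = owning_domain(host)
    if parsed.scheme != "https":
        findings.append(f"link is not a secure (https) transaction: {href}")
    if owner not in TRUSTED_DOMAINS:
        # A familiar name buried inside a stranger's host, e.g. mybank.example.attacker.test
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted.split(".")[0] in host and owner != trusted:
                findings.append(f"familiar name '{trusted}' inside untrusted host '{host}'")
        # The visible text shows one address while the link really goes somewhere else
        if _HOSTLIKE.fullmatch(text):
            shown = text if "://" in text else "https://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host and owning_domain(shown_host) != owner:
                findings.append(f"link text '{text}' but target host is '{host}'")
    return findings


def score_message(subject, body_html):
    """Return the list of warning signs found; an empty list means none of the checks fired."""
    findings = []
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()
    subj = subject.lower()
    if re.search(r"\bdear (member|customer|user)\b", plain):
        findings.append("generic greeting instead of your real name")
    panic = [w for w in URGENCY_WORDS if w in subj or w in plain]
    if panic:
        findings.append("dire-warning wording: " + ", ".join(panic))
    secrets = [w for w in SECRET_REQUESTS if re.search(r"\b" + re.escape(w) + r"\b", plain)]
    if secrets:
        findings.append("asks for secrets by e-mail: " + ", ".join(secrets))
    extractor = _LinkExtractor()
    extractor.feed(body_html)
    for href, text in extractor.links:
        findings.extend(link_findings(href, text))
    return findings


# Constructed sample messages (not real mail): one modelled on the article's example, one benign.
PHISH_SUBJECT = "Your account suspended - payment problem notification"
PHISH_BODY = (
    "<p>Dear Member,</p>"
    "<p>This e-mail was sent by our bank server to verify your e-mail address. You must "
    "complete this process by clicking on the link below and entering your bank ATM/Debit "
    "Card number and PIN.</p>"
    '<p><a href="http://mybank.example.verify-login.test/atm">https://www.mybank.example/secure</a></p>'
)
LEGIT_SUBJECT = "Your April statement is ready"
LEGIT_BODY = (
    "<p>Hello Maria,</p>"
    '<p>Your statement is available when you log in at <a href="https://www.mybank.example/statements">www.mybank.example</a>.</p>'
)

if __name__ == "__main__":
    for name, subject, body in (("phish", PHISH_SUBJECT, PHISH_BODY), ("legit", LEGIT_SUBJECT, LEGIT_BODY)):
        print(name, score_message(subject, body))
```

Running it lists six findings for the constructed phishing message and none for the benign statement notice. The checks are deliberately the article’s own rules of thumb, so a message that passes them all is not proven genuine; the advice to reach the bank through your own browser or a phone call still applies.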


Report it!

Report suspicious, malicious or criminal activity online and learn more about online scams and problems plaguing users in Malaysia by visiting MyCERT:

Malaysian Computer Emergency Response Team (MyCERT)
CyberSecurity Malaysia
Level 7, SAPURA@MINES
7, Jalan Tasik
The Mines Resort City
43300 Seri Kembangan
Selangor, Malaysia
http://www.mycert.org.my
Tel: (03) 8992 6969 or 019-266 5850 (24/7 call incident reporting)
SMS: 019-281 3801 (24/7 SMS reporting)
Fax: (03) 8945 3442 (monitored during business hours)
E-mail: mycert@mycert.org.my


Useful web sites

Get Safe Online http://www.getsafeonline.org

– A UK consumer organisation offering tips on how to keep your PC, your personal data and your family safe while enjoying the bounties online.

Anti-Phishing.org http://www.anti-phishing.org

– Explains why those fake e-mails look so good and offers a list of well-known phishing exploits.



Stories by MARIA DANIEL
Saturday May 10, 2008
http://thestar.com.my/lifestyle/story.asp?file=/2008/5/10/lifefocus/21158592&sec=lifefocus
