Monday, June 30, 2008

Don't be phooled by phishing

I got an email on Friday which went: "From HSBC. Dear Sir, We have detected fraudulent charges on your credit card. Please verify your account information by clicking the following link." Looks familiar? This was one of a thousand "phishing" scams going on as you read this article.

Phishing, a deliberate twist on "fishing", is a very simple scam. Scammers throw out a net, using email, luring as many fish as they can. Those who fall for it soon become victims of fraud.

How does phishing work? An email arrives claiming account suspension, fraudulent charges, scheduled maintenance or even refunded charges - anything to warrant your attention. You are requested to "verify your account" by clicking a website link in the email. The website is fake, dressed up to look identical to an e-banking website. You naively submit your account number, password, birthdate, security code, etc. and the site says "Your account is verified". You have just been caught. In seconds, your account information will be traded for cash through underground Internet channels.

Last year, almost 30,000 phishing incidents were reported every month! Phishing websites last for a day or two, enough to ensnare millions. Most emails target financial organizations. A few target eBay, PayPal and Google AdSense. Others offer free software - screen savers, smiley icons, e-greetings - which installs viruses that monitor every keystroke.

Phishing is a psychological attack. It succeeds because we trust electronic media without verification. Here are some simple tips on how not to get phished:

1. Do not click on website links in emails. If unsure, call your bank or card company about what the email says.

2. Phishing is not limited to just email. Voice phishing, via phone calls, is on the rise. If you receive a call asking for account information, get the caller's name first and ask for a toll-free number to call back.

3. If you are adventurous, deliberately fill in bogus account information on such websites. If it is accepted, you know you have interacted with a phishing site!

4. Do not rely entirely on anti-phishing browser toolbars. They work for a majority of phishing sites, but newer sites slip through.

5. Certain email providers, such as Gmail, issue phishing warnings. Check whether your email provider offers such services.

Lastly, stay well informed. The Anti-Phishing Working Group (APWG) has reports on the latest phishing activities, vigilance tips and self-help resources for phishing victims too. I hope this helps you avoid the dark alleys of the information superhighway!

Published: Times of India, Ahmedabad, 2-Jul-08
