24 Jan 2011

How to avoid being phished.

Yes, I spelt that right. Phishing is actually a word :-) Internet-based banking has led to a substantial increase in internet-based fraud. One popular method of extracting your private internet banking details is “phishing” by email. Here’s a walkthrough of what such an attempt looks like. The idea is to learn to spot such attempts and remain safe.

To begin with, according to Webopedia, phishing is:

The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

Phishing usually starts with a simple-looking email. Like the one shown below, it sometimes comes with an alarming subject line! It relies on you panicking so that you act without thinking. This is exactly what you need to avoid.

[Screenshot: Phishing_1]

Let’s carefully examine the above email. It is not what it seems to be. To begin with, official emails will usually address you by name. Secondly, for things like accounts being locked, it’s common practice for banks to ask a customer to call their telephone lines. These two points alone should be enough to raise your suspicion.

But this is a techie blog, so here’s how technology comes to your rescue. A little-known fact about most modern web browsers is that if you hover your mouse over a link (i.e. hold it over one without clicking it), you will see the actual URL (a more precise term for a website link) that it points to. The first sign of suspicious activity is when, as in the above example, the URL does not start with http://www.hsbc.co.uk, which is the well-known address of the bank in the example, HSBC.

If you go ahead and click it (which is not usually a good idea), what you see on the screen will be nearly identical to the original website. The sign that should make you suspicious is that the URL in the address bar does not start with or contain the bank’s original website address, hsbc.co.uk.
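The URL check described above can be made mechanical. The script below is an added example, not code from the original post: it pulls every link out of a constructed HTML email body and flags any whose host is not hsbc.co.uk (or a subdomain of it) over https. It deliberately compares the host rather than looking for the bank’s name as a substring, which is stricter than the “contains” test above, because a lookalike host or a path can contain the name without belonging to the bank. The sample email, its hosts and the EXPECTED_DOMAIN constant are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for this example: the domain the email claims to come from.
EXPECTED_DOMAIN = "hsbc.co.uk"


class LinkExtractor(HTMLParser):
    """Collects (href, visible link text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only collect text inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(url, domain):
    """True only if the URL uses https and its host is `domain` or a subdomain of it.
    Substring matching is avoided on purpose: 'hsbc.co.uk.example' and
    'example.net/hsbc.co.uk' both contain the bank's name but are not its site."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, domain=EXPECTED_DOMAIN):
    """Return the (href, text) pairs that do not lead to `domain` over https."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return [(href, text) for href, text in parser.links
            if not host_belongs_to(href, domain)]


# Constructed sample email body; the hosts are illustrative placeholders.
SAMPLE_EMAIL = """
<p>Dear Customer, your account has been locked.</p>
<a href="http://www.hsbc.co.uk.account-verify.example/login">www.hsbc.co.uk</a>
<a href="https://www.example.net/hsbc.co.uk/secure">Secure login</a>
<a href="https://www.hsbc.co.uk/contact">Contact us</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_EMAIL):
        print(f"suspicious: '{text}' points to {href}")
```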

Click on the little icon next to the URL to view the security information for this website (again, a very useful feature offered by most modern web browsers). Not very surprisingly, there is no security information present.

[Screenshot: Phishing_2]

The screenshot below shows an example of what this would actually look like for an authentic bank website.

[Screenshot: Phishing_3]

The “certificate of authenticity” shown above is the easiest and a fool-proof way of identifying the authentic websites of almost all good organizations on the internet. Check for it the next time you visit the website of your bank, utility company, your email account or pretty much any other important company.

So, in summary, here are a few tips:

  1. If you have an email that looks alarming, don’t panic. Keeping a cool head will go a long way in helping you stay protected.
  2. Make sure you have a fairly modern browser. These come equipped with the more recent security measures. I highly recommend ones like Mozilla Firefox, Google Chrome and Opera, in no particular order. But there are many more out there.
  3. Ensure that the first part of the URL starts with https:// (the “s” at the end stands for secure). An important fact is that most modern web-based services will have a “secure” equivalent. For example, http://www.gmail.com can be substituted with https://www.gmail.com (note the change in the first part) and will work exactly the same. For Firefox users, get the add-on called HTTPS Everywhere, which will automatically switch you to the secure URL.
  4. Even if you do feel compelled by the content of the email you have received, contact the organization by phone to verify its contents.

Oh, and what about the email that started this all? Deleting it would be the easy thing to do. But help out by reporting such emails. Gmail, for example, has an option to report such “phishing” attempts with an extra click. See the screenshot below.

[Screenshot: Phishing_4]

Most good organizations will have a phishing@ email address (for example, phishing@hsbc.com) to which you can forward such emails, helping their security teams act on such websites.

I hope this post was useful to you. Do you have any other tips that you can share with me? I’d love to read them. Please put them in the comment box below this post.

Please also feel free to point out any mistakes or ask questions.

Here are some useful links and further reading: