Phishing - Online fraud

Phishing (pronounced "fishing") is the act of sending an e-mail to a user claiming to be an established, well known company, or government organization in an attempt to scam the user into divulging private information that will be used for identity theft.

The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords, credit card numbers, social security numbers, and bank account numbers, which the legitimate organization should already have.

The Web site is set up only to steal the user's information. This can also be done with the use of pop-up ads or sites that rely on mistyped URLs to fool the user into believing that they are actually viewing content by a reputable company.

Phishing is also referred to as brand spoofing or carding and is a variation on the word "fishing". The premise is that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted or fooled into biting.

"Phishing" is a hackers' term that comes from the scam's parallels with fishing, with the fake emails and website acting as the "bait", and the victims' accounts as the netted "phish". Phishing is done by spamming out authentic-looking emails that claim to come from a well-known financial or e-commerce institution such as Citibank, PayPal, e-Bay or America Online.

These emails contain different messages, but usually follow the same formula: the recipient is asked to click on a link contained within the message, taking them to what appears to be a legitimate website. In fact, the website is a clever forgery, often virtually indistinguishable from the real thing.



An increasingly complex security threat

Phishing represents one aspect of the increasingly complex and converging security threats facing businesses today. The methods used by spammers have become more sophisticated, and spam is now increasingly combined with malware and used as a tool for online fraud or theft, or to propagate malicious code.

One example of phishers using malicious code is the remote installation of Trojan horses on users' computers without their knowledge. The Trojans ran in the background, monitored the users' login details when they visited certain online banking sites, and secretly passed the information on to thieves.

This is also an example of phishing without a forged website: all that is needed is a spam email which attempts to install the malicious code secretly.

Another phishing technique involved using a secretly installed Trojan to redirect an affected user's internet browser to a phishing site, even when the legitimate URL of the online bank was typed into the address bar.

The phishing threat is increasing rapidly. Phishing is a form of internet scam in which the attackers try to trick consumers into divulging sensitive personal information. The techniques usually involve fraudulent e-mail and web sites that impersonate legitimate e-mail and web sites. Phishing can be considered a combined threat, part of a fast-changing and increasingly complex threat environment facing networks, and can encompass spam and various kinds of malware. However, it is a threat to businesses in its own right. Although phishing generally targets consumers, smaller businesses may be at risk, particularly where the corporate accounts are controlled by one or two people who may not have a great deal of technical knowledge.

Larger organizations are not as likely to fall victim to an email scam, but it is clearly preferable for employees to be protected from fraud attempts arriving in their inboxes via the corporate network. It is therefore important that businesses use an integrated, robust solution to defend their email gateway from spam such as phishing attacks and the many other varieties of email-borne security threat.



Phishing targets and the broad range of companies spoofed…

Although many types of Web sites such as retail and Internet Service Providers are spoofed, the major target is the financial sector. Some major institutions targeted are:

Citibank
U.S. Bank
Paypal
Visa
AOL
Nationwide
Chase
MSN
Yahoo
While spoofing or forging an e-mail's header is the primary method of deployment, social engineering is also used to gain the trust of the user. In this context, social engineering includes using genuine email domains that look similar to the trusted company's domain.
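The lookalike-domain trick described above can be checked for mechanically at a mail gateway or in a browser plug-in. The following is an added example, not code from the original article or from Sophos; the trusted-domain list and the homoglyph substitutions are assumptions chosen for illustration, and the registrable-label logic is deliberately simplified (no public-suffix list).

```python
# Constructed list of domains the organisation actually trusts (assumption).
TRUSTED_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}

# Common character substitutions seen in lookalike domains (assumed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("5", "s")]


def normalise(label):
    """Undo simple visual substitutions so 'paypa1' compares as 'paypal'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    """Second-level label only; a real deployment would use the public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_domain(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike:<brand domain>' or 'unrelated' for a hostname."""
    host = host.lower().strip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    label = registrable_label(host)
    for t in sorted(trusted):
        brand = registrable_label(t)
        # Flag either embedding of the brand name anywhere in the host
        # ("secure-paypal-login.com", "paypal.com.evil.test") or a name
        # within one edit of the brand once homoglyphs are normalised.
        if brand in host or edit_distance(normalise(label), brand) <= 1:
            return "lookalike:" + t
    return "unrelated"
```

Treat "lookalike" as a reason to warn the user or quarantine the message rather than to block outright, since the heuristic will occasionally flag an innocent domain that merely contains a brand name.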

The victims…

Studies show that up to 5% of computer users who have received malicious email from phishers have partly or fully submitted the requested personal information. The phisher can then use this data to commit online fraud, duplicate actual bank cards, produce fake documentation such as Social Security cards and driver's licenses, and even combine this data to set up a new phishing scam using the person's identity.

We suggest these tips to help you avoid getting hooked by a phishing scam:

Be suspicious of any email with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately.

If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don't ask for this type of information via email. If you are concerned about your account, contact the organization using a telephone number you know to be genuine, or open a new Internet browser window and type in the company's correct Web address.

Never email personal or financial information. Email is not a secure method of transmitting personal information. If you initiate an online transaction and want to provide your personal or financial information through an organization's Web site, look for indicators that the site is secure, like a lock icon in the browser's status bar or a URL for a Web site that begins "https:" (the "s" stands for "secure"). Unfortunately, no indicator is foolproof: some phishers have been able to forge security icons.

Review your credit card and bank account statements promptly to determine if there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

Use anti-Spyware/Adware software and keep it up to date. Some phishing emails contain software that can track your activities on the Internet without your knowledge.

Use a firewall. A firewall blocks unsolicited communications from unauthorized sources, so your computer is much harder to find and reach from the Internet. It's especially important to run a firewall if you have a broadband connection. Finally, your operating system may offer free software "patches" to close holes in the system that hackers or phishers could exploit.

Be cautious about opening any attachment or downloading any files from any Email you receive, regardless of who sent them.

Keeping computers secure

The threat of Trojans being used in phishing attacks raises the possibility of a "backdoor" being opened to allow attackers access to the affected computer or network. To combat this, installing a personal firewall will provide some measure of protection.

Keeping operating systems up to date with the latest security patches is also important in countering some of the phishing tricks already described, such as disguising headers and URLs. However, firewalls and patches will not stop users entering their details onto a forged site if they have been duped, and will not protect against the discovery by phishers of any further vulnerabilities in the future.

Using sender-authentication technologies may also help reduce the effect of phishing attacks. One such method is Sender Policy Framework (SPF). Under SPF, organizations publish lists of servers which are allowed to send emails on their behalf. Any email which claims to come from an organization but does not originate from a server on its "approved" list can therefore be rejected.

While SPF and other sender authentication technologies are fairly new, they have the potential to make phishing far more difficult since, in theory at least, phishers will only be able to send their spam from "unapproved" domains. The challenge with authentication alone is that while a recipient may be able to verify that a sender's address is not spoofed, the recipient also needs to know whether they actually trust messages from that domain, and that it is not, for example, used by a known spammer.
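To make the SPF mechanism and its limitation concrete, here is an added example (not code from the article or from Sophos) of a simplified SPF check as a receiving gateway would perform it. The SPF records are constructed stand-ins for DNS TXT lookups, only the ip4:, include: and all mechanisms are handled, and the trusted-domain list is an assumption; the final decision deliberately separates "SPF pass" from "domain is trusted".

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumed data,
# not the real records of any organisation).
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.example-bank.test -all",
    "mailer.example-bank.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifier prefixes and the result each one yields on a match.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a simplified SPF policy for the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record)
    or 'permerror' (include: chain too deep)."""
    if depth > 10:
        return "permerror"           # guard against include: loops
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"              # an unqualified mechanism means "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULTS[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[8:], sender_ip, records, depth + 1) == "pass":
                return RESULTS[qualifier]
        elif term == "all":
            return RESULTS[qualifier]
    return "neutral"                 # record exhausted without a match


def gateway_action(mail_from, client_ip, trusted_domains, records=SPF_RECORDS):
    """Combine the SPF verdict with a separate trust decision (see text)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(domain, client_ip, records)
    if result == "fail":
        return "reject"              # server not on the domain's approved list
    if result == "softfail":
        return "quarantine"
    # An SPF pass only proves the server is authorised by the domain; whether
    # the domain itself deserves trust is a policy decision made here.
    if result == "pass" and domain in trusted_domains:
        return "deliver"
    return "flag"                    # pass from an untrusted domain, none, etc.
```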

Resources: Sophos
