You may be a Victim of Phishing (Part 2)
How to protect yourself from Phishing
- Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate companies don't ask for this information via email or text. The messages may appear to be from organizations you do business with – banks, for example. They might threaten to close your account or take other action if you don’t respond. Don’t reply, and don’t click on links or call phone numbers provided in the message, either. These messages direct you to spoof sites – sites that look real but whose purpose is to steal your information so a scammer can run up bills or commit crimes in your name.
- Area codes can mislead, too. Some scammers ask you to call a phone number to update your account or access a "refund." But a local area code doesn’t guarantee that the caller is local.
- If you’re concerned about your account or need to reach an organization you do business with, call the number on your financial statements or on the back of your credit card.
- Your bank will never send you emails asking you to divulge any confidential or personal information. You should report such emails to your bank and then discard them. You should never reveal your PIN or OTP to anyone. No bank should ever ask you for your PIN or OTP for any reason.
- Do not click on any link to log on to bank websites or open attachments in emails purportedly sent to you by your bank, credit card company or service provider.
- Always enter the full URL or domain name of your bank or credit card company into your browser address bar. If you are unsure of their web address, contact them for the information.
- Do check your bank's website for more information on Internet security. If you think you have become a victim of a phishing scam, contact your bank immediately.
- Avoid performing online banking using computers in public areas such as cybercafés.
- Remember to log off each time you finish your online banking activities.
- Select passwords that are difficult to guess and change your passwords regularly.
- Don’t click on links within emails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization, or agency they’re impersonating. If you follow the instructions and enter your personal information on the Web site, you’ll deliver it directly into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
- Beware of “pharming.” In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you’re taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
- Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company’s, organization’s, or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
- Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. A spam filter can help reduce the number of phishing emails you get. Anti-virus software, which scans incoming messages for troublesome files, and anti-spyware software, which looks for programs that have been installed on your computer and track your online activities without your knowledge, can protect you against pharming and other techniques that phishers use. Firewalls prevent hackers and unauthorized communications from entering your computer – which is especially important if you have a broadband connection because your computer is open to the Internet whenever it’s turned on. Look for programs that offer automatic updates and take advantage of free patches that manufacturers offer to fix newly discovered problems. Go to OnGuardOnline.gov and StaySafeOnline.org to learn more about how to keep your computer secure.
- Only open email attachments if you’re expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
- Know that phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information. If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information. Legitimate credit card issuers and other companies may contact you if there is an unusual pattern indicating that someone else might be using one of your accounts. But usually they only ask if you made particular transactions; they don’t request your account number or other personal information. Law enforcement agencies might also contact you if you’ve been the victim of fraud. To be on the safe side, ask for the person’s name, the name of the agency or company, the telephone number, and the address. Get the main number from the phone book, the Internet, or directory assistance, then call to find out if the person is legitimate.
- Job seekers should also be careful. Some phishers target people who list themselves on job search sites. Pretending to be potential employers, they ask for your social security number and other personal information. Follow the advice above and verify the person’s identity before providing any personal information.
- Be suspicious if someone contacts you unexpectedly and asks for your personal information. It’s hard to tell whether something is legitimate by looking at an email or a Web site, or talking to someone on the phone. But if you’re contacted out of the blue and asked for your personal information, it’s a warning sign that something is “phishy.” Legitimate companies and agencies don’t operate that way.
- Phishing messages will usually ask you for sensitive, personal information that the organization should already have. For example, if your bank sends you an email asking you to provide your bank account and routing number, it may be a phishing scam.
- Review suspicious emails and text messages for spelling and punctuation errors. In most cases, phishing scams are not proofread before they are sent and contain multiple errors. If the email or text message is coming from a major business or corporation, it is unlikely that an editor will publish spelling and punctuation errors without review.
- Examine the website links and logos in suspicious emails you receive. In some cases, links and logos are masked to look legitimate but may take you to a different website or cause you to download malicious files.
- Refrain from clicking or visiting any unfamiliar links that end with an "exe" extension. "Exe" links may cause you to download malicious software, spyware, or other programs that can steal your personal information.
- Look at the address bar of the website you are visiting to determine whether the address begins with "https" rather than "http". The "https" part of the web address indicates that your connection to the site is encrypted; it does not by itself prove that the site belongs to the organization you intended to reach, so still check the domain name.
- A yellow padlock icon displayed in your browser's window can also help you determine a website's security. Click (or double-click) the padlock icon to verify that a security certificate is displayed on the screen, as some malicious websites show only a picture of a padlock in the page itself.
- Review your bank statements regularly. This will allow you to see if any unauthorized charges or purchases have been made with your account, indicating that you may be the victim of a phishing scam.
- Report phishing: whether you’re a victim or not, tell the company or agency that the phisher was impersonating.
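The three link checks above (masked link text, plain "http" addresses and ".exe" downloads) can be automated. The following is an added example, not code from the original article; it parses a constructed sample message with Python's standard library and reports every link that trips one of the checks.

```python
# Added example (not from the article): flag email links using the three checks above.
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL; bare 'www.x.com' text is treated as a URL too."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def check_links(html_body):
    """Return {href: [reasons]} for every link that trips one of the checks."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = {}
    for href, text in collector.links:
        reasons, target = [], urlparse(href)
        # Masked link: the visible text is itself an address, but for another host.
        if text.lower().startswith(("http://", "https://", "www.")) and host_of(text) != host_of(href):
            reasons.append("shown as %s but really goes to %s" % (host_of(text), host_of(href)))
        # Plain http: whatever you type into the page travels unencrypted.
        if target.scheme == "http":
            reasons.append("uses http, not https")
        # Direct download of a Windows executable.
        if target.path.lower().endswith(".exe"):
            reasons.append("downloads an .exe file")
        if reasons:
            findings[href] = reasons
    return findings

# Constructed sample message in the style the article warns about.
SAMPLE_EMAIL = """<p>Dear customer, confirm your account at
<a href="http://secure-login.example.net/verify">https://www.examplebank.com/login</a>
or install our <a href="https://cdn.example.org/update.exe">security update</a>.
Our real site: <a href="https://www.examplebank.com/">examplebank.com</a></p>"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links and leaves the genuine https link alone.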
Avoid Becoming a Victim!
- Use dedicated systems for payment requests and approval processes. Disable email access on any system involved with payment processing. If an attacker cannot compromise the systems in payment processing, he will have a harder time obtaining payment usernames and passwords, and a harder time actually requesting/approving a transfer.
- Use a strong authentication mechanism on all payment processing systems. This would include replacing or augmenting username/password combinations with a hardware token and PIN, or with biometrics such as a fingerprint reader. An attacker will be unable to copy and reuse strong authentication such as a token or biometrics.
- Block Internet access for systems involved in payment processing. If the system genuinely has no Internet access, malware would be unable to talk back to its controlling systems and attacker.
- Disable the use of USB flash drives in payment processing systems. In some circles USB flash drives are often referred to as “malware delivery devices.” Disabling USB flash drives removes one more potential avenue for infection.
- Use tools available in your email client. Outlook, for instance, has the ability to help filter potentially harmful links. In Outlook, go to Tools/Options/Preferences/Junk E-mail/Options, and check “Disable links and other functionality in phishing messages” and “Warn me about suspicious domain names in e-mail addresses.” These are not perfect solutions but they can help.
- Be diligent in your use of anti-virus and anti-malware software, including regular updates and scans. Most of the malware used as part of a phishing attack is not detected by standard anti-virus software, but some of it is: attackers do not always change their malware before an anti-virus update that detects it becomes available, and sometimes older versions of malware are distributed. Additionally, anti-virus software can help identify secondary infections that may be related to an attack.
- Use reputation-based website, IP address, and URL filtering to help ensure that any systems accessed from within the company are not considered “bad” sites. You can extend this further by allowing only “white-list” access – access to addresses that have specifically been recognized as “good” sites (note that this has the potential to inhibit some Internet capability).
- Enforce time-of-day restrictions on login and payment processing. Many fraudulent transactions occur after normal working hours. For instance, a series of large transfers that completed at 7:00 PM on a Friday evening might go unnoticed until staff return and see the abnormal activity on Monday morning.
- Limit access to payment processing systems from mobile devices, laptops, and systems based in home offices. These distributed systems are typically more vulnerable to threats.
- Do not allow access to any internal organization system, especially payment processing systems, from a personally owned home computer. There is simply no way the organization can enforce proper control over such a system.
- Conduct employee security awareness sessions to instruct employees on how to identify phishing emails and avoid falling victim to them. Any reduction in exposure slows compromise and increases your organization’s capability to identify an escalating threat.
- Explicitly communicate to employees, partners and clients that you will never solicit account information via email, or send a link to update account information.
If you are a Victim
If you have fallen victim to a phishing scam and sent out your details to the phishers, what should you do?
- Act Immediately!
- Change Passwords!
- Close Accounts! Depending on how much information you revealed, you should log into your relevant accounts and change your passwords. If possible, also change your usernames. This will stop the fraudsters from accessing your accounts with the information you sent them.
- Contact your banks and financial institutions and make them aware of the situation in case of problems (note: having a list of your card numbers and the banks' toll-free numbers on hand is key). They should also give you further help and advice. If needed, you may actually want to close accounts that have been compromised.
- Report to the relevant Authorities!