Global Scambaiting Forum
5 Steps For Users To Protect Themselves!



Phishing Email Fraud

by Grant Gross, IDG News Service, PC World


 

Protect yourself by learning how to recognize the danger signs of a phishing email.


Phishing (pronounced "fishing") is the practice of deceiving unsuspecting members into providing personal financial information such as account numbers, passwords, Social Security numbers and other confidential information that the fraudsters can then use to access your checking account or run up bills on your credit cards. They may go so far as to create a fake Web page for your "convenience," or provide a fraudulent phone number for you to call.


It can come in the form of spam e-mails that appear to come from a well-known company or government agency. The email creates a sense of urgency that lures members into providing this information, which may then be used to steal the member's identity.


Some tips on how to spot a phishing email


Steps to Avoid Email Fraud:

• If you do not recognize the sender, delete the message without opening it.
• Be suspicious of any email asking you for personal information, requesting authentication, or indicating a problem with your SDFCU (State Department Federal Credit Union) accounts.
• Forward a copy of the email to the Federal Trade Commission at SPAM@UCE.GOV and delete the email.

If you have responded or disclosed your personal information to a possible fraudulent email or website:

• File an online complaint with the Online Complaint Center at www.ic3.gov immediately.
• Notify SDFCU at 800-296-8882 or 703-706-5000.
• IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. For law enforcement and regulatory agencies at the federal, state, local and international level, IC3 provides a central referral mechanism for complaints involving Internet related crimes.


The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).



5 Steps For Users To Protect Themselves From Phishing Scams



While a lack of understanding of basic security principles and a lack of education about the proper security precautions are certainly contributing factors to the success of phishing scams as well as many malware attacks, it is difficult even for professionals sometimes to keep up with the latest attack tools and techniques.


Users simply want to use their computers, not become security gurus. So, here are five steps users can take to keep from being victimized by the phishing scam du jour.

1. Be Skeptical: It is better to err on the side of caution. Unless you are 100% sure that a particular message is legitimate, assume it is not. You should never supply your username, password, account number or any other personal or confidential information via email and you should not reply directly to the email in question.

Ed Skoudis says "If the user really suspects that an e-mail is legit, they should:

1) close their e-mail client,
2) close ALL browser windows,
3) open a brand new browser,
4) surf to the e-commerce company's site as they normally would.
If there's anything wrong with their account, there will be a message at the site when they log in. We need people to close their mail readers and browsers first, just in case an attacker sent a malicious script or pulled another fast one to direct the user to a different site."

2. Use The Old-Fashioned Way: An even safer means of verifying whether an email regarding your account is legitimate is to simply delete the email and pick up the phone. Rather than risking that you may somehow be emailing the attacker or be misdirected to the attacker's replica web site, just call customer service and explain what the email stated, to verify whether there is truly a problem with your account or whether this is simply a phishing scam.

3. Do Your Homework: When your bank statements or account details arrive, whether in print or through electronic means, analyze them closely. Make sure there are no transactions that you can't account for and that all of the decimals are in the right spots. If you find any problems contact the company or financial institution in question immediately to notify them.

4. Make Sure Your Computer Is A Good HOST: Your computer has a hidden system file called the Hosts file. This file can be used to hard-code domain name translations and direct you to a different site. Normally, if you try to visit paypal.com your computer sends the request to a DNS server, which tells your computer the IP address of that domain name so that your request can then be forwarded to the right server. The Hosts file supersedes DNS, so by adding an entry in the Hosts file with the domain name "paypal.com" and a different IP address your computer can be redirected. Rather than being sent to the true paypal.com server, your request will go to the address specified in the Hosts file. You should periodically check your Hosts file to ensure there are no such malicious entries in there. For more information about the Hosts file and how to make sure it's safe, you can see this article on the site for the Always Use Protection book from Dan Appleman: Bad HOSTS

5. Report Suspicious Activity: If you receive emails that are part of a phishing scam or even seem suspicious you should report them. Douglas Schweitzer says "Report suspicious e-mails to your ISP and be sure to also report them to the Federal Trade Commission (FTC) at www.ftc.gov."
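Step 4 above says to check the Hosts file periodically but not what to look for. The following is an added example, not code from the article: a small Node.js checker that parses hosts-file text and flags any line mapping a sensitive domain (paypal.com from the article, plus two placeholder domains of my own) to an address other than the local machine. The Hosts file itself lives at C:\Windows\System32\drivers\etc\hosts on Windows and /etc/hosts on Linux and macOS; the example runs on a constructed sample so it works offline, and you would feed it the real file's contents instead.

```javascript
// Added example (not from the article): scan hosts-file text for entries that
// redirect sensitive domains somewhere other than the local machine.

// Domains the user cares about. "paypal.com" comes from the article; the
// others are placeholders standing in for the user's own bank and shops.
const WATCHED_DOMAINS = ["paypal.com", "example-bank.test", "example-shop.test"];

// Addresses that point back at this machine. A hosts entry mapping a domain
// to one of these blocks the site (a common ad-blocking convention) rather
// than redirecting it, so it is not a phishing-style override.
const LOCAL_ADDRESSES = new Set(["127.0.0.1", "0.0.0.0", "::1"]);

// True when hostname is a watched domain or any subdomain of one.
function isWatched(hostname, watched = WATCHED_DOMAINS) {
  const h = hostname.toLowerCase();
  return watched.some((d) => h === d || h.endsWith("." + d));
}

// Parse hosts-file text into {ip, hostnames, line} records, skipping blank
// lines and comments (everything after '#').
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.split("#")[0].trim();
    if (!line) return;
    const [ip, ...hostnames] = line.split(/\s+/);
    if (hostnames.length === 0) return; // malformed line: nothing to map
    entries.push({ ip, hostnames, line: idx + 1 });
  });
  return entries;
}

// Return every watched hostname that is mapped to a non-local address,
// one finding per hostname so multi-name lines report each alias.
function findSuspiciousEntries(text, watched = WATCHED_DOMAINS) {
  return parseHosts(text)
    .filter((e) => !LOCAL_ADDRESSES.has(e.ip))
    .flatMap((e) =>
      e.hostnames
        .filter((h) => isWatched(h, watched))
        .map((h) => ({ line: e.line, hostname: h, ip: e.ip }))
    );
}

// Constructed sample hosts file: a normal loopback line, a deliberate
// blocking entry, and two lines that silently redirect watched domains
// (the addresses are from documentation ranges, not real servers).
const SAMPLE_HOSTS = [
  "# constructed sample, not a real hosts file",
  "127.0.0.1       localhost",
  "0.0.0.0         ads.example-tracker.test   # blocked on purpose",
  "198.51.100.23   paypal.com www.paypal.com  # override of a watched domain",
  "203.0.113.7     login.example-bank.test",
  "",
].join("\n");

const FINDINGS = findSuspiciousEntries(SAMPLE_HOSTS);
if (FINDINGS.length === 0) {
  console.log("No watched domain is overridden in the hosts file.");
} else {
  for (const f of FINDINGS) {
    console.log(`line ${f.line}: ${f.hostname} is redirected to ${f.ip}`);
  }
}
```

The loopback and 0.0.0.0 exemption matters: many users legitimately map tracking or ad domains to those addresses, and flagging them would train people to ignore the report. Anything else mapping your bank or payment site is worth a closer look, because it means the browser never asks DNS for that name at all.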



5 Steps For Companies To Protect Their Customers From Phishing Scams



For the most part you can't really blame the institutions that are targeted by phishing scams. The success of a phishing scam relies on their reputation as a credible and trustworthy company. It isn't through any lax security or flaw on their part that users end up falling for phishing scams.


However, in most cases the company in question will accept responsibility for money lost by their customers. Aside from the financial aspects, phishing scams also cause customer confusion, increase the number of calls and emails coming in to the customer service department, and damage the company's otherwise stellar reputation. So, they have a vested interest in protecting their customers and their hard-earned reputations.


"Companies that are concerned about their customers being attacked with phishing scams should CLEARLY and frequently announce or publish their policy on customer communications.


My satellite service provider, for example, sends out an email saying 'We will never contact you and ask you for credit card information or account information. If there is a problem with your account you can contact us via the support number listed on our website... etc.'" according to Marcus Ranum.


Ed Skoudis agrees with that and went into some further detail, defining the following five steps that companies can take to protect their customers and try to ensure they are not targeted by phishing scams:

1. Never EVER EVER send unsolicited e-mail to clients asking them for their userID and password, or having them login to the site. They should have a strict policy about this.
2. Educate your users about the policy above.
3. Make it easy for users to report phishing scams, and work diligently to get phishing sites shut off. Typically, you can work with the ISP that gives the phishing website Internet connectivity.
4. Keep your web application secure. We're starting to see Cross-Site Scripting attacks used in conjunction with phishing, so make sure your XSS defenses are sound.
5. A popular attack lately is to direct the user to a legit site, and then pop a frame up on top of that site that belongs to the phisher. Prevent phishers from popping frames up on top of your legit pages to fool users, by incorporating this script at the top of every page you serve:
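The script the article refers to in step 5 is not reproduced on this page. As an added example, not the article's own script, here is a frame-busting check in JavaScript of the kind that step describes, written against an injectable window-like object so the logic can be exercised outside a browser; in a real page you would call protectAgainstFraming(window) from a script at the top of the document. The makeWindow helper and the URLs are constructed stand-ins.

```javascript
// Added example, not the article's script: detect when this page has been
// loaded inside another site's frame and navigate the top window to the
// real page so the user sees only the legitimate site.

// In a browser, win.top is the outermost window and win.self is this one;
// they differ only when the page is loaded inside a frame or iframe.
function isFramed(win) {
  return win.top !== win.self;
}

// Returns "ok" when not framed, "busted" when the top window was redirected
// to this page's own URL, and "blocked" when that navigation threw (the
// embedding page or browser prevented it); in that case the page body is
// hidden so no spoofable content is shown underneath a phisher's overlay.
function protectAgainstFraming(win) {
  if (!isFramed(win)) return "ok";
  try {
    win.top.location.href = win.self.location.href;
    return "busted";
  } catch (err) {
    if (win.document && win.document.body) {
      win.document.body.style.display = "none";
    }
    return "blocked";
  }
}

// Constructed stand-in for a browser window: a location, a body with a
// style, and self/top references. Without topWin the window is its own top.
function makeWindow(href, topWin) {
  const win = {
    location: { href },
    document: { body: { style: { display: "block" } } },
  };
  win.self = win;
  win.top = topWin || win;
  return win;
}

// Constructed stand-in for a top window that refuses navigation: reading
// its location throws, as a browser does for some cross-origin accesses.
function makeHostileTop() {
  const win = { document: null };
  Object.defineProperty(win, "location", {
    get() { throw new Error("navigation refused"); },
  });
  win.self = win;
  win.top = win;
  return win;
}

// Three scenarios: a normal visit, a framed visit that gets busted, and a
// framed visit whose top window cannot be navigated.
const plain = makeWindow("https://bank.example/login");
const framingSite = makeWindow("https://framing-site.test/");
const framed = makeWindow("https://bank.example/login", framingSite);
const trapped = makeWindow("https://bank.example/login", makeHostileTop());

const RESULTS = {
  plain: protectAgainstFraming(plain),
  framed: protectAgainstFraming(framed),
  trapped: protectAgainstFraming(trapped),
};
console.log(RESULTS, "top now at:", framingSite.location.href);
```

Script-based busting only runs if the script runs, so browsers later added server-side controls that need no script: the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive. Send one of those from the server as the primary defense and keep the script as belt-and-braces for older clients.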


That wraps up this phishing expedition. Remember to follow these simple security steps and err on the side of caution and hopefully you won't be the next "phish" on the hook.


© 2006-2011 by GSO