I recently received an email from my bank, notifying me that they were upgrading their security systems, and that my account information needed to be updated. The email included a convenient link which took me directly to my bank’s website.
No problem, I thought, so I did my duty, and visited the website. After entering my username and password, another web page appeared, where I also entered and verified my address and Social Security number. The website thanked me, and I went about my day, pleased by the fact that I had helped my bank to improve its security.
Pleased, that is, until I got my next bank statement. I was broke. Somebody had cleaned me out. The website I had visited was a fake. Multiple credit card accounts had also been opened in my name, and thousands of dollars charged by someone I had never met. I was in big trouble.
Actually, these things never happened to me. They have, however, happened to millions of people, who eventually reported that their personal information was used to make unauthorized transactions, open accounts, and commit other types of identity theft. They were victims of the Internet scam known as phishing.
First used in the mid-1990s to describe tricking Internet users into revealing their passwords for dial-up service, the term “phishing” comes from the analogy that Internet scammers are using email lures to “fish” for passwords and financial data from the sea of Internet users.
The basics of fighting phishing scams are simple: don’t enter personal information on websites reached through links in email, and, when in doubt, confirm the website with a simple phone call to the institution. However, realizing that most Internet service providers and antivirus companies can’t really provide much “click it and forget it” protection, savvy Internet consumers are now beginning to take security into their own hands, and fight back.
The root of the problem lies in the “single-factor” username and password authentication method often used to complete online transactions. Once a bad guy has that simple information, the game is over.
The FDIC and other banking agencies recognize this problem, and have rolled out requirements that financial institutions use “two-factor authentication.” These are easy-to-use protections that go beyond a simple username and password, requiring a second proof of identity, such as a one-time code, before a login is accepted. Only the most lackadaisical of institutions have yet to offer two-factor authentication.
Ask your bank whether or not they provide this type of vital protection and how it works.
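As an added illustration, not part of the original article, of why the second factor changes the outcome of a phished password: a minimal two-factor login check in Python using an RFC 6238 time-based one-time password (TOTP). The user record, salt and “now” timestamps are constructed for the demo; the TOTP key is the RFC 4226/6238 reference test key, not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials, not a real account. The TOTP key is the
# RFC 4226/6238 reference test key; the password is stored as a PBKDF2 verifier.
DEMO_SALT = b"demo-salt"
DEMO_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
        "totp_key": b"12345678901234567890",
    }
}

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(key, now // step)

def login(username: str, password: str, code: str, now: int,
          step: int = 30, skew: int = 1) -> bool:
    """Two-factor check: the password (factor one) is never enough on its own."""
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    if not hmac.compare_digest(user["pw_hash"], candidate):
        return False
    # Accept the current window plus/minus `skew` windows to tolerate clock drift.
    counter = now // step
    return any(hmac.compare_digest(hotp(user["totp_key"], c), code)
               for c in range(counter - skew, counter + skew + 1))

if __name__ == "__main__":
    t = 59  # constructed "now"; RFC 6238 test vector gives code 287082 here
    key = DEMO_USERS["alice"]["totp_key"]
    print("legitimate login:", login("alice", "correct horse", totp(key, t), t))
    print("phished password only:", login("alice", "correct horse", "", t))
    print("phished password + stale code:", login("alice", "correct horse", "287082", t + 3600))
```

A password captured by a fake site stays useful to the thief indefinitely, whereas a captured one-time code stops working once its 30-second window (plus the allowed drift) has passed.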
To take an even more active role in the anti-phishing fight, and help bust fake websites, report online phishing scams to the Anti-Phishing Working Group (antiphishing.org). One of the more interesting tactics I’ve seen is to keep the scammers chasing their tails by entering fake account numbers onto their fake phishing websites. That approach makes me smile.