I recently received an email from my bank, notifying me that they were upgrading their security systems, and that my account information needed to be updated. The email included a convenient link which took me directly to my bank’s website. No problem, I thought, so I did my duty, and visited the website. After entering my username and password, another web page appeared, where I also entered and verified my address and Social Security number. The website thanked me, and I went about my day, pleased by the fact that I had helped my bank to improve its security.
Pleased, that is, until I got my next bank statement. I was broke. Somebody had cleaned me out. The website I had visited was a fake. Multiple credit card accounts had also been opened in my name, and thousands of dollars charged by someone I had never met. I was in big trouble.
Actually, none of this happened to me. It did, however, happen in 2005 to over two million people, who reported that their personal information was used to make unauthorized transactions, open accounts, and commit other types of identity theft. They were victims of the Internet scam known as phishing. First used in the mid-1990s to describe tricking dial-up customers into revealing their passwords, the term “phishing” comes from the analogy that Internet scammers cast email lures to “fish” passwords and financial data out of the sea of Internet users.
The basics of fighting phishing scams are simple: never enter personal information on a website you reached by clicking a link in an email, and, when in doubt, confirm with a phone call to the number printed on your statement or card, not to a number supplied by the email. Most Internet service providers and antivirus companies can’t really provide much “click it and forget it” protection, so savvy Internet consumers are now beginning to take security into their own hands and fight back.
The root of the problem lies in the “single-factor” authentication method currently used to complete online transactions: a username and a password, both of them things you know, and therefore both of them things a convincing fake website can simply ask you to type. Once a bad guy has that information, the game is over. Groups such as the FDIC and other banking agencies recognize this problem, and are beginning to roll out additional, easy to use protections similar to ATM card-style authenticators for people to use at home: a second factor, something you have, such as a small token or card that produces a code the website asks for alongside your password, so that a stolen password alone opens nothing. Ask your bank when it intends to make this type of vital protection available.
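To show what that second factor adds over a bare password, here is an added example (not code from the article, and not from any bank): a login check that requires a one-time code from a token the customer holds, using the HOTP algorithm of RFC 4226 (HMAC-SHA1, six digits), which is what many hardware tokens compute. The account record, the password “hunter2” and the token secret are constructed for the demo.

```python
"""Added example of a two-factor login check: password plus a one-time code
from a token the customer holds. HOTP follows RFC 4226 (HMAC-SHA1, 6 digits).
The account, password and secrets below are constructed for the demo."""
import hashlib
import hmac
import os


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    Test vector: secret b"12345678901234567890", counter 0 -> "755224"."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Account:
    """One customer record: salted password hash plus the token's secret and counter."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server expects from the token

    def password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.pw_hash)


def login(acct: Account, password: str, code: str = None, window: int = 5) -> bool:
    """Two-factor check. The password alone never suffices; the code must match one
    of the next `window` counter values and is then consumed, so a replay fails."""
    if not acct.password_ok(password):
        return False
    if code is None:
        return False  # single factor only: exactly what a phished password buys
    for c in range(acct.counter, acct.counter + window):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            acct.counter = c + 1  # resynchronise and burn the used code
            return True
    return False


class Token:
    """The customer's hardware token: same secret, each press advances the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


if __name__ == "__main__":
    secret = os.urandom(20)
    acct, token = Account("hunter2", secret), Token(secret)
    print("password only     :", login(acct, "hunter2"))        # False
    code = token.press()
    print("password + code   :", login(acct, "hunter2", code))  # True
    print("same code replayed:", login(acct, "hunter2", code))  # False
```

The point of the demo is the third line of output: a password and code captured by a fake website are useless once the code has been spent, and the server's look-ahead window keeps a token that was pressed a few times without logging in from falling out of sync. The one caveat a practitioner would add is that a fake site which relays your password and fresh code to the real bank in real time can still get one session out of them, so the advice above about never following links in email still applies.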
Also helpful are tools that show you which site you are really on, or warn you when a site is a known fake. Recommended are the Google Safe Browsing add-on for the Mozilla Firefox browser, which warns when you land on a page Google has identified as a phishing site, and a tool called Spoofstick, from www.spoofstick.com, which displays the real domain name of the current page in the toolbar so that a look-alike address does not slip past you. For users of Internet Explorer, check out the free Anti-Phishing filter from McAfee. None of these tools catches every fake site, so treat them as a supplement to the rules above, not a replacement.
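The check a Spoofstick-style tool performs is worth seeing in the open, because it is the same check you should make by eye before clicking a link in an email. The following added example (illustrative code, not from the article or from any of the tools it names) pulls every link out of an email body, works out the host the browser would really connect to, and flags any link that is not on the bank's own domain. The bank domain “mybank.example” and the sample email are constructed for the demo; the three tricks in it (a “user@” prefix, a look-alike subdomain, and honest-looking link text) are all classic phishing lures.

```python
"""Added example: the host check a Spoofstick-style toolbar performs, run over
the links in an email. Illustrative code, not from the page or any named tool.
The bank domain 'mybank.example' and the sample email are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def true_host(url: str) -> str:
    """Host the browser really connects to: scheme, 'user@' prefix, port and path
    are all stripped, so 'http://www.mybank.example@203.0.113.9/' -> '203.0.113.9'."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.host/path' links
    return (urlsplit(url).hostname or "").lower()


def on_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it. Note that
    'mybank.example.attacker.example' is NOT a subdomain of 'mybank.example'."""
    return host == domain or host.endswith("." + domain)


def audit_links(html: str, bank_domain: str) -> list:
    """Return one finding per link: the real host and why it is (un)trusted."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = true_host(href)
        trusted = on_domain(host, bank_domain)
        if trusted:
            reason = "host is on the bank's domain"
        elif bank_domain in text.lower() or bank_domain in href.lower():
            reason = "link mentions %s but really goes to %s" % (bank_domain, host)
        else:
            reason = "host %s is not the bank's domain" % host
        findings.append({"text": text, "href": href, "host": host,
                         "trusted": trusted, "reason": reason})
    return findings


# Constructed sample email, modelled on the lure described at the top of the page.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.mybank.example@203.0.113.9/update">
log in to www.mybank.example</a> to confirm your details.</p>
<p>Or use our secure site: <a href="https://mybank.example.secure-verify.example/login">
https://mybank.example/login</a></p>
<p>Questions? Visit <a href="https://www.mybank.example/help">our help pages</a>.</p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "mybank.example"):
        flag = "OK  " if f["trusted"] else "WARN"
        print(flag, f["host"].ljust(40), f["reason"])
```

Run on the sample, the first two links are flagged (one really goes to 203.0.113.9, the other to mybank.example.secure-verify.example) and only the help link passes. The `on_domain` rule is the part people get wrong by eye: a host that merely begins with the bank's name is not the bank, and checking that the host ends with the bank's domain is exactly the test a toolbar like Spoofstick makes visible.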
To take an even more active role in the anti-phishing fight, and help bust fake websites, report online phishing scams to the Phishing Incident Reporting and Termination squad (http://wiki.castlecops.com/PIRT). One of the newest tactics is to keep the scammers chasing their tails by entering fake account numbers into their fake phishing websites, so that the data they harvest is worthless. That approach makes me smile.