Don't Bite if You're Phished


by Kevin Kawamoto <kawamoto@u.washington.edu>


Index:

.01 Phishing (sounds like “Fishing”)
.02 Banks Respond
.03 Teaching Kids and Newbies about Phishing
.04 Practical Tips/More Information
.05 Conclusion
References

.01 Phishing (sounds like “Fishing”)

Most people reading this column will already know what “phishing” is and, more than likely, may already have received one or more messages in their e-mail inbox that were part of a phishing scam. Such a message probably appeared to be from a legitimate business or organization that needed to collect personal information from the recipient in order to “normalize” that person’s account.

Here’s how it goes. The following example is part of a real message supposedly sent from a real bank (but not really) under the subject line, “Confirm Your Identity Information.” The message begins like this: “We are performing maintenance, which may interfere with access to your Online Services.  Due to these technical updates your online account has been flagged and we must confirm that you are the rightful owner of the account. To Confirm Your Identity click the link below [hypertext link provided in the message]. Please make sure you do this in a timely fashion as we look forward to bringing you updates regularly.”

This is one of a number of phishing messages appearing in people’s e-mail inboxes. The messages appear legitimate (at first glance) and even contain language warning the receiver to be careful about online security: “[Bank’s name] and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail.” Sometimes a threat is also included, to the effect of “if you don’t respond to this message within [a certain amount of time] your account privileges will be suspended.” Recipients may also be asked to download software onto their personal computers.

When you click on the hypertext link provided in the e-mail message, the Web site that pops up looks professional, perhaps even identical to a real company’s official Web site right down to the official logo. The problem is, the Web site is fake.

Of course, most cyber-savvy people know this is a scam – a deceitful attempt to get an unsuspecting person to surrender personal information that could be used by a con-artist to access that person’s bank account or other private account. But the messages often look so convincing that some people are fooled into thinking they are real. Of the tens of thousands of messages that get sent out, the con-artists behind the scam hope that they’ll get at least some “bites” in return for their efforts.

.02 Banks Respond

By now banks are well aware of this scam and have issued warnings to their customers about transmitting personal, confidential information online. Washington Mutual, for example, has explained to its customers through mailings and its Web site what phishing is and why customers need to be careful. On its Web site, Washington Mutual explains: “All your online banking should be done through our secure Web site, and we will not send you e-mail instructions to download any banking software to your computer. Do not install software downloads directly from e-mail messages, or from companies or Web sites you do not recognize. When in doubt, contact the company directly or call our customer service number…” [1].

Other banks have issued official warnings and messages about how to recognize and avoid being the victim of phishing. Most of this information can be found on their Web sites. Key Bank, whose name has been used in phishing scams, tells customers via its Web site that the bank “will never request personal information, including account numbers, social security number, user names or passwords in e-mail messages or pop-up windows” [2].

Financial institutions are particularly sensitive about online scams because these activities have the potential to erode the public’s trust in secure online financial transactions. But financial institutions are not the only ones touched and tainted by online scams. eBay, the online auction site, has had its customers targeted by phishing. eBay offers an online tutorial on how to spot “spoof (fake) emails.”

“While there is no single way to recognize whether you have received a Spoof email - the senders are especially deceptive - there are a few signs that indicate the email may not be legitimate,” says the eBay Web page. The company provides some tips on how to spot a fake Web site, such as scrutinizing the URLs used. The full tutorial can be accessed here: http://pages.ebay.com/education/spooftutorial/.

.03 Teaching Kids and Newbies about Phishing

Teaching children and adults who are not aware of the many scams they can encounter on the Internet is an important component of consumer protection in the 21st century. Just as teachers have for many years taught children to be wary of targeted advertising and to know their rights as consumers, they must now educate new generations – young and old – of Internet users about the many ways dishonest people may try to get information about them in an attempt to exploit them or their family members.

According to an article in the Seattle Times, “Phishing is one element in a vast criminal enterprise that can lead to identity theft and, ultimately, fraud involving checking accounts, credit cards and even home mortgages. Victims tell stories of painstaking months spent correcting damaged credit reports. Financial institutions, as well as retailers and e-tailers, have lost money to new and constantly morphing forms of electronic identity theft.” [3]

One of the best ways to help people avoid being exploited online is to educate them about the dangers and how to avoid them. Phishing is not the only danger to avoid, but it is one that can be combated effectively with knowledge and sensible Internet use behavior. Educating people about phishing is part of a general caveat to Internet users about being critical, cautious and skeptical about transmitting any kind of personal or confidential information online – not just financial information but anything that is considered private.

.04 Practical Tips/More Information

The American Bankers Association has provided the following list of Consumer Tips on its Web site to help people avoid becoming the victim of a phishing expedition. This is a good place to start in helping the less “scam savvy” among us become more aware of how to smell a “phish” when one lands in their inbox!

  • Never give out your personal financial information in response to an unsolicited phone call, fax or email, no matter how official it may seem.
  • Do not respond to email that may warn of dire consequences unless you validate your information immediately.  Contact the company to confirm the email's validity using a telephone number or Web address you know to be genuine.
  • Check your credit card and bank account statements regularly and look for unauthorized transactions, even small ones.  Some thieves hope small transactions will go unnoticed.  Report discrepancies immediately.
  • When submitting financial information to a Web site, look for the padlock or key icon at the bottom of your browser, and make sure the Internet address begins with "https." This signals that your information is secure during transmission.
  • Report suspicious activity to the Internet Crime Complaint Center (http://www.ic3.gov/), a partnership between the FBI and the National White Collar Crime Center.
  • If you have responded to an email, contact your bank immediately so they can protect your account and your identity.  For information on identity theft, visit  ABA's Consumer Connection (http://www.aba.com/Consumer+Connection/CNC_contips_idtheft.htm).
  • For more information on phishing, visit the Federal Deposit Insurance Corporation (http://www.fdic.gov/consumers/consumer/news/cnwin0304/phishing.html), Federal Trade Commission (http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm), the Anti-Phishing Working Group (http://www.antiphishing.org/index.html), the National Consumers League (http://www.phishinginfo.org/), or the OCC Consumer Protection News (http://www.occ.gov/Consumer/phishing.htm).

Source: American Bankers Association [4]
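Two of the tips above (eBay’s advice to scrutinize the URL, and the ABA’s advice to check for “https”) can be turned into a mechanical check, which is a useful way to show students what “look at the address” actually means. The following helper is an added example written for this column; it is not code from the ABA, eBay or any bank. The “bank” it protects is the constructed domain examplebank.com, and every URL it is tried against is constructed for illustration.

```python
"""Mechanical URL scrutiny for phishing education.

Added example, not part of the original column. Assumptions: the genuine
organisation owns the constructed domain examplebank.com, and all sample
URLs in main() are constructed, not real phishing addresses.
"""
import ipaddress
from urllib.parse import urlsplit

# The organisation's genuine registered domain(s). Constructed for the example.
LEGITIMATE_DOMAINS = {"examplebank.com"}
# Spellings of the brand that a look-alike address might borrow. Constructed.
BRAND_TOKENS = ("examplebank", "example-bank")


def registered_domain(host):
    """Last two labels of a hostname: 'www.examplebank.com' -> 'examplebank.com'.

    Deliberately naive: production code should consult the Public Suffix List
    so that hosts under suffixes such as 'co.uk' are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scrutinize_url(url):
    """Return the list of red flags found in a URL; an empty list means none.

    Checks the address itself rather than the page's appearance: the scheme,
    user-info placed before an '@', bare IP hosts, non-ASCII letters in the
    host, and a brand name that appears somewhere other than the bank's own
    registered domain.
    """
    flags = []
    # Tolerate addresses typed without a scheme, as they appear in e-mail text.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()  # hostname has the port stripped

    if parts.scheme != "https":
        flags.append("not https: data would travel unencrypted")
    if parts.username is not None:
        flags.append("user-info before '@': the real host is the part after '@'")
    if is_ip_literal(host):
        flags.append("host is a bare IP address, not a registered domain")
    if not host.isascii():
        flags.append("non-ASCII characters in host: possible look-alike letters")
    if registered_domain(host) not in LEGITIMATE_DOMAINS and any(
        token in url.lower() for token in BRAND_TOKENS
    ):
        flags.append(
            "brand name appears, but the registered domain is "
            f"'{registered_domain(host)}', not the bank's"
        )
    return flags


def main():
    # Constructed sample addresses: one genuine pattern, several suspicious ones.
    samples = [
        "https://www.examplebank.com/login",
        "https://examplebank.com:8443/login",
        "http://203.0.113.5/examplebank/login",
        "http://www.examplebank.com@203.0.113.5/",
        "https://examplebank.com.secure-login.example/",
    ]
    for url in samples:
        flags = scrutinize_url(url)
        verdict = "no red flags" if not flags else "; ".join(flags)
        print(f"{url}\n    -> {verdict}")


if __name__ == "__main__":
    main()
```

One caveat worth passing on to students: the “https” tip above only says that data is encrypted while in transit. A fraudulent site can present a padlock too, so the padlock is a necessary check, not a sufficient one; the registered domain is what actually identifies the site.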

.05 Conclusion

The longer cyberspace and real life co-mingle, the more they resemble each other. In real life, people have always had to beware of bandits, swindlers and con-men. These exploitive forces now have new tools with which to reach the unwary and the gullible. Just as we teach children and older adults to be wary of people in cars offering treats or calling on the telephone or knocking at the door, we have to teach them to be just as suspicious of unsolicited e-mails from strangers.

The reality is that as wondrous as e-mail and the Internet are, they can also be used – in the wrong hands – as weapons of deception and exploitation. Sadly, this reality needs to be communicated as soon as people start using these technologies because at that point they’ve opened a part of themselves to a world that has – hidden in its networks – dangers that can cause real harm.

One hopes that the coalition of government, business and civic organizations working against cybercrimes such as phishing will be effective in their efforts to keep innocent people from jeopardizing their private information. Educators can play a key role in enhancing these efforts by illuminating the problem, encouraging dialogue, and providing strategies for critical evaluation and prudent behavior in cyberspace.

References

[1] Washington Mutual Bank’s Your Security Web page, http://www.wamu.com/personal/welcome/security.htm.

[2] Key Bank’s Online Security Web page, http://www.key.com/html/E-2.23.html.

[3] Melissa Allison, “Phishing: The New Face of Fraud,” Seattle Times, March 21, 2005.

[4] ABA.com, “Don’t Get Lured Into A Phishing Scam,” http://www.aba.com/Consumer+Connection/033104PHISH.htm.