Listen to the Computerworld TechCast: Phishing
In Shakespeare's Othello Iago says: "But he that filches from me my good name/Robs me of that which not enriches him/And makes me poor indeed." Unfortunately, technology and our ever-more-connected society now contradict the first assertion of that statement, because today, stealing another's good name can enrich the thief considerably.
Identity theft is the name of the game. If someone can get vital authentication information, that person may be able to access another's bank accounts, charge accounts or credit information. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which made identity theft a federal crime subject to as many as 15 years in prison. Still, identity theft flourishes, and one easy and increasingly popular way of capturing personal data is called phishing.
Phishing isn't really new -- it's a type of scam that has been around for years and in fact predates computers. Malicious crackers did it over the phone for years and called it social engineering. What is new is its contemporary delivery vehicle -- spam and faked Web pages.
Phishing (sometimes called carding or brand spoofing) uses e-mail messages that purport to come from legitimate businesses that one might have dealings with -- banks such as Citibank; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo and EarthLink; online retailers such as Best Buy; and insurance agencies. The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. Typically, they ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity against them.
The Phishing Lure
Here's an example of how phishing works. On Nov. 17, 2003, many eBay Inc. customers received e-mail notifications that their accounts had been compromised and were being restricted. In the message was a hyperlink to what appeared to be an eBay Web page where they could re-register. The top of the page looked just like eBay's home page and incorporated all the eBay internal links. To re-register, the customers were told, they had to provide credit card data, ATM personal identification numbers, Social Security number, date of birth and their mother's maiden name. The problem was, eBay hadn't sent the original e-mail, and the Web page didn't belong to eBay -- it was a prime example of phishing.
In September 2003, the Federal Trade Commission reported that 9.9 million U.S. residents have been victims of identify theft during the past year, costing businesses and financial institutions $48 billion and consumers $5 billion in out-of-pocket expenses.
In an online interview in July with The Washington Post, J. Howard Beales, director of the FTC's Bureau of Consumer Protection, said ID theft is the No. 1 complaint his organization receives, accounting for 43% of calls.
According to the Anti-Phishing Working Group, an industry organization started by Redwood City, Calif.-based Tumbleweed Communications Corp., most major banks in the U.S., the U.K. and Australia have been misrepresented to customers during phishing attacks.
Cutting the Line
Even before phishing became so prevalent, legitimate businesses and financial institutions would hardly ever ask for personal information via e-mail. If you receive such a request, call the organization and ask if it's legitimate or check its legitimate Web site.
Look for misspellings and bad grammar. While an occasional typo can slip by any organization, more than one is a tip-off to beware.
If the e-mail refers you to a Web site, look carefully at the URL. It's easy to disguise a link to a site. Beware of the @ symbol in a URL. Most browsers will ignore all characters preceding the @ symbol, so this Web address -- http://firstname.lastname@example.org -- may look to the unsuspecting user like a page of Respected Company's site. But it actually takes visitors to thisisascam.com. The longer the URL, the easier it is to conceal the true destination address. Other ways to disguise URLs include substituting similar-looking characters, so that paypal.com could be (and has been) spoofed as paypaI.com or paypa1.com. Similarly, a zero can be substituted for the letter O within a URL.
Kay is a Computerworld contributing writer in Worcester, Mass. Contact him at email@example.com
See additional Computerworld QuickStudies
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts