What is phishing?
Phishing is a scam in which criminals trying to defraud you of your money send emails out at random in an attempt to trick you into revealing your personal information: Social Security number, bank account numbers, passwords and logins, and similar details. Remember, Jefferson Credit Union will never ask you for your personal information in an email. Before you delete a suspected phishing email, please forward it to the Credit Union at HelpDesk@JeffersonCreditUnion.org, the Federal Trade Commission at email@example.com, and firstname.lastname@example.org.
How does phishing work?
In computer security circles, phishing is classed as a social engineering tactic. The perpetrators send you an email that “spoofs,” or mimics, a message from an online provider you actually trust, such as AOL or PayPal. The email usually alerts you to some sort of problem (the classic one being that your account has been hijacked by fraudulent means, which becomes a self-fulfilling statement if you respond) and asks you to click a link included in the email. That link takes you to a page that asks for your current login and password and lets you “change” them to new ones. What is actually happening is that the phishers are collecting your login and password so they can access your account themselves. Once they have this information, they can gather more information about you and, depending on which service you just gave them access to, clean out your bank account, hijack your email accounts, or take control of your credit.
What should I look for?
Many phishing emails are written carelessly or by non-native speakers, so the first tip-off is often a message that does not sound professional or that contains misspelled words and bad grammar. Do not rely on this alone, though: a well-written email can still be a phish. The second tip-off is that legitimate online service providers will almost never email you and ask you to click a link to fix a problem; they will call you, send you a letter, or ask you to go to their website (with no link included) and change your information there. You should also watch for an “invalid server certificate” warning from your browser when you visit a website; if the certificate is invalid, do not log in. Call in your changes instead, and look up the phone number somewhere other than the questionable website (an old bill, the phone book, or directory assistance).
How can I protect myself from phishers?
To protect yourself, never click on links in an email that warns you of a problem or asks you to change your information. Even if you do not enter anything after clicking, a spoofed page that looks authentic or resembles your financial institution’s website may load spyware or other malicious software onto your computer, even if you have a firewall and other protection in place. Always call in changes to your important financial accounts. For online accounts such as PayPal and eBay, type the website address into your browser by hand rather than using any kind of link. Links are very easily spoofed: the text you see is independent of where the link actually goes. You can check the real destination by hovering your mouse over the link for a few seconds and waiting for the tooltip (or the address shown in the browser’s status bar) to appear, then comparing the domain it shows with the one you expect.
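The hover-over check above can be automated for a whole message. The following is an added example, not code from the Credit Union’s page: it pulls every link out of an HTML email body and flags the two tricks the text describes, visible text that names one site while the link actually goes to another, and a link whose target is a bare IP address. The email body, the addresses 203.0.113.45 and 198.51.100.7, and the hosts evil.example and www.paypal.example are all constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML e-mail body (not a real message). It mixes a
# genuine link with the two tricks described in the text: visible text that
# names one site while the href points at another, and a target that is a
# bare IP address rather than a domain name.
SAMPLE_EMAIL_HTML = """
<p>Your account has been suspended. Please verify your details at
<a href="http://203.0.113.45/login">https://www.myfinancialinstitution.com/login</a>
or visit <a href="https://www.myfinancialinstitution.com/help">our help page</a>.
See also <a href="https://evil.example/x">www.paypal.example</a> or
<a href="http://198.51.100.7/secure">Click here</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase host named by a URL or bare domain, or None if the
    string is not URL-like (e.g. the words 'Click here')."""
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        return None
    if "://" not in value:
        value = "http://" + value           # accept bare 'www.example.com'
    host = urlparse(value).hostname
    if not host or "." not in host:
        return None
    return host


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_links(html_body):
    """Return (href, reason) for each anchor that fails the hover-over check."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if actual is None:
            continue
        if shown is not None and shown != actual:
            findings.append((href, f"visible text names {shown} but link goes to {actual}"))
        elif is_ip_literal(actual):
            findings.append((href, f"link goes to a bare IP address {actual}"))
    return findings


if __name__ == "__main__":
    for href, reason in triage_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```

The genuine “our help page” link is not flagged because its visible text does not claim to be an address; the check only fires when the text and the target disagree, or when the target is an address that no reputable institution would send you to.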
What does the future of phishing look like?
Unfortunately, as long as people fall for the scam, phishing will survive and flourish. It is a relatively new crime, and the legislation needed to make it specifically illegal in the US and in many states is still working its way into law. Even after it is made illegal, there may be no recourse for those who are scammed, because many phishers are located in Uganda, Nigeria, Russia, or other countries that our legal process does not reach. In the US alone, these scams have cost consumers over $1 billion in theft and businesses about $2 billion in lost business, and phishing has only been widespread for a little more than a year. Instead of becoming part of this growing statistic, do not bite the bait phishers dangle. Reach for a phone before clicking the link.
If you suspect that you have received a fraudulent phishing email, please also notify the Internet Fraud Complaint Center (IFCC) at www.ic3.gov. The IFCC is a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
What is Pharming?
Pharming is an attack in which a user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site.
How are they doing it?
Pharming attacks are more sophisticated and more difficult to carry out than phishing, and when they succeed the damage can be severe. There are several ways to commit a pharming attack. Generally, it involves exploiting a vulnerability in Domain Name System (DNS) server software that allows traffic intended for a legitimate website to be redirected to a fraudulent one. There are approximately 9 million DNS servers on the Internet, run by companies and Internet service providers. DNS servers act as the white pages of the Internet.
When you type in an address such as www.myfinancialinstitution.com, a DNS server translates it into an IP address such as 18.104.22.168, and your browser then connects to that address. A vulnerable or compromised DNS server can be made to hand out the wrong address, so that traffic intended for www.myfinancialinstitution.com is routed to the fake site instead. This is known as DNS poisoning (or DNS cache poisoning), and because the address bar still shows the name you typed, it gives you no visible hint that anything is wrong.
As with phishing attacks, the attacker copies the institution’s web pages so you do not realize you are not where you intended to be. Security experts say DNS poisoning is not new, but because the Internet is increasingly used for financial transactions, criminals are now using it for profit.
In addition to DNS poisoning, attackers use static domain name spoofing (also called lookalike or typosquatted domains): they register a name that differs only slightly from the real one, changing www.myfinancialinstitution.com to www.myfinancialinstitution2.com, for example, or swapping the .com for .net or some other top-level domain (TLD). The real name may also be buried inside a longer one, such as www.myfinancialinstitution.com.somethingelse.net, which is not the institution’s site at all.
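A quick way to sort host names against the one you actually trust is shown below. This is an added example, not code from the Credit Union or the page; it takes the institution’s real domain (here the page’s own myfinancialinstitution.com, assumed to be the legitimate one) and classifies a host seen in a link or address bar as legitimate, a TLD swap, a lookalike (extra characters, one or two altered characters, or the real name embedded under a different domain), or unrelated. It goes slightly beyond the text by also catching single-character typos, using edit distance. The helper that extracts the registered domain is deliberately simplified and does not know about multi-label suffixes such as co.uk.

```python
LEGITIMATE_DOMAIN = "myfinancialinstitution.com"   # assumed real domain for the example


def registered_domain(host):
    """Last two labels of a host, e.g. 'www.bank.example' -> 'bank.example'.
    Deliberately simplified: it ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo-squats
    such as 'myfinancia1institution' (digit one for the letter l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, legitimate=LEGITIMATE_DOMAIN):
    """Classify a host name against the institution's real domain.
    Returns 'legitimate', 'tld-swap', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    legit_reg = registered_domain(legitimate)
    legit_name, legit_tld = legit_reg.rsplit(".", 1)
    # Only the real domain itself, or a host underneath it, is legitimate.
    # 'myfinancialinstitution.com.evil.example' is NOT underneath it: the
    # registered domain there is evil.example.
    if host == legit_reg or host.endswith("." + legit_reg):
        return "legitimate"
    reg = registered_domain(host)
    name, tld = reg.rsplit(".", 1) if "." in reg else (reg, "")
    if name == legit_name and tld != legit_tld:
        return "tld-swap"          # .com swapped for .net, .co, ...
    if legit_name in host:
        return "lookalike"         # real name with extra characters or extra labels
    if edit_distance(name, legit_name) <= 2:
        return "lookalike"         # one or two characters altered
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates, including the page's own www.myfinancialinstitution2.com
    for candidate in (
        "www.myfinancialinstitution.com",
        "www.myfinancialinstitution2.com",
        "www.myfinancialinstitution.net",
        "myfinancialinstitution.com.evil.example",
        "myfinancia1institution.com",
        "www.example.org",
    ):
        print(f"{candidate:45} {classify_host(candidate)}")
```

The ordering of the checks matters: the “underneath the real domain” test comes first so that a genuine subdomain such as online.myfinancialinstitution.com is never mistaken for a lookalike, and the TLD-swap test runs before the substring test because a swapped TLD would otherwise be reported only as a generic lookalike.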
Pharmers also submit requests to domain registrars asking that a domain be transferred from one registrar to another. If the transfer is accepted, traffic is redirected to the attacker’s server. Failure to manage your domain name properly opens yet another avenue for hijacking a website: domain names are registered for a fixed period and must be renewed, and if a name is allowed to expire, anyone, including an attacker, can register it and take ownership.
Another tactic is the use of crimeware in the form of keyloggers and Trojans. Here, malicious code is installed on an unsuspecting user’s computer to capture keystrokes, specifically user IDs and passwords, and send them to the attacker. Trojans are also used to plant a backdoor on the computer so the attacker can commandeer it at will, use it to perform other nefarious acts, or scan the files on its hard drive. This crimeware can be hosted on breached legitimate websites and is downloaded to the victim’s computer without their knowledge. According to the Anti-Phishing Working Group, malicious code for stealing passwords reached an all-time high in January 2006.
Another pharming method that is becoming more prevalent involves an attacker sending out a worm that modifies the hosts file on a Windows computer (the computer’s local list of name-to-address overrides, which is consulted before DNS is asked) so that requests for an online banking server are silently redirected to a fake one.
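Because a tampered hosts file is a plain text file, it is easy to inspect for exactly this kind of entry. The following is an added example, not code from the page: it parses hosts-file text and reports any line that pins a monitored financial domain to an address, since a normal hosts file has no business containing such entries at all. The sample file content, the address 203.0.113.45 and the domain paypal.example are constructed; the file locations are the usual Windows and Unix defaults, and the monitored domain list is an assumption you would replace with your own institutions.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not captured from a
# real machine): the normal loopback entries, plus two injected lines that send
# the bank's host names to an attacker-controlled address.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
::1         localhost
203.0.113.45   www.myfinancialinstitution.com myfinancialinstitution.com  # injected
203.0.113.45   online.myfinancialinstitution.com
"""

# Assumed list of domains you care about; replace with your own institutions.
MONITORED_DOMAINS = ("myfinancialinstitution.com", "paypal.example")

# Usual default locations (assumption: a standard Windows install under C:\Windows).
HOSTS_PATHS = (r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments,
    blank lines and lines whose first field is not a valid address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line; skip it
        for name in names:
            yield ip, name.lower()


def is_monitored(hostname, domains=MONITORED_DOMAINS):
    """True if hostname is one of the monitored domains or a host under one."""
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def find_hijacked_entries(text, domains=MONITORED_DOMAINS):
    """Return (hostname, ip) for every hosts entry that overrides a monitored
    domain. Any such entry is suspect: the override hides the real site no
    matter which address it points to, so we do not try to judge the address."""
    return [(name, ip) for ip, name in parse_hosts(text) if is_monitored(name, domains)]


def check_local_hosts_file(domains=MONITORED_DOMAINS, paths=HOSTS_PATHS):
    """Read the first hosts file that exists on this machine and check it.
    Returns [] when no file is readable, so it is safe to call anywhere."""
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                return find_hijacked_entries(fh.read(), domains)
        except OSError:
            continue
    return []


if __name__ == "__main__":
    print("Sample file:")
    for name, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"  {name} is pinned to {ip}")
    print("This machine:", check_local_hosts_file() or "no overrides found")
```

If the check reports anything for a bank or card issuer, treat the machine as compromised rather than simply deleting the lines: the worm or Trojan that wrote them is still present and will write them again.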
Pharming is becoming more sophisticated and its payload more damaging. The Internet provides a means for anonymous crime, and even when a perpetrator is identified, prosecution is difficult because many of the criminals are located in foreign countries.
What can you do?
The best way to keep attackers from stealing your personal information is to be prepared: deploy layered security consisting of prevention, detection, and response strategies. There is no single solution, no silver bullet, when it comes to security, so a defense-in-depth approach is required; in other words, put as many obstacles in the attacker’s way as possible. You may not be able to guarantee 100% protection, but you can significantly lessen the impact of these attacks. Preventing and mitigating attacks is a responsibility shared by the organization, the customer, and the service provider.
Here are some of the steps you can take:
For maximum effectiveness and efficiency, consider automated monitoring and alerting. One example is the identity or credit monitoring offered by your credit card company, which watches your credit report for you; companies such as American Express and Citibank offer this. But even if you use a third party to monitor your credit, you still bear ultimate responsibility for the security of your confidential information.
More means of protection?
In addition to the security controls listed above, do not reply to emails, unsolicited phone calls, or pop-ups requesting personal information. Do not click on a link provided in an email; instead, type the web address directly into your browser. Also, think through how you communicate via email and what information you give to anyone who asks for personal details. The best policy is never to send personal information in response to an unsolicited email or website request. You also need to be prepared with an incident response plan for when an incident does happen and your personal information is compromised: a road map for handling the situation efficiently, effectively, and promptly. The first step is having procedures in place for notifying your financial institution and law enforcement. Again, no one is 100% safe from attack, but there are procedures you can follow to minimize your risk of becoming a victim of financial and identity theft.
The newest scam identity thieves are using is called vishing. The information the perpetrators are after is the same as usual, but this time they are not using emails or lookalike websites to collect it. Instead, the email urges the victim to call a phone number to verify their account information. When they call, an automated voice message says, “Welcome to account verification. Please enter your 16-digit card number.” The attacker hopes the victim will enter their debit or credit card number. Reports of these scams note that the automated voice does not name any credit union, bank, or other financial institution.
Security experts tracking this scam and other types of vishing (short for voice phishing) say this type of fraud is truly despicable because it imitates the legitimate ways people interact with their financial institution. In some cases the vishing does not start with an email at all. The perpetrator already has the victim’s card number along with other personal information, such as their phone number, and simply calls the victim and asks for the 3-digit security code on the back of the card. Already knowing the card number increases the perception of legitimacy. The chance of tracing such a call is very poor since the advent of Voice over Internet Protocol (VoIP), which allows cheap and anonymous Internet calling and makes it easy to fool caller ID boxes into displaying false names and numbers.
These are some recommendations to prevent your personal information from being stolen:
If you do receive an email of which you are suspicious, contact the Credit Union and the Internet Fraud Complaint Center (IFCC) at www.ic3.gov. The IFCC is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center.