Imagine that you receive a letter from your bank inviting you to visit the local branch urgently, due to a problem with your account! Someone appears to have accessed your funds – you’re needed right away.
Leaving work, you race down to the bank, and find a fellow sitting behind the counter.
“Good Afternoon, I need to get your account information – username, password – otherwise I’ll need to freeze your account. We need to make sure, for your own safety that you are who you say you are.”
Sighing deeply – that was a close shave – you pass him your details and go back to business. As you leave, he grins evilly, takes off his uniform and packs up his fake branch. Maybe he whistles a little as he logs onto your account at the real branch and empties it.
That couldn’t happen, right? The expense! The audacity! Finding criminals with customer service skills who look good in uniforms!
On the Internet it costs about $10 per month to pull this scam ($5 if you shop around, and FREE! if you hack someone else’s server) – and an hour or two to set up. It’s called Phishing, and the criminals are getting better and better at it.
Phishing is a problem. Your bank wants to send you email because it’s cheap. They want you to use internet banking because that’s cheap as well. If everyone just used internet banking, your fees could go straight to executive bonuses, where they’re needed most, instead of on expenses like staff or the air conditioning bill at your local branch.
Unfortunately, without careful inspection it is difficult to tell the difference between a legitimate bank email and a fake one. Often the first you’d know of it is when you log on to internet banking and find that all your money was mysteriously transferred to Moldova.
My bank has a banking guarantee. It’s great. I won’t lose my money unless I somehow “contribute to the loss”… I wonder if that means not properly securing my computer, or giving a criminal my password. I don’t want to find out.
Criminals are getting more and more devious. Who’d have thought an eBay account had any value? Well, if you have lots of “AAAAAAAA+++ Super!” ratings, a criminal who gets into your account can fleece quite a few punters out of their money by selling them, in YOUR name, a laptop that doesn’t exist – and when they complain, it’s your rating that takes the hit, and you who has to deal with the police when they ask you to “please explain”. Just because you don’t see the scam, it doesn’t mean someone hasn’t thought of it.
What can you do? Since this is being posted on a security forum, most people here know the golden rule already: don’t go and click on random links in emails. Your bank won’t send them. Even if your bank does send them, don’t click on the links. Go to the web site by typing in the URL yourself.
Your bank will never ask you for your password for online banking. Ever. Not for a security update, not to verify your identity and not to do anything else.
Can technology help? There are technology solutions that you can use to help you (and depressingly, even some of these are snake oil). Technology only solves part of the problem – the rest is up to you.
Think carefully about what you receive in email, and what you do online. If something looks too good to be true – it is.
Nobody in Nigeria is going to let you have 10% of $20 MILLION UPPERCASED US DOLLARS because of a dead relative, corruption, assassination or any other reason.
Your ISP is not likely to send you, unsolicited, a program to run to fix a spam problem you didn’t know you had. However, criminals are likely to send you a spam problem masquerading as a fix. Email addresses can be faked: the From: address on an email is just text the sender typed, and nothing checks it matches where the message really came from (which is why, when you reply with a tirade of abuse to a spammer, it usually bounces).
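Two of the tells above (a link whose visible text names your bank while the real link goes elsewhere, and a From: address that doesn’t line up with where replies and bounces actually go) can be checked mechanically. The following Python script is an added example, not code from the original post; it uses only the standard library, and the sample email, the domains in it and the “last two labels” domain heuristic are all constructed assumptions for this illustration (the reserved .example and example.net names are not real sites).

```python
"""Added example: two mechanical checks for common phishing tells.
1. <a> links whose visible text shows a URL on one domain while the href
   really points at another.
2. A From: domain that differs from Reply-To: or the envelope Return-Path:.
The sample message and all domains in it are constructed for this example."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "verify your account" email with a spoofed From:.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-hosting.example.net>
From: "Example Bank Security" <security@examplebank.example>
Reply-To: support@examplebank-verify.example.net
To: customer@example.org
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://examplebank.example.verify-login.example.net/">
log in at https://examplebank.example/</a> within 24 hours.</p>
<p>Help: <a href="https://examplebank.example/help">https://examplebank.example/help</a></p>
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two DNS labels, e.g. 'a.b.example.net' -> 'example.net'.
    Assumption: a crude stand-in for the Public Suffix List (it misjudges
    suffixes such as co.uk, which real tooling must handle properly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_mismatches(html: str) -> list:
    """Links whose visible text shows a URL on one domain while the href goes to
    another. Links with no URL in their text are skipped: there is nothing to
    compare, which is exactly why the advice is to type the address yourself."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = URL_RE.search(text)
        if not shown or not href:
            continue
        shown_host = urlparse(shown.group(0)).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            findings.append({"shown": shown_host, "actual": real_host})
    return findings


def _domain(header_value) -> str:
    """Domain part of the first address in a header value ('' if none)."""
    if header_value is None:
        return ""
    return parseaddr(str(header_value))[1].rpartition("@")[2]


def header_mismatches(msg) -> list:
    """Reply-To: and Return-Path: domains that differ from the From: domain.
    From: is text chosen by the sender and proves nothing by itself; replies
    and bounces go where these other headers say."""
    from_dom = registered_domain(_domain(msg["From"]))
    findings = []
    for name in ("Reply-To", "Return-Path"):
        other = registered_domain(_domain(msg[name]))
        if other and other != from_dom:
            findings.append({"header": name, "from": from_dom, "other": other})
    return findings


def analyze(raw: bytes) -> dict:
    """Run both checks over a raw RFC 5322 message (HTML body only)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"header_mismatches": header_mismatches(msg),
            "link_mismatches": link_mismatches(html)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_EMAIL).items():
        for item in items:
            print(kind, item)
```

On the sample, the first link is flagged because its text says https://examplebank.example/ while the href lands on example.net, and both Reply-To: and Return-Path: point away from the From: domain. A mismatch is a reason to stop and check, not proof of fraud (bulk-mail services legitimately set a different Return-Path:), and a link whose text just says “click here” gives the check nothing to compare, which is why typing the bank’s address yourself beats any filter.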
Stop, think, ask a friend – or call your ISP. Post in a forum such as Castlecops and ask for advice. Don’t be a victim of Phishing or online scams.