Phishing & Identity Theft
Phishing — Obtaining Information by Deceit
Phishing is a new form of spam that exploits vulnerabilities in some browsers and e-mail programs, combined with people's ignorance of how the Web works, to perpetrate identity theft.
Looks Can Be Deceiving
The purpose of phishing is to obtain financial and personal information by deceit. The intent is to steal your on-line identity — commonly referred to as identity theft.
Identity Theft is a Long Term Problem
If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.
Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again. Interestingly, while the easy electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.
How Phishing Works
Going on a Phishing Expedition
Becoming a victim is easier than you might think. Let's have a look at the process from the perpetrator's point of view.
Remember, YOU are the intended victim of this trap.
Step One: Create a Fake Website
The first step is to set up a look-alike site that closely resembles a site that your victims are already using or could be using. The company's logo and other trademarked images are used to convey authenticity.
This could be a bank (most have been targeted), e-Bay, PayPal or any site where you conduct business using a credit card or by entering a user name and password.
Step Two: Send Out an E-mail
Next, an e-mail message (see the sample on the right) is sent to thousands of potential victims (like you) indicating that there is a problem with their account, or that their account will be closed unless they go to the Website and re-enter personal information, including their user name and password (or bank PIN).
However, this message is not from whom you think. The sample shown above to the right is a real message sent to Islandnet.com customers. (Islandnet.com, like most legitimate businesses, will never ask for this information.) Have a look at part of the headers from this example message (the blurring is intentional). The message obviously didn't come from "Islandnet.com" as was indicated in the message.
One of the dangers of "enhanced" HTML e-mail is that stuff can be hidden and you have to know how to look for it.
Have a look at the Firefox Security Video for a graphic display of the sort of messages involved and how a more secure browser (like Firefox) can help to avoid this danger.
Step Three: Collect the Information
The victim (you) clicks on the link and finds themselves on what they believe to be the correct site (remember, the perpetrator has created the site to look like the original), so they enter their user name or e-mail address and password.
Of course, this information is not going where you think it is. It is being given to thieves.
Step Four: Assume Your Identity
Taking your electronic identity (which you've just provided to them on the phishing site), the thieves go to the real site (such as your bank) and enter the site.
The information obtained in this manner is then used to either obtain funds from your account or to set up credit in your name.
How to Tell Fake Links
Your Ignorance is Your Downfall
One of the weaknesses that allow phishing and other identity theft practices to succeed is that most of the victims are using technology that they don't understand and are unwilling to learn the risks or change their habits to reduce those risks.
They use passwords that are easily guessed and often repeated everywhere. They use outdated and vulnerable software like Outlook Express and Internet Explorer rather than learn to use newer software with more built-in safeguards.
Configuring Your Software to Protect You
Whatever choices you make with your software, you'll want to take advantage of some features that are often hidden "to make it look simpler" (they don't have to pay to clean up that virus!):
- Enable the status bar on your browser and other software. (Click the view menu and look under toolbars).
- Use stronger passwords. There are online complex password generators as well as software to help remember more complex passwords.
- Learn how to view the headers in an e-mail message, what they contain and the signs of a risky message.
- Ensure your antivirus and other security software is current and updated.
If you need help determining this, contact someone knowledgeable. Remember, you're putting your trust in this person.
Where Does That Link Go?
Links Have Two Components
Hyperlinks on a website (and in an e-mail) have at least two components:
- The hidden encoded address (or link where you are being sent); and
- The text that you see.
Only the hyperlink itself (the hidden part) determines where the viewer is going to go. Just as placing a Mercedes license holder doesn't make your Ford into a Mercedes, a misleading link description doesn't change its destination.
Using the Status Bar
Remember I told you that the status bar was a valuable tool? If you hover over the link in a website or e-mail message and look at the status bar at the bottom of the message, you'll see where the hyperlink is actually sending you.
Not All Links are What they Appear to Be
Take a look at the following link and then see where it leads you (a new window opens):
If you hover over the link and look in the status bar you can tell without visiting the link's destination (strongly recommended when dealing with unknown sites and e-mails).
Just because the linked text says it is pointing towards "www.mybank.com" doesn't mean that is the real hyperlink.
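The check described above can be automated: compare the host named in the visible link text with the host in the hidden destination. The following is an added example (not code from the original page), written for Node.js using only its built-in URL class, and run here against a constructed sample message; the IP address and hostnames in the sample are made up.

```javascript
// Added example: flag links whose visible text names one host while the
// hidden href points somewhere else. Sample HTML below is constructed.

// Match each <a ... href="...">text</a>. A simple regex is enough for the
// flat anchors in a typical phishing message; a mail filter would use a
// full HTML parser.
const ANCHOR_RE = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Hidden destination: parse the href as an absolute URL, return its host.
function hrefHost(href) {
  try {
    return new URL(href).hostname.toLowerCase();
  } catch {
    return null; // not a parseable URL (e.g. mailto: with no host, or junk)
  }
}

// Visible text: only treat it as a claimed address if it looks like one
// ("click here" claims nothing and so cannot be a mismatch).
const LOOKS_LIKE_ADDRESS = /^(https?:\/\/)?[\w-]+(\.[\w-]+)+(\/\S*)?$/i;
function textHost(visible) {
  const t = visible.trim();
  if (!LOOKS_LIKE_ADDRESS.test(t)) return null;
  return hrefHost(/^https?:\/\//i.test(t) ? t : 'http://' + t);
}

// One record per anchor: what the reader sees, where it really goes, and
// whether the two disagree (the "Mercedes badge on a Ford" case).
function auditLinks(html) {
  const results = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const visible = m[2].replace(/<[^>]+>/g, '').trim(); // strip inner tags
    const realHost = hrefHost(m[1]);
    const shownHost = textHost(visible);
    const deceptive = shownHost !== null && realHost !== null && shownHost !== realHost;
    results.push({ visible, realHost, deceptive });
  }
  return results;
}

// Constructed sample resembling the message described above.
const SAMPLE = `
<p>Please <a href="http://198.51.100.7/login">click here</a> to verify.</p>
<p>Or visit <a href="http://mybank.com.example.net/">www.mybank.com</a></p>
<p>Contact <a href="https://www.mybank.com/help">www.mybank.com</a></p>`;

for (const r of auditLinks(SAMPLE)) {
  console.log(r.deceptive ? 'SUSPICIOUS' : 'ok', `"${r.visible}" ->`, r.realHost);
}
```

The second link is reported as suspicious because its text claims www.mybank.com while the destination host is mybank.com.example.net; the first is not flagged, since "click here" makes no claim about where it goes.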
Learning More of the Mechanics
If you are interested in the mechanics of this process, have a look at Cut 'N Paste HTML Editing. It explains simple HTML and demonstrates how an HTML link works.
How Can a Fake Site Exist?
First of all, people that set these up and send out the phishing e-mails wish to remain anonymous. They are breaking the law and don't want you to be able to find them after they steal your identity.
Short-Term Links
The provided links are only up for a short time before they are removed by the financial institutions affected or by the legal authorities.
Forged links often point to a site in an educational institution where passwords and access are easy to come by. By their very nature, universities house a lot of smart and curious people. Smart as they are, too many don't view the issue of security as their problem. Because of a few people's lax attitudes, many will suffer significant financial setbacks.
What is Identity Theft?
Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate you online.
Identity theft is, unfortunately, a rapidly growing crime.
It Used to Be Harder
Obtaining personal information is much easier than it used to be. At one time you had to go to your bank and speak to a real person, who would then check a card with your signature and ensure that you were who you said you were before releasing funds or providing a new credit card.
Information is Too Easily Accessed
These days credit card applications appear unsolicited in your mailbox and are easily available online. Verification depends upon electronic data rather than hard copies (original documents in the teller's hand).
Passwords — Your Electronic Signature
Many people using this technology don't really understand it. They worry that they'll forget a password, so they make it simple and use the same one over and over again. Your bank PIN is only four numbers (not very many permutations are possible, so it is relatively easy to guess). Learn more about using effective passwords.
Lack of Knowledge is Your Undoing
Folks don't really understand the risks of using an obsolete e-mail program like Outlook Express (targeted by spammers and phishers because it is so common and doesn't contain sufficient protection for the user — the electronic equivalent of a skeleton key). They just want it easy to use.
Just as seatbelts, car alarms and ignition keys are inconvenient, Internet security is too. But they also share the fact that they provide protection otherwise unavailable.
Protect Your Identity
Everyone is Gathering Information
Everyone is collecting information about you. They want all the tools at their disposal to get you to buy their products and services. If they can get your e-mail address, they can send their advertising right to your inbox. If they know your marital status and how many children you have they can identify potential markets.
See how to opt out of being placed on these lists, as well as how to get off these lists if you didn't ask to be put on them in the first place.
Don't Give Away Unnecessary Information
Do not release the following personal information, since it is your identity when you conduct business on-line:
- Social Insurance/Social Security Number
- Mother's maiden name
- Bank PINs
- Passwords (especially when combined with user names)
Be careful about releasing billing addresses and employment information as well. While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for other transactions.
Identity Theft Resources
More information about identity theft and how to prevent it is found on these sites:
- Identity Theft Resource Center.
- ID Theft, Privacy, & Security is advice from the U.S. Federal Trade Commission.
Abusing Transfer of Trust
The successful phishing scheme depends upon your trust for your financial institution being carried over into trust in the e-mail and the Website that is fraudulently sent to you.
The Internet Can Be Exploited
Browsers and enhanced (HTML) e-mail messages can be exploited for this purpose. Unless you understand the language (markup code) you are unlikely to detect this deceitful practice.
Preventing Successful Phishing
There are a number of things that you can use to avoid being the victim of this type of attack:
- Be wary of any threats to rapidly close existing accounts if you do not re-submit billing and other personal information.
- Do not use public computers for conducting financial transactions. Your personal information can be retained by the browser's cache for later retrieval by anyone else with access to that computer.
- Always use a familiar telephone number or Website address to deal with your financial institution. Do not rely on information e-mailed to you or obtained on another site.
- If you have been a victim, contact the police and file a report.
Use a Safer Browser
Your choice of web browser can make a difference when you want to protect yourself online. Whichever browser you choose, the most recent will usually have improved security features and/or have known security issues patched.
Internet Explorer, which is tightly integrated into Windows, is not recommended for regular browsing. While convenient, this means that any security issue in any Microsoft product puts your browser at risk.
Firefox Recommended
Firefox is a much safer browser to use. As an independent program it is less vulnerable to cross-program security issues while still able to perform the intended functions and call on outside features like e-mail programs.
Have a look at some of the built-in security features of Firefox:
- Firefox Security Video showcases the security features contained in recent Firefox versions (3.6 and later).
- Choosing a Web Browser: Security — why choosing the right browser matters.
More About Phishing
The following sites deal more with the issue of phishing.
- Anti-Phishing Working Group on preventing phishing fraud.
- Securities-Fraud.org on preventing phishing fraud.
- Citibank Phishing Email is an example of how phishing works.
- Secunia Research has vulnerability management tools for consumers and corporations.
More About Related Issues
Protecting Your Online Identity
The following related pages offer more information about protecting your online identity:
- Passwords and Encryption — Protecting Your Electronic Signature
- Avoiding Spam — Unsolicited E-mails and Mailing Lists
- Proper E-mail Address Etiquette — Using To:, CC: & BCC: Correctly
Securing Your Computer
The following related pages offer more information about securing your computer:
- Security Basics — Preventing Unauthorized Access
- Firewalls — Your First Line of Defense
- ZoneAlarm Security — Recommended Firewall Products
- Anti-Virus Protection — Current Alerts, Strategies, Hoaxes & Software
- Your Privacy At Risk — Spyware Detection & Removal
- Passwords and Encryption — Protecting Your Electronic Signature
- Web Security — Vulnerabilities in Internet Software
- Windows Security — Vulnerabilities in Windows
www.RussHarvey.bc.ca/resources/identitytheft.html
Updated: August 17, 2010