Phishing & Identity Theft

What is Phishing? | Phone Scams | What is Identity Theft?

Phishing — Obtaining Information by Deceit

How Phishing Works | How to Tell Fake Links | Abusing Transfer of Trust

Protecting yourself from identity theft requires being aware of the danger signs.

Unfamiliar messages. Passwords that no longer work. These are just two of the many clues that cybercriminals have gotten a hold of your password and broken into your [emai] account.
ZoneAlarm Security Blog

Phishing is a form of spam that takes advantage of vulnerabilities in some browsers and email programs but depends even more upon people's ignorance of how the Web works to perpetrate identity theft.

Looks Can Be Deceiving

The purpose of phishing is to obtain financial and personal information by deceit. The intent is to steal your on-line identity — commonly referred to as identity theft.

There are huge personal and financial costs if you allow yourself to become a victim — $37 billion in 2010, (down from $56 billion the year before).

See ZoneAlarm's blog to learn more about identity theft:

Identity Theft is a Long-Term Problem

If you are the victim of identity theft, you can expect to fight to regain your credit rating for years — over and over again.

Victims report that it takes months or years to regain their credit rating, only to find that a new report forces them to start all over again.

While electronic data can quickly get you into trouble, financial institutions want physical (on paper) evidence that you're not responsible.

Return to top

How Phishing Works

Beware of "Computer Support" Calls

Have you received a phone call from someone saying that you have a problem with your computer? Unless you initiate the call, you have no idea who you're dealing with (even call display can be faked). Learn how to avoid identity theft.

Microsoft estimated the cost of cleaning up the aftermath of trusting these folks at $850.00. More on these sites:

 

Going on a Phishing Expedition

Becoming a victim is easier than you might think. Let's have a look at the process from the perpetrator's point of view.

Remember, YOU are the intended victim of this trap.

Step One: Create a Fake Website

If a site invites you to use your email and password to log into Yahoo!, Gmail, Windows Live, AOL or other email account, DON'T!

The first step is to set up a look-alike site that closely resembles a site that your victims are already using or could be using. The company's logo and other trademarked images are used to convey authenticity. (See the section on abusing transfer of trust.)

The image on the right was captured from a recent fake site but I've seen a similar layout right in an email (just one reason to NOT allow your email program to automatically load images).

This could be a bank (most have been targeted), Google Docs, e-Bay, PayPal or any site where you conduct business using a credit card or enter with a user name and password.

The Anatomy of an Email Scam

Step Two: Send Out an Email

Look at this sample phishing email sent to islandnet.com customers

Next, an email message (see the sample on the right) is sent to thousands of potential victims (like you) indicating that there is a problem with their account, or that their account will be closed unless they go to the website and re-enter personal information, including their user name and password (or bank PIN).

However, this message is not from who you think. The sample show above to the right is a real message sent to Islandet.com customers. (Islandnet.com, like most legitimate businesses, will never ask for this information.) See part of the headers from this example message (the blurring is intentional). The message obviously didn't come from "Islandnet.com" as was indicated in the message.

Don't be hooked. Click on the image to the left to see The Anatomy of an Email Scam (posted on the ZoneAlarm Blog) to learn how to recognize an email scam.

HTML Email Hides Details

One of the dangers of "enhanced" or HTML email is that stuff can be hidden and you have to know how to look for it.

Firefox online security features help you avoid problems with invalid or insecure sites.

Step Three: Collect the Information

The victim (you) clicks on the link and finds themselves on what they believe to be the correct site (remember, the perpetrator has created the site to look like the original), so they enter their user name or email address and password.

Of course, this information is not going where you think it is — you're sending it directly to thieves.

Step Four: Assume Your Identity

Taking your electronic identity (which you've just provided to them on the phishing site), the thieves go to the real site (such as your bank) and log into your account.

The information obtained in this manner is then used to either obtain funds from your account or to set up credit in your name.

Another Sort of Phishing Email

The example above is designed to lure you into providing account information and/or to visit a bogus website where you'll enter that information.

Scam with a Different Purpose

A message can also be designed to get you to send money via Western Union or some other method.

The following is the text of a message I received from a friend (with some identity information removed):

URGENT HELP NEEDED.......([my friend's first and last name])
 
I'm so sorry to bother you,but i really need your help at the moment,  I came down here to Manila Philippines for a short vacation,unfortunately i got mugged at the park of the hotel i'm staying ,everything i had on me was stolen including,cash,credit cards and cell phone....I need help to settle the bills and flying back home, I'll surely pay back as soon as I get back home.The amount needed now is just $2,500 .. I'll surely pay back as soon as i get back home. I'm so confused right now and also want to let you know I was beaten up while trying to protect myself and had some scratches on me but his doing well now,You can have the money wire  to my name and the address below via western union;
 
Receiver's Name: [my friend's first and last name]
Location: Manila, Philippines
 
Get back to me with the details, would definitely refund it back to you once i arrive Hopefully.
 
Am freaked out at the moment..... I need your Help

The sender hoped I'd reply with financial details so they could collect the funds themselves.

How I Knew It Was a Scam

The message appeared to come from this person's current email address, but there are several evident clues that this wasn't legitimate:

The real owner of the address did the smart thing and sent out a message to friends indicating that the original message was bogus and that they were OK. I'm sure the account password was also changed to something more secure.

Return to top

How to Tell Fake Links

Configuring Your Software | Where Does That Link Go? | How Can a Fake Site Exist?

Your Ignorance is Your Downfall

One of the weaknesses that allow phishing and other identity theft practices to succeed is that most of the victims are using technology they don't understand.

Configuring Your Software to Protect You

Whatever choices you make with your software, you'll want to take advantage of some advanced (and often hidden) features:

Advanced features are often hidden to provide for a cleaner, simpler look. Remember, software vendors don't have to pay to clean up problems that could have been prevented were these features enabled in a standard (default) installation.

If you need help determining how to configure your software and security protection, contact someone knowledgeable, but be careful when selecting your "expert" helper. Remember, you're putting your trust in this person. I provide these services in Greater Victoria.

Get Help From Your ISP

Use whatever tools your ISP makes available to identify potential spam, phishing and other problematic email messages. Check your ISP's help or support website or call their help line.

I strongly recommend Islandnet.com (even if you're using another ISP) because of their extensive PEP anti-spam tools and friendly, knowledgeable staff. Unlike some major ISPs, you're dealing with a real person that is knowledgable, not someone overseas with a script in front of them.

Hosted by Islandnet.com

Links Have Two Components

Hyperlinks on a website (and in an email) have at least two components:

  1. The hidden encoded address (the hyperlink where you are being sent); and
  2. The "linked" text (what you see highlighted in the link).

Only the hyperlink itself (the hidden part) determines where clicking on the link sends you. Just as placing a Mercedes license holder doesn't make your Ford into a Mercedes, a misleading link description doesn't change its destination.

Using the Status Bar

Remember I told you that the status bar was a valuable tool? If you hover over the link in a website or email message and look at the status bar at the bottom of the message, you'll see where the hyperlink is actually sending you.

Take a look at the following link and then see where it leads you (a new window opens):

If you hover over the link and look in the status bar you can tell without visiting the link's destination (strongly recommended when dealing with unknown sites and emails).

Just because the linked text says it is pointing towards "www.mybank.com" doesn't mean that is the real destination.

Learning More of the Mechanics

If you are interested in the mechanics of this process, have a look at Cut 'N Paste HTML Editing. It explains simple HTML and demonstrates how an HTML link works.

Shortened Addresses

It is common for phishing emails to use shortened URLs (web addresses) created by services like TinyURL, bitly and SnipURL hide the destination address, but you can check these links before visiting the site. Paste the address into your browser's address bar with the changes noted below, then hit enter:

You're taken to TinyURL, bitly or SnipURL (respectively) with information showing about the true (full) destination for the shortened link. In these examples, all shortened links point back to this page.

How Can a Fake Site Exist?

First of all, people that set these up and send out the phishing emails wish to remain anonymous. They are breaking the law and don't want you to be able to find them after they steal your identity.

Short-Term Links

The provided links are only up for a short time before they are removed by the financial institutions affected or by the legal authorities.

Forged links often point to a site in an educational institution where passwords and access are easy to come by. By their very nature, universities house a lot of smart and curious people. Smart as they are, too many don't view the issue of security as their problem. Because of a few people's lax attitudes, many will suffer significant financial setbacks.

Delete Attached Forms

More recent phishing attempts have provided an attachment to their messages which, when opened, replace the fake site with a form which accomplishes the same nefarious purpose — to get your information using deception. Don't be fooled.

Return to top

Abusing Transfer of Trust

The successful phishing scheme depends upon your trust for your financial institution (or other authority) being carried into the fraudulent email and the website link it contains. You trust the link because it appears to be someone you trust.

The Internet Can Be Exploited

Browsers and enhanced (HTML) email messages can be exploited for this purpose. Unless you understand the language (markup code) you are unlikely to detect this deceitful practice.

Preventing Successful Phishing

There are a number of things that you can use to avoid being the victim of this type of attack:

Report Identity Theft

If you have been a victim of identity theft (or suspect you have), contact the police and file an identity theft report.

Return to top

Use a Safer Browser

Your Choice Matters

Your choice of web browser can make a difference in your ability to protect yourself online. Whichever browser you choose, the most recent will usually have improved security features and/or have known security issues patched.

Internet Explorer is not recommended for most routine surfing and browsing sites on the Web. While Internet Explorer may be convenient, it is tightly integrated into Windows and any security issue in any Microsoft product puts your computer at risk.

Firefox Recommended

Firefox's warning page for a reported attack site

Firefox is a much safer browser to use. As an independent program it is less vulnerable to cross-program security issues while still able to perform the intended functions and call to outside features like email programs.

Have a look at some of the built-in security features of Firefox:

Firefox works to protect your privacy, provide more secure browsing, ensure that plugins are updated and more. Hundreds of addons and customizations allow you to create the browsing experience you want and need without compromising your safety or security.

Return to top

What is Identity Theft?

Reporting Identity Theft | Protect Your Identity | Other Resources

Identity theft, in a nutshell, is the obtaining of information about you that will enable someone else to impersonate "you" — allowing them to steal in your name.

Identity theft is, unfortunately, a rapidly growing crime.

It Used to Be Harder

Obtaining personal information is much easier than it used to be.

At one time you had to go to your bank, speak to a real person who would then compare your signature with a physical sample stored at the bank to ensure that you were who you said you were before releasing funds or a providing new credit card.

Today, Information is Too Easily Accessed

These days credit card applications appear unsolicited in your mailbox and are easily available online. Verification depends upon electronic data rather than hard copies (original documents in the teller's hand). Convenience of inter-branch banking and online transactions has led to poorer security.

Passwords — Your Electronic Signature

Many people using electronic verification technology don't really understand it and view it as something that is imposed upon them rather than something for their own protection.

In most cases your user name (sometimes spelled username) is either your email address (or in the case of your email account, the part before the @ symbol). That makes the user name either public or easy to guess, so all your security depends upon the password.

Unfortunately, many folks don't take their passwords seriously. They worry that they'll forget a password, so they make it simple and use the same one over and over again.

You'd never leave a series of signed blank cheques unsecured. Your passwords are just as important. More about effective passwords….

Lack of Knowledge is Your Undoing

Folks don't really understand the risks of using an obsolete email program like Outlook Express (targeted by spammers and phishers because it is still frequently used even though it doesn't contain sufficient protection for the user).

These programs are the electronic equivalent of a skeleton key and are both "easy to use" and ineffective in providing protection.

Just as seat belts, car alarms and ignition keys are inconvenient, Internet security is too. But they also share the provision of protection otherwise unavailable.

Treat Computer Security Like You Would Your Car's Security

You probably wouldn't leave your car unlocked while unattended on a late Friday night in a crime-ridden area of town with the keys in the ignition and the windows rolled down. And if you were foolish enough to do so, you shouldn't be surprised to find it gone when you returned.

Have the same respect for the protection of your computer, especially when in the bad area of town (the Internet) where anonymity provides opportunities to take advantage of your ignorance.

Return to top

Protect Your Identity

Everyone is Gathering Information

Everyone is collecting information about you. They want all the tools at their disposal to get you to buy their products and services. If they can get your email address, they can send their advertising right to your inbox. If they know your marital status and how many children you have they can identify potential markets.

See how to opt out of being placed in these lists and well as how to get off these lists if you didn't ask to be put on them in the first place.

Beware of Phone Callers

Do not converse or do business with companies phoning you.

If YOU contact your credit card company to request information, they will ask you for your credit card number and may ask other personal information to verify your identity. This is normal — they need to verify that they are speaking to someone authorized to obtain information about your credit or to make changes.

However, if you didn't initiate the call, the caller has no right to expect you to provide such information.

Don't Give Away Unnecessary Information

Personal Information

Do not release the following personal information, since it is your identity when you conduct business on-line:

Be careful about releasing billing addresses and employment information as well. While the successful completion of many credit card transactions requires that the shipping address match the credit card's billing address, this information is not necessary for other transactions.

"Innocent" Information Dangerous

Take Care When Posting on Social Media Sites

People sometimes post things on Facebook or other social media (as well as mention over the phone) without thinking about the consequences.

Watch that you don't reveal the sort of information that allows you to recover a lost password as this is usually something you should remember, but strangers wouldn't, (unless you post it on Facebook):

Being "In the Cloud" Has Risks

Cloud computing (“in the cloud”) is becoming more important as we go more mobile with our computing using smart phones, tablets and other portable devices to conduct business on the go.

While it may free you to access your information anywhere at any time, it also provides the same access to anyone on the Internet (and to the employees of the company providing the service). Hacking of these networks have become very common:

Return to top

Reporting Identity Theft

Begin Immediately

If you suspect you've been the victim of identity theft, the sooner you act, the sooner you can begin to resolve the issue.

You should file a report with the police and with credit reporting agencies:

Reporting identity theft or fraudulent transactions on your credit card(s) to the credit reporting agencies helps to prevent further abuse, particularly if someone tries to open credit in your name. You are entitled to one free credit report each year which discloses who has made requests for your credit report as well as allowing you to dispute errors.

Remember, it will likely be harder to prove identity theft than to execute it, hence the long warnings on this page.

Watch for Unauthorized Purchases

If you do receive bills for unauthorized credit cards or are billed for goods or services you did not receive (particularly from a foreign country) you may have to file a report with your financial institution(s) and to the police.

Return to top

Other Phishing & Identity Theft Resources

More About Phishing

More information about identity theft and how to prevent it is found on these sites:

More About Phishing

The following sites deal more with the issue of phishing.

Return to top

More About Related Issues

Protecting Your Online Identity

The following related pages offer more information about protecting your online identity:

Securing Your Computer

The following related pages offer more information about securing your computer:

Return to top

www.RussHarvey.bc.ca/resources/identitytheft.html
Updated: February 12, 2014