PHISHING

We are already in the age of information. DATA, DATA and more DATA. Those who have troves of DATA manipulate it to their own end without batting an eye as to the effects this may cause to others. Why do we trust online acquaintances with all our information and yet we are wary of giving even our names to people we just met at a social event? This 'blind trust' is what drives the phishing fraud. AND also makes us criminals by association, since we "follow" anybody who wants to connect with us either on Twitter, Facebook, Google+, LinkedIn and the plethora social media we have around us. Can you imagine if the Security Authorities knocked at your door today and asked you to accompany them to the Police Station to shed more light about your association with the, say, 5 of your 30,000 followers on Twitter? Many people still think that the internet is a remote commodity. No, sir/madam, it is real, and can put you in trouble.

What is PHISHING and how can we identify or detect it before we are phished?

In simple terms, it is theft of personal information like credit card details, and bank data. Officially it is defined as:

1. A method of identity theft carried out through the creation of a website that seems to represent a legitimate company. The visitors to the site, thinking they are buying something from a real business, submit their personal information to the site. The criminals then use the personal information for their own purposes, or sell the information to other criminal parties.

2. Identity theft is the crime of obtaining the personal or financial information of another person for the sole purpose of assuming that person's name or identity to make transactions or purchases. Identity theft is committed many different ways. Some identity thieves sift through trash bins looking for bank account and credit card statements; other more high-tech methods involve accessing corporate databases to steal lists of customer information Once they have the information they are looking for, identity thieves can ruin a person's credit rating and the standing of other personal information.

How does it work?

A classic example of phishing is an identity thief setting up a website that looks like it belongs to a major bank. Then, that thief sends out many emails that claim to be from the major bank and request the email recipients to input their personal banking information (such as their PIN) into the website so the bank may update their records. Once the scammer gets a hold of the needed personal information, they attempt to access the victim's bank account.

Types of identity theft include criminal, medical, financial and child identity theft. In criminal identity theft, a criminal misrepresents himself as another person during arrest to try to avoid a summons, prevent the discovery of a warrant issued in his real name or avoid an arrest or conviction record. In medical identity theft, someone identifies himself as another person to obtain free medical care. In financial identity theft, someone uses another person's identity or information to obtain credit, goods, services or benefits. This is the most common form of identity theft.

Many people think that because they don't have money, it doesn't matter if their identities are 'stolen' since the thieves will steal nothing from them. BUT, think about it; if someone has access to your identity, they can use it to apply for loans online, use it to abuse others, extort money and do any and all manner of mischief which will put you on the line for arrest, or worse, murder, if they mess with the wrong people. In short, we all need to be wary of phishing emails.

So, how can we detect them and stop them on their tracks before they cause us untold damage?

Don’t trust the display name

A favorite phishing tactic among cybercriminals is to spoof the display name of an email. Return Path analyzed more than 760,000 email threats targeting 40 of the world’s largest brands and found that nearly half of all email threats spoofed the brand in the display name. 

Here’s how it works: If a fraudster wanted to spoof the hypothetical brand “My Bank,” the email may look something like:

Since My Bank doesn’t own the domain “secure.com,” DMARC will not block this email on My Bank’s behalf, even if My Bank has set their DMARC policy for mybank.com to reject messages that fail to authenticate. This fraudulent email, once delivered, appears legitimate because most user inboxes only present the display name. Don’t trust the display name. Check the email address in the header from—if looks suspicious, don’t open the email.

Look but don’t click

Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don’t click on it. If you want to test the link, open a new window and type in website address directly rather than clicking on the link from unsolicited emails.

Check for spelling mistakes

Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Analyze the salutation

Is the email addressed to a vague “Valued Customer?” If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.

Don’t give up personal information

Legitimate banks and most other companies will never ask for personal credentials via email. Don’t give them up.

Beware of urgent or threatening language in the subject line

Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”

Review the signature

Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details.

Don’t click on attachments

Including malicious attachments that contain viruses and malware is a common phishing tactic. Malware can damage files on your computer, steal your passwords or spy on you without your knowledge. Don’t open any email attachments you weren’t expecting.

Don’t trust the header from email address

Fraudsters not only spoof brands in the display name, but also spoof brands in the header from email address. Return Path found that nearly 30% of more than 760,000 email threats spoofed brands somewhere in the header from email address with more than two thirds spoofing the brand in the email domain alone.

Don’t believe everything you see

Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it’s legitimate. Be skeptical when it comes to your email messages—if it looks even remotely suspicious, don’t open it.

Phishing attacks are more rampant than ever before, rising by more than 162 percent from 2010 to 2014. They cost organizations around the globe $4.5 billion every year and over half of internet users get at least one phishing email per day.

The best defense companies have against phishing attacks is to block malicious emails before they reach customers with the DMARC (Domain-based Message Authentication Reporting and Conformance) standard. Brands must also work with a vendor that can offer email threat intelligence data revealing attacks beyond DMARC (e.g., attacks that spoof their brand using domains outside of the company’s control).

Unfortunately, no matter what companies do, some phishing emails will always make it to the inbox. And those messages are extremely effective—97% of people around the globe cannot identify a sophisticated phishing email. That’s where customer education comes in.

Ref: Harvard University Computing Services,

www.returnpath.com