Security Awareness Tips: Phishing

Posted on Thursday, October 12, 2017


What is “phishing”? Phishing is the act of sending an authentic-looking fake e-mail to a user, in which the sender claims to be a legitimate bank, financial institution, or recognized business. The sender’s aim is to trick the user into disclosing private information that will be used for identity theft. A phishing e-mail contains a link that directs the user to visit a Web site where the user is asked to update personal information, such as passwords and credit card, social security, and bank account numbers that the legitimate organization already has. The Web site appears identical to the legitimate one, but is a well-crafted fake set up only to steal the user’s information. Variations will open the legitimate business or bank Web site, and then open a small parasitic “logon and password” pop-up window on top of it to steal credentials.

Some phishing e-mails even contain an inline form that the user is supposed to fill out and submit to “update” their account. Clicking the “Submit” button sends the data to an Internet form-hosting site where the criminal has set up an account, and the information is then e-mailed to them.

How can I identify a phishing e-mail?
• Most legitimate business institutions will not send out requests for personal information of this nature via e-mail. Be suspicious of any requests that you do receive.
• Your e-mail address may not be in the “To:” field, may not be personalized, or may be included with other e-mail addresses.
• The e-mail may have a sense of urgency, insisting that you act immediately to prevent financial loss or account termination.
• The e-mail may contain grammar, spelling, or formatting errors.
• The link in the e-mail may be similar to but not exactly the same as the legitimate site (e.g., http://www.update-royalbank.ca instead of http://www.royalbank.ca).
• The link may direct you to an Internet Protocol (IP) address instead of a name (e.g., http://132.246.162.100/update.html).
• The link may look legitimate but contain special HyperText Markup Language (HTML) code or JavaScript that hides where the user will actually be taken when the link is clicked.
• The whole e-mail may actually be an image, with a link hidden behind it that differs from the one shown in the picture.
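The link-based signs listed above, and the inline-form trick described earlier, can be checked mechanically before anyone clicks. The script below is an added example (not part of this page or of any product it refers to): it parses an HTML message body and flags lookalike domains, raw IP-address links, visible URLs that differ from the real link target, image-only links, script links, and forms that submit to a third-party host. TRUSTED_DOMAINS and the sample message are assumptions constructed for the example; royalbank.ca appears only because the page uses it as the legitimate site.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader actually does business with (assumption for this example).
TRUSTED_DOMAINS = {"royalbank.ca"}

# Matches a URL that appears as visible link text (the URL the reader sees).
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Return the lowercase host of a URL, or '' if it has none."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    """True when the link goes to an IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_trusted(host):
    """True for a trusted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_trusted(host):
    """Untrusted host that embeds a trusted brand name (e.g. update-royalbank.ca)."""
    if is_trusted(host):
        return False
    bare = host.replace("-", "").replace(".", "")
    return any(d.split(".")[0] in bare for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect <a href> elements (with visible text) and <form action> targets."""

    def __init__(self):
        super().__init__()
        self.links = []   # dicts: href, text, has_image
        self.forms = []   # form action URLs
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "has_image": False}
        elif tag == "img" and self._current is not None:
            self._current["has_image"] = True
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_phishing_indicators(html):
    """Return (indicator, detail) tuples for one HTML e-mail body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        href, text = link["href"], link["text"].strip()
        host = host_of(href)
        if href.lower().startswith("javascript:"):
            findings.append(("script-link", href))
            continue
        if is_ip_literal(host):
            findings.append(("ip-address-link", href))
        if looks_like_trusted(host):
            findings.append(("lookalike-domain", host))
        shown = URL_IN_TEXT.search(text)   # visible URL vs. real target
        if shown and host_of(shown.group(0)) != host:
            findings.append(("text-href-mismatch", f"{shown.group(0)} -> {href}"))
        if link["has_image"] and not text and not is_trusted(host):
            findings.append(("image-only-link", href))
    for action in parser.forms:
        if host_of(action) and not is_trusted(host_of(action)):
            findings.append(("external-form", action))
    return findings


# Constructed sample message exhibiting several of the signs listed on the page.
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<a href="http://www.update-royalbank.ca/login">http://www.royalbank.ca/login</a>
<a href="http://132.246.162.100/update.html"><img src="cid:button"></a>
<a href="javascript:window.open('http://example.net/')">Verify now</a>
<form action="http://forms.example.net/submit"><input name="pin"></form>
"""

if __name__ == "__main__":
    for kind, detail in find_phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind:20} {detail}")
```

A message that only links to a trusted domain, with visible text matching the target, produces no findings; the sample above produces six. The brand-name check is deliberately coarse (it strips dots and hyphens before looking for the trusted label), which is what catches registrations such as update-royalbank.ca that a strict suffix match would miss.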

What should I do if I don’t know whether an e-mail is legitimate? Contact the legitimate business by phone or via the contact e-mail address on their Web site, and ask if they sent it.

How can I protect myself from phishing?
• Question any e-mail that looks suspicious.
• Do not follow links in unexpected e-mails.
• If you’re unsure, enter the Uniform Resource Locator (URL) into the browser bar manually.
• Before entering any personal information on a Web site, ensure it’s a secure Web site with “https://” at the start of the URL (instead of “http://”), and that the small lock icon is visible in the bottom status bar.
• Install an anti-virus software package and ensure it updates itself frequently.
• Ensure your computer’s operating system and software are patched against any security vulnerabilities.
• Install a pop-up blocker to stop parasitic windows from opening.

I just entered my banking information into what may be a phishing site. What should I do now?
• Thieves generally use stolen credentials within hours of receiving them, so contact your bank immediately. Your bank will tell you how to proceed.
• If you entered information that could be used to apply for credit in your name, call the credit bureau and ask it to place an advisory on your record.
• Scan your computer for key loggers, Trojans, and other malware.

Are there other ways to protect myself from identity theft?
• Regularly check your bank and credit card statements to ensure all purchases are legitimate.
• Regularly check the balances of all your online accounts.
• When using credit and debit cards, watch carefully to ensure they are not being “skimmed” - i.e., put through an illegal card reader to record the information on the magnetic stripe.
• Never write down your PIN - memorize it. It’s your electronic signature.
• Never disclose your PIN to anyone. No one from a legitimate financial institution, police service, or business should ask for your PIN.
• Avoid using obvious numbers like your birth date, phone number, or address for a PIN.
• Never lend your debit or credit cards to anyone.
• Shred any credit and debit card slips that have account information on them before throwing them into the trash.
• Shred any credit/loan/car rental applications before throwing them in the trash or recycling bin. This includes the personalized junk-mail applications that your bank sends you.