Friday, September 2, 2011

Beware of Phishing while doing online transactions

There have been increasing incidences of phishing recently, targeting the customers of leading banks throughout the world.

The modus operandi of the attacks, how they are perpetrated to obtain personal credentials from unsuspecting customers, and how to avoid becoming a victim of such attacks are given below.

Phishing Fraud

What is Phishing?

Phishing (pronounced "fishing") is an act undertaken by fraudsters to gain your private and sensitive information through emails that appear to be sent by your Bank. Such fake emails encourage you to click on a link in the email which leads you to a fake website with a similar look and feel to the Bank's authentic website. It is designed to capture your personal confidential account information such as Customer ID, IPIN, Credit/Debit Card number, Card expiry date, CVV number, etc.

Customers' email addresses are obtained or purchased by the fraudster through non-trusted sites where the customer has revealed his email ID through casual browsing, or has shared it in chat rooms, blogs, mailing lists, etc.

How do the fraudsters operate?
  1. Fraudsters send spoofed emails, appearing to be sent by the customer's Bank, to a large number of recipients with an urgent tone that calls for quick action to verify, update or reveal your confidential account information by clicking on a link in the email.
  2. Once the recipient clicks on the link in the email, he is diverted to a fake website with a similar look and feel to the Bank's original website.
  3. The customer is presented with a web form asking him to divulge his confidential account information, i.e. customer ID, IPIN, Credit/Debit Card numbers, Card expiry date and CVV number, etc.
  4. Once the unaware customer reveals his confidential account information on the fake website, he may be redirected to the authentic website of the Bank to suppress any suspicion arising in the customer's mind. This is how the customer's identity is compromised.
  5. These confidential account details or identity credentials are then used by the fraudster to gain access to the customer's account and commit fraudulent transactions.

How do you identify a fake / phishing email?
  1. The fraudster may use the customer's Bank's email address, domain name, logo, etc. to give an authentic look to the fake email.
  2. Do not rely on the name and source in the "From" field of the email, as it may easily be manipulated by the fraudster to show a valid email account of the customer's Bank.
  3. Such fake emails will usually address you with a generic salutation such as "Dear Customer", "Dear Net Banking Customer" or "Dear xxx Bank Customer".
  4. Very often, such fake emails are poorly drafted and may have spelling or grammatical mistakes.
  5. Such fake emails will always encourage you to click on a link to verify or update your confidential account information.
  6. The links embedded in such fake emails may sometimes look authentic, but when you move the cursor/pointer over the link, there may be an underlying link/URL to a fake website.

Security Guidelines for safe online banking

    1. Keep your passwords confidential
    2. Avoid using simple passwords and use strong passwords
    3. Change the passwords periodically and whenever you feel that your password has been compromised or made known to anybody accidentally
    4. Destroy the password/pin mailer after changing the password/pin
    5. Use the virtual keyboard displayed on the login screen to enter passwords
    6. Avoid accessing online banking websites from cybercafés/shared networks
    7. Upgrade the Operating System (OS) of your computer promptly, as newer/upgraded versions help make your system more secure.
    8. Use newer/upgraded versions of browsers, as they are regularly updated to block phishing sites and alert you before you access them.
    9. Install antivirus software on your computer systems and update it continuously, as this will reduce the risk of virus attacks.
    10. Installing a personal firewall provides an added level of security.
    11. Any potential risk caused through pop-up windows may be eliminated by removing spyware or adware installed on your system using spyware/adware removal tools.
    12. Avoid downloading from unknown/unfamiliar sources. Such downloads may contain Trojans, other malicious programs, worms or viruses that compromise your system security.
    13. Disconnect your internet connection when not in use. This avoids unnecessary access to the information on your systems and helps protect you even if you have a personal firewall installed.
    14. Logout completely after using the online application, i.e., by clicking the logout button and closing the browser windows.
