MoMusings

Thursday 11th November, 2004


Gone Phishing, Back Later, as You!

Filed under: All, Scams

This is the first in a series of short introductory articles which will focus on specific threats:

Phishing has, over a short period of time, become a major source of identity theft. To help combat this, and to aid understanding, this short article will explain what (in general) Phishing is and how it works:

Gone Phishing

If you are a customer of HSBC and received an e-mail which says it comes from:

HSBC Bank plc users-billing04@hsbc.co.uk

Which has the subject of: !Attention all HSBC Bank plc users

And the e-mail body looks like this:

What would you do?

Would you follow the instructions or would you send it to the bit-bucket (bin it)?

Those of you who decided to follow the instructions and click on the link would not go to the official HSBC site to verify your details. Instead you would, in this case, be redirected to a web server run by phishers* and hosted in Austin, Texas. Any data you entered there would be used by the phishers to empty your bank account. Scary, huh?

During 2004 the phenomenon of phishing has exploded. For example, the rate of phishing grew by 4,000% between November 2003 and the end of April 2004 alone.

If you think that people don’t fall for this scam then you are rather deluded: it is known that the average Phish trawl nets 5% of those who were offered the bait… hook, line and sinker!

What is Phishing?

Phish is an old term to describe accounts that have been hacked. Phishing is the term used to describe attempts to steal financial credentials from customers of financial corporations and online services.

In its simplest form phishing is social engineering: it involves sending the intended victim an e-mail that looks as if it has come from their bank or other financial institution or online service, such as PayPal, eBay or an ISP. The e-mail then encourages the intended victim to disclose confidential information such as login credentials, pass phrase or other account details. The perpetrators then use this data to make fraudulent withdrawals or purchases by impersonating the victim (identity theft).

All the major UK (as well as many international and other foreign) banks and Building Societies have been targeted in 2004 and use of this technique shows no current sign of slowing. To combat this type of fraud a working group** has been set up to share information, to identify the size and cost of the problem, and finally to find and implement an industry-wide solution (or solutions) to the problem.

So, remember, if it smells or looks phishy, don’t swallow the bait or you’ll be the one landed and your account will be phished-out. If in doubt contact your bank or building society.

More details, statistics and advice can be found here: http://www.antiphishing.org

[*] Those that run phishing scams such as the one shown in this article.
[**] APWG (Anti-Phishing Working Group)

