Only an Ungullible You Can Prevent Phishing

As I mentioned in a previous entry, I'm a computer security specialist by day, so I've spent a fair amount of time noodling on ways to help protect people from hackers. In particular, one problem that has become an escalating game of cat-and-mouse between hackers and banks is phishing. Phishing is when an email (or website, or voicemail system) claims to be a trusted source, such as your bank, and asks you to provide sensitive information - only it's not your bank - it's the bad guys - and you just gave them your online banking password. Doh!

Phishing results in thousands of stolen identities daily, and it erodes the trust that customers have in online banking. So banks are constantly adding new security technology to make these attacks more difficult, but phishers are constantly coming up

"Banks will never 100% solve the phishing problem... because it's not a technology problem."

with more clever ways to get around these controls. Will it ever end? Should you wait for your bank to solve this problem before you venture into online banking? I can tell you with absolute certainty that, no, banks will never 100% solve the phishing problem. Never ever! Why? Because it's not a technology problem, so there is no technology solution. Phishing is not a new problem - it's a new spin on an old problem - con games. And "con" is short for confidence, which means that phishers only need to trick people into being confident that they are communicating with their bank, when in fact they aren't. And there are an infinite number of creative, non-technical ways of playing such tricks.

So how can you protect yourself? Should you just give up and avoid the internet? Well to borrow a phrase from the 1970's Smokey the Bear, "Only an Ungullible You can prevent phishing." But how do we learn to be ungullible to phishing? If the phishers are so clever at coming up with new tricks, is there any hope that we can outsmart them? I believe it is possible with just three simple rules, but before I explain, let's start with a simple example of how phishing works.

Please complete the following sample exercise before continuing to Part II of this blog. In a real phishing attack, the phisher might pretend to be your bank and ask you to confirm your identity by providing your full credit card number. In this example, we are only asking for part of a real card number to make the example safe.

Phishing Exercise #1 Name of Issuing Bank: Last 4 digits: --- Card Type: -Visa -MasterCard -Discover -American Express Note: It is safe to use a real credit card in this example because... You are only giving part of your credit card #, not all of it There is no Submit button, so you aren't sending your data anywhere You may provide fake data if you still prefer, although some lessons from the example may not be as clear

After filling in the above example Phishing form, Click Here to continue with the rest of this blog...

Part II - April Fools!
Did you provide real credit card data in the above example? If so, then you just fell for a phishing attack (well, not literally, but it easily could have been real). I could have easily stolen your credit card number, and there is no technology that could have prevented it. Assuming you entered real credit card data in my form, you did so because I gained your confidence by telling you it was safe, and by providing false reasons for that safety:

• I told you the form was safe because you were only providing part of your card number. But this is false because you also gave me the name of the bank that issued your card and the card type, which can be used to determine the beginning numbers of a credit card.
  
  
• I told you the form was safe because there is no Submit button to actually send me the data on the form. But this is also false because a Submit button is not necessary to cause the form to send me your data. I could have just as easily used hidden JavaScript to cause your browser to send the form as soon as you clicked on the link to display the rest of this blog.
  

I assure you that the above form does not send me any data, but if I've made you a little nervous about the truthfulness of that, then good - that was the point - because from now on you will be much more cautious about what data you provide on the web. You will have already become more ungullible to phishing. As for further convincing you that I didn't collect any data from the above form, note that I didn't collect an expiration date or other data usually required to use a credit card. Beyond that, all I can suggest is to have a family member or friend who is knowledgeable in HTML (the language of web pages) review the source code of this blog and it will prove that no data was submitted.

So now you are little more cautious about using the web, or perhaps you already were. Good! But hopefully you aren't so scared that you refuse to do any online banking, or perhaps even refuse to use the internet at all. That wouldn't be very productive.

So how do we find that healthy balance between too gullible and too afraid to use the internet at all? I can give you three simple and easy to remember safeguards that will make you virtually impossible to phish. And you don't even have to remember all three! Each one, on its own, will significantly reduce the chances of you falling victim to phishing attacks. They are listed in order of importance, so if you can only remember one, remember the first one!

Three Simple Rules to Become Ungullible to Phishing Attacks

1. Don't Ever Click the Links
   Don't ever click on links or dial phone numbers that claim to be your bank and which arrived by email or by phone calls! Instead, manually type the address in your browser, or even better, use a bookmark that you saved in your browser. Phishers frequently send spam emails that pretend to be from your bank, and they include a link for you to click to log on to your online banking account, only it's really a link that takes you to the attacker's fake website. Although new technologies are being developed to help you identify these fake links, the phishers are very clever at making the links look real, so don't trust your eyes. Although less common, these emails may also include phone numbers for you to call, only it's a number to a fake call center. If you receive one of these emails and you know it is fake, just delete it. But if you aren't sure if it's real or fake, do not click on the link or call the number provided. Instead, manually type the address of your bank into your browser, or call your bank at the number listed on the back of your ATM card, as listed on their website (that you manually typed), or as listed in the phone book. If the important message you received by email or phone was real, then your bank will have a similar message waiting for you once you login or call them.
   
   
2. Don't Trust Their Identity If They Contacted You First!
   If you get a phone call or email from your bank asking for information about your account, how do you know it's really your bank, and not an impostor? What if they first provide you with some private data about your account? Does that prove it's your bank? Or is it maybe an attacker that has some of your personal data and is phishing for more? The only way to be sure is to hang up, and then call them back at a number you know belongs to your bank - NOT at a number the caller gave you.
   
   
3. Be Extra Skeptical of Unusual Requests For Sensitive Information!
   The example phishing form I used above was probably not a request that you had seen before, so it was an unusual request that you should have been weary of. Most phishing attacks also contain unusual requests. The email may claim that your bank is making changes to your account, and they need you to login and verify things. It may claim that if you don't login soon, your account will be deactivated. Or it might state that they think someone has fraudulently used your account and they need you to immediately login to verify that your account looks OK. Regardless of what the request claims, these requests are probably not something you have ever received before from your bank, which should make you doubly skeptical of them. Additionally, they frequently have a sense of urgency about them, which should make you even more skeptical of them. If your bank really needs to contact you urgently, they will do it by phone so that they can confirm your receipt of the message in a timely manner, not by email which may go unread for weeks.
   

And remember that these three rules apply not just to your online bank. Phishers most frequently target banks, but they may also try to gain access to your ebay account, myspace account, email account, or any other account. But as long as you remember and follow those 3 simple rules, you will be protected from virtually all forms of phishing attacks.

Congratulations!!! You are now an Ungullible internet user! If you are interested in reading more about how to protect yourself against phishing and many other types of internet fraud, Ungullible recommends the following books...