Reprinted from Triangle Technical Journal
You're checking your email and amongst the various offers to help you get rich in a month, lose 30 pounds in a week, and enlarge your assets — there's one from your bank, Citibank to be exact. And it reads something like this:
…This email was sent by the Citibank server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Citibank ATM/Debit card number and PIN that you use at the ATM…
So you click on the Web link and are taken to what appears to be the Citibank Web site — and being Web savvy, you even check that the address shown in your browser's address bar looks like Citibank's. Reassured by its apparent authenticity, you enter your ATM card number and PIN. And you have just been scammed — Phish On!
That's right — you have just “given” your personal authentication information to a professional cyber criminal who is now happily skipping down identity theft lane. And you aren't alone — the Federal Trade Commission reported that 9.9 million US residents have been victims of identity theft during 2003, costing businesses and financial institutions $48 billion and consumers $5 billion in out-of-pocket expenses.
Phishing, also referred to as brand spoofing or carding, is a variation on “fishing,” the idea being that bait is thrown out with the hopes that while most will ignore the bait, some will be tempted into biting. The scam uses email messages that appear to come from legitimate businesses that one might have dealings with — banks such as Citibank and Wells Fargo; online organizations such as eBay and PayPal; Internet service providers such as AOL, MSN, Yahoo, and Earthlink; and insurance agencies. The messages look authentic and include corporate logos and formats similar to the ones used for legitimate messages. And as we've seen, they ask for verification of certain information, such as account numbers and passwords. And because these emails look so official, up to 20% of the recipients may respond to them.
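One practical check that follows from the description above is to look at where each link in the message really points, rather than at the brand name shown in the link text or the sender's logo. The following Python script is an added example written for this page; it is not from the original article or from any bank or anti-phishing product. It parses the anchors out of an HTML e-mail and flags every link whose destination host is not the claimed brand's domain or a subdomain of it. The sample message, the brand domain `citibank.com`, and the two look-alike destinations are constructed for the example: one uses a long subdomain that merely begins with the brand name, and one uses the URL userinfo syntax (`user@host`), which the article does not discuss but which shows why the check must parse the hostname instead of searching the URL string for the brand name.

```python
"""Flag links in an HTML e-mail whose real destination is not the brand the mail claims to be from."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample for this example, modelled on the message quoted in the article.
# All three destinations are made up: a documentation-range IP and an .example domain.
SAMPLE_EMAIL = """
<p>This email was sent by the Citibank server to verify your email address.</p>
<p><a href="http://www.citibank.com.verify-account.example/login">https://www.citibank.com/</a></p>
<p><a href="http://www.citibank.com@203.0.113.10/cgi-bin/login">Click here to verify</a></p>
<p><a href="https://online.citibank.com/help">Help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, or None
        self._text = []     # visible text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url):
    """Return the lowercase host a browser would actually connect to, or '' if none.

    urlparse().hostname strips any userinfo ("user@") and port, so
    "http://www.citibank.com@203.0.113.10/" resolves to "203.0.113.10".
    """
    return (urlparse(url.strip()).hostname or "").lower()


def is_brand_host(host, brand_domain):
    """True when host is brand_domain itself or a subdomain of it.

    A suffix match on ".brand_domain" is used deliberately: a plain substring
    match would accept "www.citibank.com.verify-account.example".
    """
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_links(html, brand_domain):
    """Return every link whose destination host is not under brand_domain.

    Anchors with no host at all (relative links, mailto:) are reported too,
    since a bank's verification link should never be one.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = hostname_of(href)
        if not is_brand_host(host, brand_domain):
            findings.append({"href": href, "text": text, "resolves_to": host})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "citibank.com"):
        print(f"SUSPICIOUS: text={finding['text']!r} -> host {finding['resolves_to']!r}")
```

Run on the sample, the script reports the first two links and passes the third; the first is caught because the real host only starts with the brand name, the second because the brand name sits in the userinfo part of the URL and the browser would connect to the IP address after the `@`. The check is a heuristic, not a verdict: it will not catch a phisher who controls a genuinely similar-looking domain or who hides the link behind a redirect on a legitimate host, which is why the article's own advice, treating any unsolicited request for credentials as suspect, still comes first.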
Phishing attacks soared 60 percent in February 2004, with 282 distinct attacks reported worldwide that month compared with 176 in January, according to the Anti-Phishing Working Group.
So who are some of the lures? Financial services is the most targeted industry, with most major banks in the US, the UK, and Australia having already been impersonated to their customers in phishing attacks. Most recently, Wells Fargo was the victim of two phishing attacks in which customers were sent emails telling them that an important message was waiting in the bank's online system and that, to read it, they had to click on a link and enter personal information about their accounts. With 104 separate phishing attacks, eBay was the most common single target of phishing in February, followed by Citibank and PayPal.
To avoid getting hooked by a phisher, the FTC, the nation's consumer protection agency, offers this guidance:
In the end, you should be suspicious of any email that asks you to verify confidential information. The idea is for each of us to be cynical and ask: “Why would my bank/retailer/ISP/insurance company/etc. be sending me this email?” The truth of the matter is that no reputable company will blindly ask for account information through email or phone. Our most potent weapon against phishing scams is to be educated customers.