Tech Society: Don’t get hooked into the “phishing” net

Beware! You’ll come across an online crook sooner or later...


Noman Ansari December 14, 2011



Several years ago, I received an alarming email from what appeared to be e-commerce giant, PayPal, regarding my account, which stated that ‘suspicious activity’ had been noticed, and that my account had been ‘compromised’. Addressing me correctly by my full name, the email told me that time was of the essence, and that I should follow the link provided at the end of the email, to login, and verify my information immediately.


With a large sum of money resting in my account, I blindly followed instinct (read: panicked), and quickly clicked the link in the email. Next thing I knew, I was on what looked exactly like the PayPal login page, complete with my correct email address neatly placed in the login box. All that was required from me was to type in my password and hit the ‘enter’ key to enter my account.

Which I almost did. But out of the blue, something didn’t feel quite right. Suddenly, a word popped up in my head like a warning bell. Phishing!

I studied the login page, trying to figure out what it was about the webpage that felt so off. I glanced at the fonts, and noticed that they seemed ever so slightly different from what I was used to on the website. I then looked up at the address bar, and the realization hit me like a hammer: rather than saying ‘paypal’, the URL was simply a dubious string of numbers.

Quickly, I closed the page, typed the correct URL myself, and logged in, to discover to my relief that the status of my account was perfectly normal. It then dawned on me that someone had gone through some trouble to try and get access to my password, and that I was extremely lucky not to have given it away.

Luckily, I had already been aware of the concept of ‘phishing’, which probably helped raise warning signs in my head, but millions haven’t been so lucky. In a Gartner, Inc. survey conducted in 2007, it was estimated that in the 12 months leading up to August 2007, 3.6 million U.S. adults were the victims of such attacks, and the US lost an estimated 3.2 billion in that period overall to such strikes. Meanwhile, in 2005, in the United Kingdom, it is estimated that phishing-related web bank fraud has resulted in losses of £23.2m.

In June 2011, Google disclosed that it had discovered and disrupted a spear phishing campaign — a phishing attempt which targets large organisations — to steal hundreds of Gmail passwords and monitor the accounts of prominent people, including senior government officials.

Similar tactics were also used in an attack on a company called RSA Security, which security experts say may have given hackers the tools to carry out a serious intrusion last month at Lockheed Martin — the world’s largest military contractor.

What exactly is ‘phishing’, you ask? Well, pronounced ‘fishing’, it is a method for online crooks to access sensitive information like credit card details and login information for e-commerce and banking websites, typically by disguising emails and instant messages to lead unsuspecting users to counterfeit websites. Not only that, but some phishers have actually faked entire phone banking systems to gain access to users’ account and PIN numbers.

Companies are constantly taking steps to combat this threat to electronic commerce. For instance, modern day browsers now come equipped with anti-phishing safeguards, yet in the end, the biggest weapon against such attacks is user awareness.

If you are wary of falling prey to such attacks, then remember that vigilance is the majority of the battle. Whether you are about to use an e-commerce website like PayPal, or conduct online banking on a website like Citibank, always enter the URL of that website yourself, and never, under any circumstances, use a link from a piece of electronic correspondence.
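The two warning signs the column describes, a host that is a bare string of numbers and a page that claims to be a brand without sitting on that brand’s own domain, can be checked mechanically before a link is ever clicked. The following script is an added example written for this page, not code from the author or from PayPal; the list of official domains and the sample links are constructed for illustration, and the numeric hosts use the RFC 5737 documentation ranges.

```python
"""Inspect a link for the phishing tells described above: a host that is a bare IP
address, or a URL that mentions a brand without being on that brand's own domain."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, hypothetical allow-list of the registrable domains each brand really owns.
# A defender would maintain this from the institution's published information.
OFFICIAL_DOMAINS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'login.paypal.com' -> 'paypal.com'.
    Simplification: production code should consult the Public Suffix List so that
    suffixes such as 'co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url, brand):
    """Compare a link against the brand the message claims to come from.
    Returns the parsed host, its registrable domain and a list of human-readable
    warnings. An empty list means no sign was found, not that the link is safe."""
    if "://" not in url:
        url = "http://" + url  # treat a bare 'host/path' the way a browser would
    parts = urlsplit(url)
    host = parts.hostname or ""
    official = OFFICIAL_DOMAINS.get(brand, set())
    warnings = []

    if parts.scheme != "https":
        warnings.append("connection is not HTTPS")

    if "@" in parts.netloc:
        # Everything before '@' is user info; the real host is what follows it.
        warnings.append("URL contains '@': the real host is the part after it")

    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False

    if is_ip:
        # The column's own tell: a string of numbers where a domain name should be.
        warnings.append("host is a bare IP address rather than a domain name")
        reg = host
    else:
        reg = registrable_domain(host)
        if reg not in official:
            warnings.append(f"registered domain '{reg}' is not an official {brand} domain")

    # Lookalikes put the brand name somewhere other than the registered domain,
    # e.g. in a subdomain, the path, or the user-info part of the URL.
    if reg not in official and brand in (parts.netloc + parts.path).lower():
        warnings.append(f"'{brand}' appears in the URL but is not the registered domain")

    return {"host": host, "registrable_domain": reg, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    for link in [
        "https://www.paypal.com/signin",
        "http://203.0.113.45/paypal/login.php",
        "https://paypal.com.example.net/login",
        "https://www.paypal.com@198.51.100.7/",
    ]:
        result = inspect_url(link, "paypal")
        print(link, "->", result["warnings"] or ["no warning signs found"])
```

Note that the check only confirms what the address bar shows; it does not replace the column’s advice to type the institution’s URL yourself, and a link with no warnings can still belong to a domain the allow-list simply does not know about.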

If you are ever suspicious of a website or an email, you can report any concerns to the legitimate companies through the proper channels, by arming yourself with information on how to address your concerns. For example, if you receive an email from PayPal, which you wish to ensure is real, you can simply forward said email to spoof@paypal.com for confirmation. In the end, keep in mind that the greatest defense against phishing is to simply not take the bait.

Published in The Express Tribune, December 10th, 2011. 
