1/6/09

30 Minute Security -- Phishing

Phishing has been around for quite some time now. I don't have a lead on the early history of phishing, but academically I'm sure I'll learn where it originated just to have an anecdote to talk about in class. In its simplest form, phishing is social engineering paired with technology: a message that impersonates a party you trust in order to trick you into handing over credentials or personal data.

The Con:

It's 7:30 a.m. and you log on to your e-mail for the first time that morning. Your head is fuzzy from all the partying you did the night before and the screen is a blur. There is a new message from your bank, marked urgent, with the subject in all caps: IMPORTANT NOTICE ABOUT YOUR ACCOUNT! This very authentic-looking e-mail says the bank has closed your account because of a security incident. Shocked, you immediately click the link in the message or call the number it gives. You are so distraught about your account (I have to go grocery shopping, I need the co-pay for my appointment today, I have bills to pay!) that you don't notice the link has taken you to an unrelated site, or that the voice on the phone sounds nothing like your bank (most call centers are outsourced anyway, right?). To "authenticate" you, they ask for your SSN, address, mother's maiden name, credit card number, PIN, and the security code from the back of your card.

"Thank you, sir, your account has been reactivated" is all you hear; or, when you click Submit on the page, perhaps you get a 404 Not Found error. Either way, you've just had your identity stolen.


How it works:


This type of social engineering plays on fear of disruption and on a hectic lifestyle. Nothing is more inconvenient than having all your finances screech to a halt and losing access to your money, and that is exactly the atmosphere the fraudster wants to create. In panic mode you bypass some level of logic: you don't stop to verify the telephone number or the web site address before entering your information to get your money back. Keep in mind that every contact point in the message (the link, the phone number, the reply address) was chosen by the attacker, so nothing inside the message can be used to verify the message.

How to fight this con:

When an e-mail disturbs you to this extent, sit back from the computer and take a deep breath. The key to deciding whether a message is legitimate is taking a few steps before acting on instinct.

Step 1: Do you even have an account at that bank? Phishers blast the same message to huge lists of addresses they have harvested online. Many of these e-mails hit public entities because staff addresses are posted on public web sites; if your address exists anywhere on the web, it is safe to say it will be harvested and you will receive messages like these until the end of time. If the message names a bank where you have no account, that is the first clue that it is a scam.

Step 2: If it is your bank, ask why an e-mail would be their first communication with you. Something as serious as an account closure usually warrants a phone call or a letter by post, and in practice you may not learn of it until your card is declined and you are forced to contact the bank yourself. Never call a number or click a link provided in an e-mail that asks for personal information. Instead, use the toll-free number printed on the back of your card or the contact information the bank gave you when you opened the account, and type the bank's web address into your browser yourself rather than following a link.

Step 3: Don't give out all your information unless you are positive you are talking to the right people. Any company has to verify that you are who you say you are, but a legitimate one will not ask for your most sensitive data. Expect the last four digits of your Social Security number, or the secret questions you set up when you opened the account; one good verification question is the amount of your last monthly payment. A legitimate institution will never ask you for your full set of information at once, and it will never ask for your PIN.
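The steps above rely on checking where a link really goes before acting on it. As an added example (not part of the original post), the script below pulls every anchor out of an HTML e-mail body and flags links whose visible text names one domain while the href points to another, or whose target is not the domain you expect for your bank. The sample message and the domain examplebank.com are constructed for illustration, and the "last two labels" domain comparison is a deliberate simplification that ignores public-suffix rules such as co.uk.

```python
"""Flag mismatched or off-domain links in an HTML e-mail body.

Added example, not code from the original post. The sample message,
the trusted domain and the domain heuristic are assumptions for
illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style body; not a real message.
SAMPLE_HTML = """
<html><body>
<p>IMPORTANT NOTICE ABOUT YOUR ACCOUNT!</p>
<p>Please log in at
<a href="http://secure-login.example.net/bank">https://www.examplebank.com/login</a>
to reactivate your account.</p>
<p>Or visit <a href="https://www.examplebank.com/contact">our contact page</a>.</p>
<p><a href="http://examplebank.com.verify-account.example.org/">examplebank.com</a></p>
</body></html>
"""

# Matches something that looks like a host name inside anchor text.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; scheme-less text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Crude heuristic (assumption): the last two DNS labels.

    Good enough to expose tricks like examplebank.com.attacker.example.org,
    where the real registrable domain is the tail, not the head.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, trusted_domain):
    """Return (href, text, reason) for every link worth not clicking.

    Two checks: the domain shown in the link text must match the domain
    the href really goes to, and the href domain must be the trusted one.
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_dom = registrable_domain(host_of(href))
        shown = DOMAIN_RE.search(text)
        if shown:
            text_dom = registrable_domain(shown.group(0))
            if text_dom != href_dom:
                findings.append((href, text,
                                 f"text says {text_dom}, link goes to {href_dom}"))
                continue
        if href_dom != trusted_domain:
            findings.append((href, text,
                             f"link goes to {href_dom}, not {trusted_domain}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML, "examplebank.com"):
        print(f"SUSPICIOUS: {reason!s}\n  text: {text}\n  href: {href}")
```

Run against the sample, two of the three links are flagged: the one whose text shows a bank URL but whose href goes to example.net, and the one that hides the real domain at the end of a long host name. The genuine contact link on the bank's own domain passes. This is a reading aid, not a verdict: a link that passes still deserves the Step 2 treatment of reaching the bank through a channel you chose yourself.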

The big thing in this situation is not to act on impulse. Step back, and contact the bank through a channel you chose (the number on your card, the address you type yourself), never one the message handed you.
