Phishing is an attempt to trick people into giving up their usernames, passwords, credit card numbers and other useful information through a fake website.

NetCom, DNB and Nordea have all experienced phishing attempts. Phishing is typically carried out by sending an e-mail to the potential victims, instructing them to follow a link to the fake website.

To reply or not reply, that’s the question

The website users are directed to looks and feels almost like the legitimate one, for instance that of one of the companies mentioned above. Users are then instructed to fill out some sort of form, asking for anything from usernames and passwords to bank details. The perpetrators will of course then use this information in various ways. So how can this be prevented? There are several technical approaches: secure connections indicated by https, the padlock or colour coding in the address bar; making sure of which site you are actually on, for instance by typing in the address you know to be correct instead of following hyperlinks; and certificates, which indicate which authority vouches for the site being what it claims to be. The problem is that for every technical measure presented, there are several ways to manipulate one's way around it.

Anyone who administrates your accounts already has access to the information they need. Any respectful organisation would therefore never ask for this kind of information.
Prof. Iain Sutherland

What to do

So what to do? I would say that the answer is to educate the users. There are a number of things one can check in order to recognise and prevent phishing attacks:

  • You can look at the sender and evaluate how likely it is to be a legitimate sender.
    - The challenge with this is of course spoofed senders.

  • You can look at the hyperlink or URL provided in the e-mail, to see whether it looks legitimate.
    - The challenge being that the visible text of a hyperlink can be altered to camouflage its real target.

  • You can check the e-mail for personal information such as your username or part of your account number.
    - The challenge being that attackers can personalise their e-mails too.

  • Check the e-mail for spelling or wording errors.
    - The challenge is that the attackers may be well educated.
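The first two checks in the list above, the sender and the hyperlinks, can be automated to a degree, and doing so also shows where they fall short. The following is an added example and not code from the original article: a Python script that parses a constructed phishing e-mail, compares the sender's display name and domain against a list of domains the recipient actually does business with, and compares the visible text of each hyperlink with the host it really points to. The trusted-domain list, the two sample messages and the finding codes are assumptions made up for this example.

```python
"""Heuristic sender and hyperlink checks over a constructed phishing e-mail."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this recipient legitimately receives mail from.
TRUSTED_DOMAINS = {"dnb.no", "nordea.no", "netcom.no"}

# Constructed sample: a phishing e-mail of the kind the article describes.
# The display name and the link text both claim DNB; the address and the
# link target do not belong to dnb.no.
SAMPLE_EMAIL = """\
From: DNB Customer Service <service@dnb-security-login.com>
To: victim@example.com
Subject: Your account has been locked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer 4512****,</p>
<p>Please verify your identity at
<a href="http://dnb.no.account-verify.ru/login">https://www.dnb.no/login</a></p>
<p>Or read our <a href="https://www.dnb.no/sikkerhet">security advice</a>.</p>
</body></html>
"""

# Constructed sample: a legitimate message, for contrast.
LEGIT_EMAIL = """\
From: DNB <noreply@dnb.no>
To: victim@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Log in at <a href="https://www.dnb.no/">https://www.dnb.no/</a> to read it.</p>
</body></html>
"""


def brand_of(domain):
    """The brand token a trusted domain is known by, e.g. 'dnb' for 'dnb.no'."""
    return domain.split(".")[0]


def is_trusted_host(host):
    """True only for a trusted domain or a real subdomain of one.
    'dnb.no.account-verify.ru' fails: its registrable domain is account-verify.ru."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def mentions_brand(text):
    """Brand tokens that appear anywhere in the text (case-insensitive)."""
    text = text.lower()
    return [brand_of(d) for d in TRUSTED_DOMAINS if brand_of(d) in text]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return (finding, detail) pairs for the sender and hyperlink checks."""
    findings = []
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    domain = sender.domain.lower()

    # Check 1, the sender: a brand named in the display name or in the domain
    # that the address does not actually belong to is the classic spoof.
    if not is_trusted_host(domain):
        if mentions_brand(sender.display_name):
            findings.append(("SENDER_BRAND_MISMATCH",
                             f"{sender.display_name!r} sent from {domain}"))
        if mentions_brand(domain):
            findings.append(("SENDER_LOOKALIKE_DOMAIN", domain))

    # Check 2, the hyperlinks: compare what the text shows with where it goes.
    parser = LinkCollector()
    parser.feed(msg.get_content())
    for href, text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        shown = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown and shown != target:
            findings.append(("LINK_TEXT_MISMATCH", f"shows {shown}, goes to {target}"))
        if mentions_brand(target) and not is_trusted_host(target):
            findings.append(("LINK_LOOKALIKE_HOST", target))
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing sample", SAMPLE_EMAIL), ("legitimate sample", LEGIT_EMAIL)):
        print(name, "->", analyze(raw) or "no findings")
```

Note what the script does not do: it cannot tell a forged From header from a real one (the spoofed-sender problem), it says nothing about personalisation, and it only catches link camouflage when the anchor text itself looks like a URL. That is the article's point in miniature: the checks help, but an attacker who knows them can route around every one, so the decision not to reply with credentials remains the only measure that does not depend on spotting the trick.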

However, experiments and research suggest that most people are not very good at paying attention to such details. So when the best security measure boils down to whether one should reply or not, keep the following in mind:

Anyone who administers your accounts, whether a bank account, a customer account, an e-mail account or your network user account, already has access to the information they need. Any respectable organisation would therefore never ask for this kind of information by e-mail, so you should NEVER give up such information in this way.