Recognizing Threats to Personal Data Online
A guide to identifying and avoiding "phishing," "spear phishing," pharming" and "vishing" scams.
Recent studies have shown that, despite the fact there have probably been "con artists" since people lived in caves, individuals are still falling victim to scams, especially in the new world of electronic commerce.
In the pre-computer era, people would fall victim to telemarketing scams -- sending cheques or providing credit card numbers in response to fraudulent sales campaigns. This type of fraud has now migrated to the Internet.
This fact sheet explains various "social engineering" attacks – "phishing," "spear phishing," "pharming" and "vishing" -- and offers suggestions to avoid becoming a victim.
Background: What is Social Engineering?
Social engineering is the art or practice of manipulating people in order to obtain confidential or sensitive data.
For the most part, people inherently want to be helpful or to trust those who have some form of authority, either due to their position within an organization (e.g., the CEO) or due to their expertise (e.g., staff from the IT department). Many people are curious or inquisitive and still others are greedy, hoping to "get something for nothing". Social engineers are students of human nature and understand how to exploit these tendencies.
Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he isn't, thus manipulating them into divulging personal information. Today’s social engineer uses technology to take advantage of people.
Some common social engineering schemes include:
- A person contacts you claiming to be a system administrator. He claims there are problems with your account and needs your password to fix it;
- A person contacts you claiming to be from a credit card company. He needs to verify your account and asks for your credit card number and expiration date;
- A person contacts you claiming to be a new staff member. He has forgotten his password and asks you to give him yours because he needs to get into the system very quickly or he'll be in trouble with the boss; and
- Someone from someplace far away wants to give you millions of dollars but needs your help, in the form of money for bribes, expenses, etc. in moving the money from there to here.
The basic goals of social engineering are the same as those of malicious hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
Variations on a Theme
(I) – Phishing
A "phishing" e-mail is one that pretends to be from a bank or a company such as eBay or Amazon.com. The e-mail asks you to login to your account and verify your account details, often claiming that suspicious activity has been observed on your account or that security upgrades have recently been implemented. A web link for this purpose is usually included in the e-mail. Clicking on the link takes you to a counterfeit web site that looks very similar to the legitimate one.
Unsuspecting victims are tricked into thinking they are logging in to the real web site. By hijacking well-known corporate brands, which individuals are inclined to trust, phishers obtain credit card numbers, account usernames, passwords and Social Insurance Numbers.
This gives the fraudsters enough information to gain access to your accounts or commit other crimes using your identity.
(II) – Spear Phishing
Social networking sites such as MySpace and Facebook have become a popular way to form online relationships. Users of these sites create accounts and are then able to customize a personal web page containing personal information such as pictures, videos, lists, descriptions and blogs.
One of the features of a social networking website is the ability to ‘link’ your page to your friends’ pages by creating a list of "friends." Friends can then use message boards (a type of e-mail feature included on the sites) to send and receive messages and "new friend requests." Because these social networking sites are centered on friend lists, there is an inherent trust factor built into them.
"Spear phishers" target users of a specific site or service (i.e. an online community), a social networking site such as MySpace, or users of a particular online message board, by masquerading as a member of that community.
They will often use the personal data contained on the individuals’ pages in order to customize their attacks, increasing the probability of gaining the trust of the target. Attacks can take the form of a message left in an inbox containing questions or links to other sites; or malicious code embedded in a web link that prompts users for information.
(III) – Pharming
Computers on the Internet identify each other by using their Internet Protocol addresses (e.g., 192.168.2.214), the rough equivalent of a telephone number or street address. It is difficult for people to remember these numbers so, just as telephone directories map names of people or businesses to phone numbers, the Domain Name System (DNS) maps computer addresses to a form that is easier to remember (e.g., Chapters.ca).
Now suppose a criminal wants to steal someone's account information. He sets up a counterfeit web site that looks just like that of a bank or other sensitive web site, duplicating the layout, colours, logos, seals, and so on. The criminal now needs to convince people to visit the web site and divulge sensitive information such as account numbers, passwords, etc.
How can he do this? The most common tactic is to use a phishing e-mail, but now that this is a relatively well-understood tactic, people are becoming much more cautious about clicking on the links in these e-mails.
"Pharming," on the other hand, is a less well-known form of attack. Pharming involves directly manipulating the DNS, changing the IP address of the target web site from its real IP address to the IP address of the fake website. In this way, the victim can enter the web address properly (i.e., by typing http://www.mybank.com into the web browser) and still be directed to the fake web site.
Note that this type of attack is possible even if the victim finds that he is directed to a secure site (that is, one with SSL protection) since the attacker can spoof web sites and produce fake SSL certificates. Because the fake certificates will appear legitimate, it is very difficult to detect whether the site is legitimate or not. Double-clicking on the lock icon will display the SSL certificate, showing who the certificate was issued to, who it was issued by and how long it is valid. To distinguish an impostor from the genuine article, you should carefully scan the security certificate for a reference to either "a self-issued certificate" or "an unknown certificate authority."
Other recommended protections against pharming attacks include installing either a good anti-phishing toolbar, or a web browser with anti-phishing features built into it (Internet Explorer 7, Firefox 2), or both. These tools will most often warn that the site certificate does not match the company name. They also use databases of known phishing scams to detect web sites that are illegitimate and issue warnings.
(IV) – Vishing
A lot of effort has been expended to educate users about Internet scams, so users are cautious about clicking on links from unknown senders. Fraudsters have responded by asking people to call a specified telephone number rather than click on a link. Victims call the number in the mistaken belief it belongs to their bank or credit card company. Instead, they are connected to a Voice over Internet Protocol (VoIP) phone that can recognize, and record, telephone keystrokes.
This relatively new tactic is called "voice phishing", or "vishing".
Vishing scams usually begin when the criminal obtains a standard VoIP number and then either configures an automated dialing system to call people with a pre-recorded message, or sends out standard phishing-style emails. In both cases, the message alerts unsuspecting target individuals that their credit cards have been compromised and that they should call a phone number immediately to correct the problem. The phone number is often a toll-free number with the spoofed caller ID of a legitimate financial company.
In the phone version of a vishing attack, a computer-generated voice instructs callers to enter their credit card number, expiration dates and verification codes.
The e-mail version of vishing relies on the idea that asking people to call a toll-free number will avoid the suspicion associated with clicking links in e-mails—a widely publicized source of transmitting viruses and other malware. Once the personal information is entered, the "visher" has the information necessary to place fraudulent charges on the consumer’s card.
Privacy Recommendations: What You Can Do To Protect Yourself
- Protect your computer by using a firewall, anti-virus software and other security measures. An increasingly common practice is the use of malicious code (viruses, worms and Trojan horses) to acquire the personal information needed to commit identity theft. Consider the use of an anti-phishing toolbar or anti-phishing enabled web browser such as Internet Explorer 7 or Firefox 2.
- Ensure your browser is up to date and that security patches have been applied. For example, Microsoft Internet Explorer browser users should immediately go to the Microsoft Security home page - http://www.microsoft.com/security/ - to download a special patch relating to certain phishing schemes.
- Be suspicious of e-mails from financial institutions, Internet service providers and other organizations asking you to provide personal information online. Reputable firms never ask for personal information in this manner. If you are at all uncertain, look up their phone number in the phone directory, or use the number printed on the back of the credit card or account statement, and call. Clues to fraudulent e-mails include a lack of personal greetings and spelling or grammatical errors.
- Never click on links in the e-mail or cut and paste them into your browser - chances are the link will take you to a fake web site. It is generally safer to log onto the web site directly by typing the web address in your browser.
- Always ensure you are using an authentic, secure web site when submitting credit card or other sensitive information. Start by typing the web address into the browser address bar manually. Once you are at the site, make sure you're on a secure web server by checking the beginning of the web address in your browser’s address bar - it should be "https://" rather than just "http://". There should also be a small yellow padlock symbol in the lower-right hand portion of your screen.
- Never call a telephone number provided in a phone call or an e-mail regarding possible security issues with a credit card or bank account. Only the phone number on the back of a credit card or bank statement is a valid number to discuss credit card account information.
- If any suspicious or unfamiliar "buttons" or other "clickable" items appear on a web site that you frequent, such as a MySpace page, do not click on them until you have verified their authenticity. (You can refer to the phishing sites listed in the next section to accomplish this). If you accidentally click one of these items do NOT provide any information that you may subsequently be prompted for. Spear phishers may have embedded malicious code directly in personal web pages.
- If, for any reason, you believe or suspect your personal information may have been compromised, contact the relevant institutions (i.e., your bank, credit card issuer, credit reporting bureaus, or utility provider) as soon as possible. If you believe a crime has been committed or attempted, you should also contact local law enforcement. You can also report any suspicious activity to one of the online organizations, listed in the next section, after contacting these authorities.
There are a number of organizations that provide education, awareness materials, and reporting facilities, as well as online archives of phishing and e-mail spoofing. These include:
- PhoneBusters (http://www.phonebusters.com; toll-free number 1-888-495-8501) is a national anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police. PhoneBusters is the central agency in Canada that collects information on telemarketing fraud, advanced fee fraud letters (letters from foreign countries, where the sender solicits help in moving money) and identity theft complaints.
- The Canadian Anti-Fraud Centre (CAFC) is the central agency in Canada that collects information and criminal intelligence on such matters as mass marketing fraud (e.g., telemarketing), advance fee fraud (e.g., West African letters), Internet fraud and identification theft complaints. If you suspect that you may be a target of fraud, or if you need more information, you can report an incident to the CAFC.
- The Anti-Phishing Working Group (APWG; http://www.antiphishing.org) is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing. The organization provides a forum to discuss phishing issues, trials and evaluations of potential technology solutions, and access to a centralized repository of phishing attacks. See their web site (above link) for statistics and examples of phishing e-mails.
- millersmiles.co.uk (http://www.millersmiles.co.uk), established in 2003, is an international source of information about spoof emails and phishing scams, with a vast library of real examples, including details and images of the e-mails themselves and related bogus web content. Note that millersmiles.co.uk is partnered with the Anti-Phishing Working Group.
- The SANS (System Administration, Audit, Network, Security; http://www.sans.org) Institute is a cooperative research and education organization. They also provide a number of free resources, including the SANS Ouch! newsletter, which shows how to avoid phishing and other scams plus viruses and other malware -- using the latest attacks as examples.
Note: A reference to a particular tool or vendor in no way implies this Office endorses that particular tool or vendor. These are provided for illustrative purposes only.
- Date modified: