Anyone with an e-mail account has at some point received phishing or scam e-mails. These range from Nigerian princes to local banks requesting funds, assistance and so on. Some of these e-mails may be legitimate (sans the Nigerian prince); however, most of them are examples of a common technique known as phishing. Phishing scams are used by fraudsters to obtain your personal information, such as credit card details, usernames and passwords, banking details and so on.
A friend of mine recently received an e-mail from his bank informing him that “his account was accessed from a blacklisted location and he should update his account information to avoid termination of services”. On opening the link, it presented him with a login form identical to that of the bank's net-banking portal. Only this form asked for information such as Corporate ID, User ID, Login Password, Transaction Password, Mobile Number, Email Address and Email Password.
Anytime you receive such e-mails, you should keep the following in mind:
Banks will never ask you to provide account or other personal identification information via email.
Banks will never ask you to click a link in order to keep your account open.
Banks will never threaten to take immediate action unless you perform an act such as clicking a link etc.
Banks will never ask you to login with your e-mail account username & password.
Today, this sort of attack is commonly carried out against e-mail accounts and social networking accounts, and even as targeted attacks against corporate users.
Here are 5 simple steps one can take to avoid becoming a victim of such phishing attacks:
1. Avoid clicking links in phishing or scam mails and instead manually type them in a browser
Scammers often use links such as “baank.com” instead of the legitimate website “bank.com”. So it is recommended that you manually type the website address into the browser rather than clicking links in the e-mail.
In the case where the e-mail seems urgent, you can always call the bank and confirm whether the e-mail was really sent by them.
2. Check the sender address in the phishing or scam mails
Scammers usually send phishing mails from addresses like “[email protected]” or “[email protected]”. So we can easily identify a phishing mail by making sure that the email received is from a legitimate sender.
You can refer to any previous e-mails sent by your bank and cross-reference the address in the suspicious e-mail.
3. Verify SSL (https://) authenticity on phishing or scam links
Generally, phishing links either have no SSL or use an invalid SSL certificate. This can be verified by simply viewing the link in the address bar of your browser and checking whether it starts with https:// instead of http://.
If the SSL certificate is not valid, then your browser will immediately show an error, in which case you need to stop browsing the link and report the e-mail to your bank.
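As an added example (not code from the original post), the following Python script applies checks 1 to 3 above to a link and a sender address taken from an e-mail: it flags links that are not https://, domains that merely look like the bank's (the “baank.com” case), and sender domains the bank does not use. The trusted domain `bank.com` and the sample links and addresses are constructed values.

```python
from urllib.parse import urlparse
import difflib

# Constructed for this example: the registrable domain(s) the reader's bank really uses,
# taken from earlier genuine e-mails or the bank's printed material (hypothetical value).
TRUSTED_DOMAINS = {"bank.com"}

def registrable_domain(host):
    """Reduce a hostname to its last two labels: 'netbanking.bank.com' -> 'bank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_link(url, trusted=TRUSTED_DOMAINS, threshold=0.75):
    """Checks 1 and 3 from the post: is the link https, and is its domain really the bank's?
    Returns a list of warnings; an empty list means no red flag was found."""
    if "://" not in url:
        url = "http://" + url  # a bare link in an e-mail opens as plain http
    parsed = urlparse(url)
    domain = registrable_domain(parsed.hostname or "")
    warnings = []
    if parsed.scheme != "https":
        warnings.append("link does not use https://")
    if domain not in trusted:
        # difflib similarity catches near-miss spellings such as 'baank.com' vs 'bank.com'
        for good in trusted:
            if difflib.SequenceMatcher(None, domain, good).ratio() >= threshold:
                warnings.append(f"'{domain}' looks like '{good}' but is a different domain")
                break
        else:
            warnings.append(f"'{domain}' is not a known domain of the bank")
    return warnings

def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Check 2 from the post: the domain after '@' must be one the bank sends from.
    (A displayed From address can be forged, so this only catches the obvious cases.)"""
    sender_domain = address.rpartition("@")[2]
    if sender_domain and registrable_domain(sender_domain) in trusted:
        return []
    return [f"sender domain '{sender_domain.lower()}' is not a known domain of the bank"]

if __name__ == "__main__":
    for link in ("http://baank.com/login", "https://netbanking.bank.com/", "https://example.org/"):
        print(link, "->", check_link(link) or "no red flags")
    for sender in ("alerts@bank.com", "security@bank-secure.com"):
        print(sender, "->", check_sender(sender) or "no red flags")
```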
Examples of SSL certificate errors in Firefox, Chrome and Internet Explorer are shown below:
4. Avoid replying with sensitive information to phishing or scam mails
Banks will never ask you to provide account or other personal identification information via email. Any e-mail pressuring you to do so is most likely not legitimate and should be reported to your bank.
Banking details and login credentials should be communicated via telephone or through the legitimate website using proper SSL communication.
5. Keep your anti-virus up-to-date to detect and block phishing or scam mails
Most antivirus vendors have signatures that protect users against some common phishing attacks. Hence it is recommended that your anti-virus be kept up-to-date so that it has the latest signatures and rule sets.
Also, it can prevent things such as a Trojan disguising your Web address bar or mimicking an https secure link. If your antivirus software is not up-to-date, you are usually more susceptible to attacks that can hijack your Web browser and put you at risk for phishing attacks.
Security Brigade is CERT-In empanelled and was founded on the core belief that "Great audits are done by great auditors - not expensive tools". Our proprietary E.D.I.T.E platform provides a workflow-based testing engine that encapsulates the complete audit process. It allows expert auditors to focus on in-depth manual testing while assisted by a combination of proprietary, open-source and commercial technology.