Introduction Here's a quick update on 'phishing', something that you may have read about, and hopefully not yet encountered. While it does not apply to our work environment - i.e. all our internal software and processes are safe, you may be affected by phishing when you enter into on-line transactions. It is good to know what this is and how to protect oneself. So please read on ... What's phishing? How to be safe? Phishing scams have rocked Internet users for some time now. But phishing attacks especially intensified in 2004, making them a very serious emerging threat that rides on the surge of e-commerce and e-banking transactions through fraudulent means. What is phishing? Phishing means sending an e-mail that falsely claims to be from a particular enterprise (like your bank) and asking for sensitive financial information. Phishing is sending out a 'bait' in the form of a spoofed e-mail that closely mimics most bank notifications. The fraudulent mail is socially engineered to convince recipients to divulge sensitive information such as credit card numbers, PIN, social security numbers and some such information. Some phishing mails include a legitimate-looking URL that actually conceals the phishing URL, or the site where the stolen information is stored, while some include an image, which when clicked, directs the affected user to the phishing site. There are ways to 'spoof' an e-mail so that it appears to have come from someone other than the person who is actually sending it. An e-mail can be spoofed by tweaking the settings of e-mail clients like Outlook Express, Netscape Messenger and Eudora. E-mail spoofing is a popular way of scamming on-line. How to be safe: Here are the ways in which you can keep yourself safe from phishing scams: Be wary of e-mail messages that ask for personal or financial information such as user names and passwords, credit card numbers, and other sensitive personal information, especially those that are alarming and upsetting in tone. Do not click any links inside an e-mail that is suspected to be spoofed. Instead, go directly to the valid company's site then log on from there or call the company directly. Ensure that any Web site visited is secure when submitting sensitive information such as credit card numbers. One indication that a Web address is secure is if it starts with https:// rather than http://. Another indication is a padlock icon at the bottom of the screen, which when clicked, displays a security certificate. Ensure that your browser is up-to-date and security patches are always promptly applied. For IE (Internet Explorer) browsers, a special patch relating to certain phishing schemes can be downloaded at http://www.microsoft.com/ security/. Avoid opening any file attachments of suspected phishing e-mail messages as it might execute a 'malware' programme that can steal personal information. Consider installing a browser extension such as SpoofStick which can help detect a spoofed Web site. This utility is available at: http://www.corestreet.com/spoofstick/ Consider installing security software such as those offered by anti-virus specialists, which can help detect malware programmes (antivirus), filter spam (spam filters), and/or ensure secure Internet usage (firewalls). These kinds of software can help pre-empt any damage to your system and can help protect you from hackers and scammers alike. Knowledge is still the best protection from getting scammed. It is important to educate oneself on Internet fraud. There are several Web sites dedicated to giving free education regarding Internet fraud. If you receive any suspicious e-mail but are unsure of what to do, please contact the nearest IT Manager! How to find out if an e-mail is genuine However, finding out whether an e-mail is genuine or not is not very difficult. Every e-mail message contains headers that have the following information: Origin, which shows information about the machine that sent it, Relay, which shows the sender machine relaying it to another, and Final destination, which shows the machine that receives it, the IP address and the domain name. Check out this URL: http://www.lse.ac.uk/itservices/help/e-mailheader.htm for an example of what the different things in an e-mail header mean. By learning how to identify what the header components are you can distinguish whether an e-mail is genuine or spoofed. Most phishing attacks from targeted Citibank, covering a little more than half of the entire phishing incidence recorded. Citibank has banking, lending, and investment services worldwide making it a prime target for these types of attack. US Bank, one of the largest financial services holding companies in the United States, comes in second in the list of most targeted banks, with 21 per cent. Suntrust (one of the largest commercial banking institutions in the US) and Ebay (an international on-line "marketplace") are next on the list with 10 per cent and 8 per cent, respectively. A legitimate financial institution will never ask for details of your account via an e-mail. You must never e-mail financial information over the Internet as it is not a secure method for transmitting such sensitive information. You must also not divulge any sensitive personal information, whatsoever, on-line or by email or on MSN Messenger/Yahoo Messenger or by whatever other means. In case of any further concerns and queries about this, please let me know. Thanks.