What's phishing? How to be safe?

Discussion in 'Support informatique' started by isitien, 15 November 2005.

  1. isitien

    Introduction


    Here's a quick update on 'phishing', something that you may have read
    about, and hopefully not yet encountered. While it does not apply to our
    work environment (i.e. all our internal software and processes are safe),
    you may be affected by phishing when you enter into on-line transactions.
    It is good to know what this is and how to protect oneself. So please read
    on ...


    What's phishing? How to be safe?

    Phishing scams have rocked Internet users for some time now. But phishing
    attacks especially intensified in 2004, making them a very serious
    emerging threat that rides on the surge of e-commerce and e-banking
    transactions through fraudulent means.

    What is phishing?

    Phishing means sending an e-mail that falsely claims to be from a
    particular enterprise (like your bank) and asking for sensitive financial
    information. Phishing is sending out a 'bait' in the form of a spoofed
    e-mail that closely mimics most bank notifications. The fraudulent mail is
    socially engineered to convince recipients to divulge sensitive
    information such as credit card numbers, PINs, social security numbers and
    other such information.

    Some phishing mails include a legitimate-looking URL that actually
    conceals the phishing URL, or the site where the stolen information is
    stored, while some include an image, which when clicked, directs the
    affected user to the phishing site. There are ways to 'spoof' an e-mail so
    that it appears to have come from someone other than the person who is
    actually sending it. An e-mail can be spoofed by tweaking the settings of
    e-mail clients like Outlook Express, Netscape Messenger and Eudora. E-mail
    spoofing is a popular way of scamming on-line.

    How to be safe: Here are the ways in which you can keep yourself safe
    from phishing scams:

    Be wary of e-mail messages that ask for personal or financial information
    such as user names and passwords, credit card numbers, and other sensitive
    personal information, especially those that are alarming and upsetting in
    tone.

    Do not click any links inside an e-mail that is suspected to be spoofed.
    Instead, go directly to the valid company's site then log on from there or
    call the company directly.

    Ensure that any Web site visited is secure when submitting sensitive
    information such as credit card numbers. One indication that a Web address
    is secure is if it starts with https:// rather than http://. Another
    indication is a padlock icon at the bottom of the screen, which when
    clicked, displays a security certificate.

    Ensure that your browser is up-to-date and security patches are always
    promptly applied. For IE (Internet Explorer) browsers, a special patch
    relating to certain phishing schemes can be downloaded at
    http://www.microsoft.com/security/.

    Avoid opening any file attachments of suspected phishing e-mail messages
    as it might execute a 'malware' programme that can steal personal
    information.

    Consider installing a browser extension such as SpoofStick which can help
    detect a spoofed Web site. This utility is available at:
    http://www.corestreet.com/spoofstick/

    Consider installing security software such as those offered by anti-virus
    specialists, which can help detect malware programmes (antivirus), filter
    spam (spam filters), and/or ensure secure Internet usage (firewalls).
    These kinds of software can help pre-empt any damage to your system and
    can help protect you from hackers and scammers alike.

    Knowledge is still the best protection from getting scammed. It is
    important to educate oneself on Internet fraud. There are several Web
    sites dedicated to giving free education regarding Internet fraud.

    If you receive any suspicious e-mail but are unsure of what to do, please
    contact the nearest IT Manager!

    How to find out if an e-mail is genuine

    However, finding out whether an e-mail is genuine or not is not very
    difficult. Every e-mail message contains headers that have the following
    information:

    Origin, which shows information about the machine that sent it,
    Relay, which shows the sender machine relaying it to another, and
    Final destination, which shows the machine that receives it, the IP
    address and the domain name.

    Check out this URL: http://www.lse.ac.uk/itservices/help/e-mailheader.htm
    for an example of what the different things in an e-mail header mean.

    By learning how to identify what the header components are you can
    distinguish whether an e-mail is genuine or spoofed.

    Most phishing attacks targeted Citibank, covering a little more than
    half of the entire phishing incidence recorded. Citibank has banking,
    lending, and investment services worldwide, making it a prime target for
    these types of attack. US Bank, one of the largest financial services
    holding companies in the United States, comes in second in the list of
    most targeted banks, with 21 per cent. Suntrust (one of the largest
    commercial banking institutions in the US) and Ebay (an international
    on-line "marketplace") are next on the list with 10 per cent and 8 per
    cent, respectively.

    A legitimate financial institution will never ask for details of your
    account via an e-mail. You must never e-mail financial information over
    the Internet as it is not a secure method for transmitting such sensitive
    information.

    You must also not divulge any sensitive personal information, whatsoever,
    on-line or by email or on MSN Messenger/Yahoo Messenger or by whatever
    other means.

    In case of any further concerns and queries about this, please let me
    know.


    Thanks.
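The header walk described above under "How to find out if an e-mail is genuine" (origin, relay, final destination), as an added example that is not part of the original post. It parses the Received chain of a constructed sample message with Python's standard library and reports the mismatches a reader would look for; the host names, addresses and domains are made up for the example.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample (not from the post): a spoofed bank alert. Received headers read top-down: first = destination's stamp, last = true origin.
SAMPLE = """\
Received: from relay.isp.test (relay.isp.test [198.51.100.7])
\tby mx.recipient.test with ESMTP id 42; Tue, 15 Nov 2005 10:00:05 +0000
Received: from [203.0.113.45] (helo=mail.example-bank.test)
\tby relay.isp.test with SMTP; Tue, 15 Nov 2005 10:00:01 +0000
From: "Example Bank" <alerts@example-bank.test>
Reply-To: verify@example-bank-login.test
To: customer@recipient.test
Subject: Urgent: confirm your account

Please confirm your PIN at http://203.0.113.45/login
"""
# "from <host> (<reverse DNS / HELO info>) by <host>" as stamped by each relay
HOP_RE = re.compile(r"from\s+(\S+)(?:\s*\((.*?)\))?\s+by\s+(\S+)")

def parse_hops(raw):
    # Returns the relay chain in header order; the last element is the origin.
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(value)
        if m:
            hops.append({"from": m.group(1).strip("[]"), "info": m.group(2) or "",
                         "by": m.group(3)})
    return hops

def domain_of(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    # Origin / relay / destination checks from the post; an empty list means clean.
    msg = email.message_from_string(raw)
    hops, claimed = parse_hops(raw), domain_of(msg["From"])
    if not hops or not claimed:
        return ["no Received headers or no From domain: cannot trace the message"]
    findings, origin = [], hops[-1]
    if claimed in origin["info"] and claimed not in origin["from"]:
        findings.append("origin claims %s in HELO but is really %s" % (claimed, origin["from"]))
    if not any(h["by"].endswith(claimed) or h["from"].endswith(claimed) for h in hops):
        findings.append("no hop passed through a mail server in %s" % claimed)
    reply = domain_of(msg["Reply-To"])
    if reply and reply != claimed:
        findings.append("Reply-To domain %s differs from From domain %s" % (reply, claimed))
    return findings
```

Run `spoof_indicators(SAMPLE)` to list the three mismatches in the sample; a message whose origin really is a host in the From domain and that carries no foreign Reply-To returns an empty list.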