How To Avoid Phishing Scams

You receive an official-looking e-mail that says your bank is concerned about attempts to access your online bank account using an incorrect password, and that it needs you to verify your information. You click on the link (conveniently provided), and what looks like a bank website appears in your browser. You enter your user name and password. Then, a few weeks later, transactions you know nothing about start appearing on your bank or credit card statement. What happened?

“The short answer is that you fell for a phishing attack.”


What are phishing scams?

Phishing is a technique in which criminals try to trick people into disclosing their sensitive information, particularly online banking login information. It is often, but not always, conducted through targeted spam e-mails that link or direct people to a bogus website.


Assuming you don’t spot the deceptive email and do click on the fraudulent link, what happens on the fake website that allows the bad guys to defraud you?

There are two possible scenarios:

In the first scenario, you are directed to a fraudulent website that attempts to silently install malicious software on your computer in the background (provided you are not using a portable device or you don’t have a good anti-virus/anti-spyware program). This software could then record all of your keystrokes, including the username and password that you use to log in to your online banking.

In the second scenario, you are directed to a fraudulent website that typically asks you to enter your user ID and password for the legitimate website you think you are looking at (again, note that the fake phishing site may be a perfect copy of the real site it is masquerading as). When you enter the information, the fake site captures and stores it.

The phishers can then use the information to get access to your account. Or – as often happens in today’s increasingly sophisticated computer crime world – the phishers who specialize in gathering such information simply sell it to others who specialize in using it to defraud people.

Normally, once the phishing site has captured your information, it can simply show you an error message that claims your login failed. Some sites will then shunt you to the legitimate website of the company the phishers are impersonating, where you will try again and log in successfully, suspecting nothing other than a little slip of the fingers when entering your password. With others, you’ll just keep getting the error message until you give up.

The end result can be anything from a few illegitimate charges against an account to wholesale identity theft.


What are some ways people can protect themselves from these scams?

  1. The first thing is to ensure you have a good and reliable anti-virus or anti-spyware program on your computer. Most of the good ones will alert you if you inadvertently click on a link in your email and your web browser ends up on a malicious website.
  2. Be suspicious of any e-mail or even text messages containing urgent requests for personal or financial information (financial institutions and credit card companies normally will not use e-mail or texting to confirm your personal information).
  3. Never e-mail personal or financial information to anyone.
  4. Avoid embedded links in an e-mail claiming to bring you to a secure site.
  5. Get in the habit of looking at a website’s address line and checking whether it displays something different from the address mentioned in the email.
  6. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. Some financial institutions can now notify you via email every time there is a purchase associated with your bank account, providing that extra level of security. This is something you can check into with your bank.

Are there any online resources people can check with to help educate them on this hot topic?

Yes, for sure. The RCMP has dedicated a page that deals with phishing scams including some helpful facts, examples, and contact information for anyone interested in further following up on this topic. I’ve shortened the address to make it easier to remember and it is: http://tiny.cc/phishing.


Resources:

  1. Canadian Anti-Fraud Centre
  2. Public Safety
  3. Canadian Bankers Association
  4. Visa
  5. Mastercard
  6. American Express
  7. CIBC
