03. Phishing and networking
Threat 4: Phishing
Victims are tricked into revealing personal details through ‘social engineering’, deceptive emails and fake websites that look just like the real thing. Major banks have been targeted, with fake emails leading consumers to websites that capture passwords and account details. Phishing has been around for at least five years but is still going strong. Criminals can even buy ‘Phishing attack kits’ over the internet. New types of phishing include:
- Pharming: The collection of personal information en masse via fake websites carefully crafted to appear genuine.
- SMiShing: Uses mobile phone SMS (text messages) to phish for information.
- Vishing: This uses voice over internet technology.
- Spear-phishing: Victims receive an email that seems to be from a trusted source, such as their employer’s IT department, asking for personal information or a password confirmation. One of the latest examples of this social engineering is where people receive an email saying they’ve been subpoenaed to attend court; when they open the attachment for more details, malware is installed.
What to do
Be wary of emails with links to websites such as banks, eBay, employment sites, PayPal – really any site asking for personal or financial information. Banks don’t ask for personal details via email. Some links aren’t what they appear – type the correct website address into your browser, rather than clicking on links.
Threat 5: Social networking sites
Consumer Affairs Victoria says the craze for social networking sites (like Facebook and MySpace) has led to a new generation of scams. Spammers are using Facebook to spread unwanted links to online shops, bogus lotteries and financial scams. The Privacy Commissioner sees social networking websites as one of the greatest challenges to online privacy.
“My office found that many people, particularly youth, tend to treat sites such as MySpace as a diary and think, for example, that only close friends are reading it, when this is often not the case,” the Privacy Commissioner says. “Identity theft may not necessarily involve the theft of your money, but others getting your details and logging into your social networking page and vandalising it or sending out messages in your name.”
What to do
Use settings that keep your details private, and restrict the details you post online. Recently, the dates of birth of Facebook members were published on the internet, after a programming flaw (which has since been fixed). The Australian Federal Police says such sites are a fertile ground for harvesting identity information. It warns of the risks of putting up details like your date of birth and photos and encourages members to ensure that people they’re interacting with are genuine ‘friends’.
Threat 6: Web 2.0
This term describes the internet’s evolution to a phase of increased information sharing and collaboration among participants. Its features include user-generated content, blogs, social networking and wikis. But Web 2.0 brings new risks. Some websites don’t have adequate security systems to prevent users from inserting malicious coding into web pages, exposing all site visitors to the risks.
Google says user-contributed content is one of the four most prevalent mechanisms used to inject malicious content into popular websites. Security experts are also concerned. “Blogs and wikis create the perfect environment for fraud attacks,” says Nick Ellsmore of IT security company SIFT. Graham Ingram of AusCERT agrees. “If we can’t secure what we have now, what will happen with Web 2.0?”
What to do
Think twice before following the links from blogs and user-generated content. Sites that allow anonymous posts are often riskier. CHOICE Online allows anonymous posts, but not links embedded in the text.