Phishing Guidelines
Step 1: Protect your desktop
Keep your system up to date. Use automatic updates to fix security
vulnerabilities. Use anti-virus and anti-spyware software with live updates. If
you know how to use a personal firewall, install one as well. Keep your system
settings at a protected level so that automatic execution of unknown
applications is disabled.
Step 2: Use only reputable applications
Many Internet scams install themselves on your machine as part of seemingly
legitimate applications. Therefore, before executing or installing new
applications, make sure that they are safe. Never execute an application
received from an unknown entity. If you received an application from someone
you know, confirm with the sender that it is safe and that it was really sent by
him, not by someone else using his address. When an application automatically
tries to execute itself and you are asked to confirm, be suspicious, and if you
are not sure, do not confirm the execution.
Step 3: Protect yourself from submitting personal and confidential information
to scammers using CallingID for the Internet
CallingID automatically detects phishing scams in real time using 52
verification tests. In addition, it automatically provides you with valuable
information: who owns the site you visit and whether that owner is a real
organization. When you see that the entity that will receive your data is
different from what you expected, or that there is a potential risk in sending
information to that site, you should rethink. CallingID provides all the
information you need to decide whether it is safe to submit personal and
confidential data to a site before the data is submitted.
Myth 1: Educated users can detect that an email is phishing
Over the last year, as awareness of phishing has increased, people have
improved their phishing detection skills. However, the problem still exists.
The percentage of victims is lower than a year ago, but when the messages are
so professional, and look like the real messages we all receive now and then,
they are easily taken for genuine.
A few examples:
- Phishing is most successful among people over 65. Many of these people trust
  the messages they receive unquestioningly.
- Messages showing familiar personal details, such as a real address or the
  names of family members, an employer or a co-worker, are perceived as
  legitimate. Many people respond to questionnaires by providing personal
  details about their employment or family members. These details may later be
  used as personalized phishing "bait".
- Messages that relate to an action recently taken, such as bidding in an
  auction and losing the bid, may instigate sophisticated phishing messages
  offering the same item at the same bidding price.
Myth 2: Spam filters and anti-phishing filters can detect phishing messages
Spam filters and anti-phishing filters can reduce the number of phishing
messages but cannot stop them. Filtering personalized messages requires complex
technology, and the scammers are usually one step ahead of the filters.
Myth 3: Using lists of phishing URLs can automatically protect users from
phishing
Lists of phishing URLs help when a user tries to access a site that has already
been detected. There are two main problems with this approach:
- It takes time to detect a phishing site and to update the list. During that
  time users are exposed to phishing attacks from the site. Since the lifetime
  of a phishing site is short (most sites disappear within 24 hours), a delay
  of a few hours in detecting a site enables it to trap phishing victims.
- Most of the sites are not detected within a reasonable time. Every day more
  than 400 new phishing sites appear, many of them in places that are difficult
  to monitor. Good lists detect 150-200 new sites daily.
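The following is an added example, not CallingID's code, that models the
exposure window described above: a list-based filter can only block a site from
the moment it is listed, so every visit before that (or to a site that is never
listed) goes through. The hostnames, hours and visit pattern are constructed.

```python
# Added example (not CallingID's code): toy model of blocklist lag.
# All hostnames, hours and lag values below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PhishSite:
    host: str                   # constructed placeholder hostname
    live_at: float              # hour the site went live
    listed_at: Optional[float]  # hour it reached the blocklist, None if never
    gone_at: float              # hour the site disappeared


def is_blocked(site: PhishSite, hour: float) -> bool:
    """A list-based filter can only block a site once it has been listed."""
    return site.listed_at is not None and hour >= site.listed_at


def exposure_hours(site: PhishSite) -> float:
    """Hours during which the site was live and visits were not blocked."""
    if site.listed_at is None or site.listed_at >= site.gone_at:
        return site.gone_at - site.live_at   # never blocked while alive
    return site.listed_at - site.live_at


def blocked_fraction(visits: List[Tuple[PhishSite, float]]) -> float:
    """Share of victim visits the list would have stopped."""
    stopped = sum(1 for site, hour in visits if is_blocked(site, hour))
    return stopped / len(visits)


# Constructed sample: each site lives about a day; the list catches one
# quickly, one only after it is gone, and one never.
SITES = [
    PhishSite("bank-login.example", live_at=0.0, listed_at=3.0, gone_at=24.0),
    PhishSite("auction-win.example", live_at=2.0, listed_at=26.0, gone_at=20.0),
    PhishSite("secure-update.example", live_at=5.0, listed_at=None, gone_at=30.0),
]
# Constructed visits: one every four hours to each site while it is live.
VISITS = [(s, h) for s in SITES
          for h in range(int(s.live_at), int(s.gone_at), 4)]

if __name__ == "__main__":
    for s in SITES:
        print(f"{s.host}: exposed for {exposure_hours(s):.0f}h")
    print(f"visits blocked: {blocked_fraction(VISITS):.0%}")
```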
Myth 4: The site is responsible for protecting its users from phishing
Although sites have a liability to protect users when they log into their
accounts on the web, a site is not responsible for direct losses when users did
not take reasonable steps to protect themselves, and it is never responsible
for indirect losses. Users must protect themselves. Even if some direct money
losses are reimbursed, the bad personal feeling, the time and energy spent, and
the rehabilitation of reputation and credit history make it a traumatic
experience.
Myth 5: All anti-phishing solutions are not effective
Most anti-phishing solutions are not effective. Only CallingID for the Internet
automatically protects users from becoming scam victims. This solution
automatically detects known phishing scams in real time. In addition, it
automatically provides the user with valuable information: who owns the site
receiving the information he submits, and confirmation that this owner is a
real organization. When the user sees that the entity receiving the information
is different from what he expected, or that there is a potential risk in sending
information to that site, he should rethink. CallingID provides all the
information the user needs to decide whether it is safe to submit personal and
confidential data to a site before the data is submitted.
Myth 6: The site is not responsible when users become Internet scam victims
Although sites post disclaimers that shift responsibility to the users, the US
Federal Deposit Insurance Corporation (FDIC) announced two recommendations for
financial institutions that let their customers manage bank accounts over the
Internet, transferring the liability to the institution. A June 2005
recommendation calls for a reliable form of authentication when customers
access their accounts online: if an institution offers retail customers remote
access to Internet banking or any similar product that allows access to
sensitive customer information, the institution has a responsibility to secure
that delivery channel. Specifically, the widespread use of a user ID and
password for remote authentication should be supplemented with a reliable form
of layered security so that the security and confidentiality of customer
accounts and sensitive customer information are adequately protected. A July
2005 recommendation suggests that institutions mitigate the risks associated
with spyware: "financial institutions should consider all risks to private
customer information and take appropriate steps to mitigate those risks."
The recommendations can be found at
http://www.fdic.gov/news/news/financial/2005/fil6605.html
and
http://www.fdic.gov/news/news/financial/2005/fil6605.html.
Myth 7: Token authentication and shared secrets protect against Internet fraud
attempts
One-time passwords used by two-factor authentication (token) solutions and
shared-secret solutions are exposed to man-in-the-middle attacks. When a
phishing site acts as a proxy during the login process, the user cannot tell the
difference between the real site and the phishing site: the phishing site
relays to the user's machine exactly the data the real site sends, and whatever
the user enters is relayed to the real site with minimal delay. Once the login
to the account is completed, the operator of the phishing site holds a session
logged in with the victim's identity and can take control of the account and
transfer money from it.
Myth 8: Client-based anti-spyware and anti-phishing solutions can protect
against Internet scams
Anti-spyware solutions provide limited protection. They protect against many
common spyware programs and Trojans; however, they cannot detect key-loggers
and screen capture in real time. Phishing attempts also come in many variations,
including DNS spoofing, which is very difficult to detect. Only a combination of
client and server can protect the user.
Myth 9: The only viable solution for safe login to a web account requires
changing the login process
Any change to the login process is problematic for the user. If a site is
registered as Safety Seal verified, the user continues to use the same username
and password and is well protected against all known Internet scams, including
phishing, pharming, spyware and Trojans.