Escaping the Phishermen’s Net
17 Feb 2004
It sounds like an innocent pastime for a summer afternoon, usually undertaken by men who’d rather catch trout in a muddy canal than talk to their nearest and dearest. The spelling makes it look like a joke – maybe a novelty children’s snack, or some trick skateboarders are doing this month. But phishing is serious – and if you’re not sure what it is, you might wind up as the fish, not the angler.

Phishing is an attempt to steal a user’s account information by sending them a plausible-looking email that contains a link to a related web site, where they are requested to enter their account details. Although some attempts to do this are clearly bogus – the messages look and read too much like spam mail to be believable – many are not. And faking a web site is, if not child’s play, certainly not beyond the well-motivated and moderately educated late teenager. If that all sounds implausible to you, a list of recent large organisations whose customers have been targeted may change your mind: Barclays, NatWest, Lloyds TSB, eBay, Visa, Citibank and Amazon. Contrary to popular cliché, crime does pay, and we hope this article will help you to avoid helping to underwrite it.

Phishers typically send an email to customers asking them to log on to the site for a security update. This is an example of the type of cybercrime that is categorised as ‘social engineering’: playing on human weaknesses, vulnerabilities or concerns to lead people into behaviour that breaches sensible security precautions. If you think your bank or online merchant is taking steps to improve its security, why wouldn’t you want to help? According to the web site www.anti-phishing.org, some 20 per cent of people who receive these emails respond to them, clicking a link to a web site that – like the email that sent them there – can look all too convincing.
Malicious attackers can copy a web site and, by adding specific digits to a web address, run the copied site over their own servers so that it looks identical to the genuine one. It doesn’t help that Microsoft’s Internet Explorer has a loophole that allows phishers to obscure the name of a bogus web site and make it appear legitimate to all but a vigilant and educated eye. How suspicious would you be of http://ibank.barclays.co.uk%01%01%01%01%01%01%?

Another trick has also come to light: redundant information can appear in front of the URL. (This technique was originally intended for automatically passing a username and password to a web site, but is now rarely used.) We’re not trying to pretend we’re Lloyds Bank, but at first glance whose web site do you think the following link will open? Until a recent browser update from Microsoft, an address like http://www.lloydstsb.co.uk@www.powernet.co.uk would see you at the Powernet site and not Lloyds TSB as you may have expected.

So how do you make sure you can always wriggle away from the phishers’ hooks? Some will be obvious – if you don’t have an account with Barclays, you won’t respond to the email. Even where you do have an account, some of these messages will be easy to spot. They are generally addressed to ‘Dear valued customer’, but never actually to you personally as ‘Dear Mr Smith’. (The phishers would need to already have access to the bank’s customer lists to be able to do this.) Banks and other major online traders usually take care to proofread their communications very carefully – if the email contains spelling errors or grammatical blunders, then think twice. More importantly, a major financial institution is unlikely to use email as a means of asking you to visit its web site and enter confidential security details: as security-conscious organisations, they will tend to use traditional mail only, to an address previously notified to them.
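The two link tricks above (a trusted name placed before an ‘@’ so that it becomes a username rather than the host, and %01 padding in the address) both rely on the reader seeing one name while the browser connects to another. The check below is an added example, not code from the article or from any of the banks named in it: it uses Python’s standard URL parser to recover the host a browser would actually contact and flags the signs described in the text. The sample links, host names and the 198.51.100.7 address are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed sample links modelled on the two tricks the article describes.
# The host names are placeholders and 198.51.100.7 is a documentation
# address; none of these point at a real site.
SAMPLE_LINKS = [
    "https://www.examplebank.co.uk/login",                          # honest link
    "http://www.examplebank.co.uk@www.example-hosting.net/login",   # userinfo trick
    "http://ibank.examplebank.co.uk%01%01%01@198.51.100.7/update",  # userinfo + %01 padding
]


def real_host(url: str) -> str:
    """Host the browser actually connects to: everything after the last '@'
    in the authority part, with any port removed."""
    return (urlsplit(url).hostname or "").lower()


def apparent_host(url: str) -> str:
    """What a casual reader sees: the first run of hostname-looking characters
    after '//'. This is the part a phisher fills with a trusted name."""
    netloc = urlsplit(url).netloc
    match = re.match(r"[A-Za-z0-9.-]+", netloc)
    return match.group(0).lower() if match else ""


def analyse_link(url: str) -> dict:
    """Return the real host plus the findings that mark the link as suspicious."""
    parts = urlsplit(url)
    findings = []

    # Anything before '@' in the authority is userinfo, not the host.
    if "@" in parts.netloc:
        findings.append("userinfo-before-host")

    # Percent-encoded control characters such as %01 have no legitimate use
    # in a host name; the article describes them being used to hide the
    # real destination.
    if "%" in parts.netloc:
        decoded = unquote(parts.netloc)
        if any(ord(ch) < 0x20 for ch in decoded):
            findings.append("control-chars-in-netloc")
        else:
            findings.append("percent-encoding-in-netloc")

    host = real_host(url)
    # A bare IP address in place of the bank's domain suggests a copied site
    # run from the attacker's own server.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass

    if apparent_host(url) != host:
        findings.append("displayed-host-differs-from-real-host")

    return {"url": url, "host": host, "findings": findings, "suspicious": bool(findings)}


def belongs_to(url: str, expected_domain: str) -> bool:
    """True only if the real host is expected_domain or a subdomain of it.
    Checking the parsed host rather than the visible text is the whole point."""
    host = real_host(url)
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = analyse_link(link)
        label = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{label:10} host={report['host']:24} {report['findings']}")
```

The useful habit this encodes is the one the article recommends in prose: decide where a link really goes from the parsed host, not from the name you can see at the start of it, and compare that host against the domain you already know your bank uses.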
If you’re unsure, contact your bank and ask whether it is currently doing such a security update. With the proliferation of call centres in banking operations, we’d recommend you visit the bank’s official site – typing in the URL rather than following a link in an email – and use that to find an email address to send a query to. And you don’t need to follow a link in an email to visit your bank’s web site in any case: you can always just open a web browser and type in the correct URL. Is there anything on the web site about the need to update security? If the bank really was asking all its customers to confirm their online banking details, it’s unlikely its web site would fail to mention it.

Phishing is just another example of how crime is following business onto the Net, and another illustration that while the Net may have changed human interaction, it hasn’t changed human nature. Where there’s a sea, there will always be pirates.