BW Businessworld

The Phish Are Biting

Earlier this year, I had the frightening experience of being completely locked out of my Gmail account. The cause of the problem was evidently not on my computer, as one couldn't log in from anywhere. I would just get the login screen back with my id entered and a blank password box minus any alerts. Strangely, I could get into the settings and change my password — which I did several times over for no particular reason. Google's fix-it-yourself options didn't include whatever was ailing my e-mail account.

Eventually, I reached the Google people. They were fantastic, and handed the account back to me in a couple of days. What happened, I will never know. The incident was ugly enough to scare me into cyber-sensitivity. I'm so scared of a phishing attempt that even if I spot a well-meaning warning, I cold-stop my PC and head for the nearest air raid shelter. Not that turning off your PC is going to help. By then it's too late — just as it has been for thousands of e-mail users in recent weeks. Hackers got to the Hotmail, Gmail and Yahoo accounts of over 30,000 users, obtained their ids and passwords, and posted them on a site where hackers share information. Spam from accounts at these e-mail providers, according to security firm Websense, has increased hugely. The spam, again, tries to lure users to click on links to get to shopping and other sites.

Another thing that happened on the phishing scene was that the FBI recently charged 100 people in what is said to be the largest phishing scam ever. Among them were Egyptians and Americans. The scam has been going on for two years, and was evilly focused on obtaining bank account numbers and defrauding banks and their customers of money.

Obviously, it's critical to be alert and informed. But today, phishing and other malicious activities have become so complex and sophisticated that it's almost impossible to stay ahead of the curve. Even for the FBI, apparently. Still, it's best to follow a few universal rules. One of these is not to click on a link in an e-mail or an "unaccompanied" chat message. It could take you straight to a payment, banking or shopping site that looks real enough but isn't. You're asked to verify details and give information; you get fooled or "socially engineered" into it — and phishers can then get to your money.

When you need to get to a site, go there separately in your browser by typing in the URL. Be aware of the URLs of your bank and of other sites on which you carry out transactions or leave information. A misspelling or anything else unusual should alert you to trouble. Hover your mouse over the link to see the URL. No bank or service worth its salt will ask you to give important information online, and certainly not after addressing you as "Dear Valued Customer". But malicious mail and sites are getting smarter and look genuine. There are even ways to make the URL look genuine. So it's tough to rely only on recognising the site.
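For readers who want to see those URL checks spelled out, here is an added example (not part of the original column) that compares where a link really goes with what it displays and flags misspellings and other ways of making a URL look genuine. The site names and sample links are constructed, and the last two labels of the host stand in for a proper registered-domain lookup.

```python
import re
from urllib.parse import urlsplit

# Assumption: the sites the reader really uses (constructed names).
KNOWN_SITES = {"examplebank.com", "exampleshop.com"}

def edit_distance(a, b):
    """Levenshtein distance; small values indicate a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def tail_of(host):
    """Crude registered-domain guess: the last two labels of the host."""
    return ".".join(host.lower().split(".")[-2:])

def check_link(href, shown_text=""):
    """Return the reasons a link looks deceptive; an empty list means none found."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append("text before '@' is not the host")
    if re.fullmatch(r"[\d.]+", host):
        reasons.append("raw IP address")
    if "xn--" in host or not host.isascii():
        reasons.append("internationalised name (possible look-alike letters)")
    if tail_of(host) not in KNOWN_SITES:
        for site in sorted(KNOWN_SITES):
            if edit_distance(tail_of(host), site) <= 2:
                reasons.append(f"near-miss spelling of {site}")
            elif site in host:
                reasons.append(f"{site} used as a prefix of another domain")
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", shown_text.lower())
    if shown and tail_of(shown.group(0)) != tail_of(host):
        reasons.append(f"visible text says {shown.group(0)}")
    return reasons

# Constructed (href, visible text) pairs, as they might appear in an e-mail.
SAMPLE_LINKS = [
    ("https://www.examplebank.com/login", "www.examplebank.com"),
    ("http://examp1ebank.com/verify", "Verify your account"),
    ("http://examplebank.com.login-secure.example/", "examplebank.com"),
    ("http://examplebank.com@203.0.113.7/", "Dear Valued Customer"),
]

def audit(links):
    """Map each suspicious href to its reasons; clean links are left out."""
    return {h: r for h, t in links if (r := check_link(h, t))}
```

A clean result only means none of these particular tricks was found, which is why typing the address yourself remains the safer habit.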

The recent stealing of passwords and IDs may have been through key logging — a dirty trick to record every keystroke you make. This can be done in various ways including slipping sneaky software on to your computer to work at it. The cleverness of threats means you need to have legal software.

Operating systems need to be updated, and so do e-mail programs and browsers. These will give you alerts when you're at a dangerous site. You also need a proper suite of security software that includes anti-virus, anti-spyware and firewall.

Now, because of the recent incidents, there's a lot of information put out on phishing. The BBC has an excellent list of frequently asked questions (FAQ) on the subject. I would also highly recommend checking out a CNet interview with Marian Merritt, Symantec's security advisor, giving tips on what you can do to stay secure, and a site that she recommends:

Security experts are now saying what they have never said before: create a strong password, and write it down offline. Change your password frequently. They are also recommending that parents talk with their children and warn them what to be careful about.

We tend to think phishing and scams affect only individuals online. But they impact the brand that is targeted — banks, pharma companies, shopping portals, and even security providers themselves. Services such as those offered by provide solutions for online brand protection. For companies with a large Web presence, it may be worth registering at MarkMonitor, and checking out their resources, white papers and "Brandjacking index" reports.

The author is editorial director at Mindworks Global Media Services.

(This story was published in Businessworld Issue Dated 26-10-2009)