Suppose you have an account in a bank named “Elite Bank”. One fine day, you get an email from the bank:
Subject: Account Status
We recently noted some suspicious activity on your account. Someone tried to log in to your account in a way that did not look normal. For your security, we have temporarily prevented access to your account. Elite Bank safeguards your account when there is a possibility that someone other than you tried to sign on. You may be getting this message because you signed in from a different location or device. If this is the case, your access may be restored when you return to your normal sign-on method. The details of the device and location of the attempted login are as follows:
Time: 12:25:44, 04 Apr 2015
If it was you who tried to access the account, no action is needed from your side; however, if the device or location does not look familiar to you, we recommend that you IMMEDIATELY change your password. Click here to change your password and secure your account.
You are instantly shocked to see this mail. You have not recently tried to log in to the bank. Hell, you have never been to India in your life (the country shown alongside the IP address). You are sure someone is trying to get into your account, so you instantly change your password via the link provided in the mail.
A few days later, you notice some unauthorized, unrecognized transactions in your account amounting to a large sum of money. Someone has used your account to purchase goods online and/or transfer money to some unknown bank account.
What went wrong?
What exactly happened there? You did your best to protect your account, but in spite of that it got compromised. Let’s revisit our case from the start. When you received the email about the unauthorized access, did you validate the sender of the email? How did you know that it was the bank itself sending the email? The e-mail could have come from anyone pretending to be from the bank.
So, if you did not even look at the ‘From’ field of the email, you failed at step 1. Now, if you are a cautious person and looked at the ‘From’ field before believing or responding, that is a good practice. However, even then you are in danger. Suppose the ‘From’ field looks somewhat like this:
From: Security Team <email@example.com>
The ‘From’ part of the email should end with the bank name or bank website, so in this case ‘@elitebank.com’ looks trustworthy. If it were something else, like a public email provider such as Gmail or Yahoo, you should instantly know it is a scam. However, please note that even if the email does end with the correct sender, as in this case, you should not believe that it is the bank’s email just because it appears so. The reason: it is an easy task for the hacker to forge an e-mail, i.e. to send a spoofed email pretending to come from a source other than the original one. The hacker doesn’t even need to hack the bank website to achieve this. He can send email pretending to come from any email address, even your friends’.
So, how do you find out whether this is the genuine sender? To be honest, for an average non-technical person, this is somewhat difficult. The best you can do is try to eliminate the obvious fake ones. For example, if the email is in capital letters or has a lot of grammatical mistakes, most probably it is a scam. If an email passes all these filters and you are still in doubt, you should contact the person or bank directly by phone before responding to the email.
The next mistake you probably made here was to click the link in the mail (for the password reset) without verifying its authenticity. True, we are somewhat casual while browsing online, but if you are the sort of person who clicks links blindly without even knowing where you are going, it needs to stop. You should NEVER click links from unknown sources. In this e-mail, for example, the password reset link actually takes you to a fake website which is a replica of your bank’s website. When you try to reset your password, you end up giving your existing credentials to the hacker. I will discuss this in detail later, but for now understand that you have to be careful while clicking links online.
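The point above is that the visible ‘From’ address proves nothing on its own. The following Python script is an added example, not code from the original text: it shows the check a mail filter (or a technical reader looking at the raw headers) can apply beyond the ‘From’ field, namely whether the receiving mail server’s own SPF/DKIM/DMARC verdict says the message really came from the bank’s servers. The bank domain `elitebank.example`, the provider name `mx.example.net` and both sample messages are constructed placeholders for the example.

```python
import email
from email.utils import parseaddr

# Assumed values for this example (placeholders, not from the original text):
# the bank's real mail domain and the identifier that your own mail provider
# writes at the start of the Authentication-Results header it adds.
BANK_DOMAIN = "elitebank.example"
TRUSTED_AUTHSERV_ID = "mx.example.net"

# Constructed sample 1: a spoofed notice. The From address ends in the bank's
# domain, but the receiving server's SPF check failed and there is no DKIM.
SPOOFED = """From: Security Team <security@elitebank.example>
To: customer@example.net
Subject: Account Status
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=attacker.example;
 dkim=none

We recently noted some suspicious activity on your account.
"""

# Constructed sample 2: a notice that the bank's own servers actually sent.
GENUINE = """From: Security Team <security@elitebank.example>
To: customer@example.net
Subject: Account Status
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=elitebank.example;
 dkim=pass header.d=elitebank.example

Your statement for March is now available.
"""


def sender_domain(msg):
    """Domain part of the From header, lower-cased (None if malformed)."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts, but only from Authentication-Results
    headers stamped by our own provider: a sender can forge this header too,
    so any copy carrying a foreign authserv-id is ignored."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in header.split(";")]
        if parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for part in parts[1:]:
            for token in part.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    if key.lower() in ("spf", "dkim", "dmarc"):
                        verdicts[key.lower()] = value.lower()
    return verdicts


def assess(raw_message):
    """Return (looks_genuine, reasons). Both conditions must hold: the visible
    From domain is the bank's AND at least one authentication check passed."""
    msg = email.message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg)
    if domain != BANK_DOMAIN:
        reasons.append(f"From domain {domain!r} is not {BANK_DOMAIN!r}")
    verdicts = auth_results(msg)
    if not any(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        reasons.append("no SPF/DKIM/DMARC pass from our provider; From may be forged")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        ok, why = assess(raw)
        print(name, "->", "looks genuine" if ok else "suspicious: " + "; ".join(why))
```

Running the script reports the first message as suspicious and the second as genuine even though both carry an identical ‘From’ line, which is exactly why looking at that field alone is not enough. Most webmail clients expose these headers through a “show original” or “view source” option.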
What exactly is phishing?
Phishing is the most common way of getting your account compromised. Hackers who use the phishing technique to scam are sometimes referred to as phishers. Using fake emails and crafty scams, phishers trawl the cyber high seas for your banking information, credit card numbers and passwords. Roughly 156 million phishing emails are sent globally every day, so even if only a fraction of recipients fall for the scam, phishers score big. Here are some stats:
- Number of phishing mails sent every day: 156 million
- Number of mails bypassing the spam filter: 16 million
- Number of phishing mails opened by users: 8 million
- Number of people falling into such a trap every day: 80,000
Phishing is basically a two-step process:
- First, the hacker chooses a target, say a banking website. What the hacker would do is create a fake duplicate of your bank’s website which looks exactly like the original. The only difference is that any information you give at the duplicate website goes to the hacker instead of your bank, including your bank password.
- Second, the important part is to lure the user to the fake website instead of the original one. They do this by sending fake mails appearing to originate from the bank, asking you to click the link for some reason or other. When you click that link, it takes you to the fake website, and anything you type there (for example, the username and password you would enter to log in) goes directly to the hacker. He can then use your credentials later to log in to your bank and perform fraudulent transactions.
The second part is more difficult for a hacker than the first. You may wonder why you would just click on anything from inside an email. Sometimes they disguise it so well that even the smartest fall for it. It all depends on the creativity of the hacker and the awareness of the user.
Let me give you another example of phishing –
You have an account on Gmail, and one day you get an email from Gmail’s support team saying that your account is locked and you need to log in again to enter some security questions. Firstly, any such email should be viewed with suspicion. Remember our previous discussion regarding the authenticity of the sender. Now suppose you click the link from inside the email and are redirected to a Gmail login page as below:
At the time of writing, this is nearly identical to the actual Gmail login page. How do you find out whether this is legitimate or a fake one? Well, one golden rule of thumb is to ALWAYS have a look at the URL of the page you are visiting. So, if you look closely, the URL from the above image is something like:
If it were the original, the URL would have been gmail.com or google.com or something similar; anything other than that is surely a fake one to trap you. Anything you type there is recorded and monitored by the hacker. In this case, I have created a fake phishing page on my personal website www.harshmaurya.in for demo purposes. If it were a real one intended for malicious purposes, as soon as you enter your credentials expecting to log in, the username and password would be stored in some database owned by the hacker and you would be sent back to Gmail so that you don’t even realize that something wrong has happened. In this case, it does not matter how strong or complex your password is, because you are entering it at a place where all of it is being recorded, so the advice you get from everyone to have a strong password is not sufficient to keep you safe.
Another good practice to follow is to manually enter the website address in the address bar of the browser rather than clicking links from anywhere, especially for banking websites. So if you want to go to your bank’s website, rather than clicking a link from any email, just enter it manually in the browser’s address bar, or if it is hard to remember, do a Google search for your bank’s name and visit the website from there. In fact, many banking websites have made it compulsory for the user to manually enter the address in order to access the website. This is a good thing from a security point of view.
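The “always look at the URL” rule above has a few traps of its own: the real site’s name can appear as a prefix of a longer fake name, as text before an ‘@’ sign, or be replaced by a raw IP address. The Python script below is an added example, not code from the original text, showing how to read a link the way a careful reader should: it takes the host the browser will actually connect to and accepts it only when it is gmail.com, google.com or a subdomain of one of them (the assumed list `LEGITIMATE_DOMAINS`). The sample links are constructed; apart from the author’s own www.harshmaurya.in, they use reserved example names and addresses, not real sites.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed set of domains that genuinely belong to the service the email claims
# to come from (a simplification for this example; Gmail/Google as in the text).
LEGITIMATE_DOMAINS = {"gmail.com", "google.com"}

# Constructed sample links of the kinds seen in phishing mails. The demo host
# www.harshmaurya.in is the author's site mentioned above; the rest are
# reserved example names and addresses, not real sites.
SAMPLE_LINKS = [
    "https://mail.google.com/mail/",
    "https://accounts.google.com/signin",
    "http://gmail.com.account-verify.example/login",   # real name as a prefix
    "https://gmail.com@evil.example/login",            # real name before '@'
    "https://goog1e.com/signin",                       # look-alike spelling
    "https://203.0.113.5/login",                       # bare IP address
    "https://www.harshmaurya.in/",                     # the demo page's host
    "http://google.com/",                              # right name, no https
]


def belongs_to(host, domain):
    """True only when host IS domain or a subdomain of it, on a label boundary.
    A plain substring test would wrongly accept gmail.com.account-verify.example."""
    return host == domain or host.endswith("." + domain)


def inspect_link(href):
    """Return (is_suspicious, reason) for a link taken from an email."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()   # .hostname drops any user:pass@ part
    if not host:
        return True, "no hostname in the link"
    if "@" in parsed.netloc:
        return True, f"text before '@' is not the site; the real host is {host!r}"
    try:
        ipaddress.ip_address(host)
        return True, f"raw IP address {host!r} instead of the site's name"
    except ValueError:
        pass   # not an IP literal, carry on with the name checks
    if not any(belongs_to(host, d) for d in LEGITIMATE_DOMAINS):
        return True, f"host {host!r} is not one of {sorted(LEGITIMATE_DOMAINS)}"
    if parsed.scheme != "https":
        return True, f"login page offered over {parsed.scheme!r}, not https"
    return False, "ok"


def triage(links):
    """Map each link to its verdict, so every link in a mail is checked at once."""
    return {link: inspect_link(link) for link in links}


if __name__ == "__main__":
    for link, (bad, why) in triage(SAMPLE_LINKS).items():
        print(("SUSPICIOUS  " if bad else "ok          ") + link + "   " + why)
```

Only the first two sample links pass; the others are each rejected for the reason printed beside them. The same host-boundary logic is what a browser’s address bar shows you if you read it from the right-hand end of the host name, which is the habit the golden rule is trying to build.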
Now let us revisit our angel acronym, HACK, and see how it can be used in safeguarding you against phishing. Using C for Common sense, we can straightaway infer that the email is a fake. Why would Gmail ask us to log in again to review security settings? We are already logged in, remember? In the banking email, we could have used our common sense to either call the bank directly, since it was an important issue, or at least refrain from clicking links blindly. Using K for Keep your eyes open, any phishing attack can be averted. As already mentioned, always have a look at the URL of the page you are visiting and keep your eyes open for any suspicious thing you notice.
There can be many variations of the phishing attack; it is not limited to banking or Gmail/Yahoo. In the end, it all comes down to the awareness of the user and how easily he/she can be trapped. Let’s do a quick summary of what we learnt.
- Do not click links blindly while browsing online
- Any email can be forged easily. Always verify the authenticity of the sender
- Keep an eye on the URL of the webpage you visit
- Use your common sense to filter out the obvious scam attempts.