Phishing Newspaper Article

This is a copy of an article I wrote to be published in a local Arabic newspaper. (It, of course, will be translated.)

### Phishing

Have you ever received an email claiming to be from a banking or financial institution that looked something like this? “Attention bank customer. We recently noticed suspicious activity on your account. Please login to our website immediately to inspect the suspicious activity. If you do not login within 24 hours, we will suspend your account until we can investigate further. Please click here to login.”

If you have, you were likely targeted by a common internet scamming technique called “Phishing.” A phishing attack is when a hacker sends an email to a group of people and convinces them to send him sensitive information, like the password they use for their bank account. Phishing attacks are very common and good ones can be extremely hard to notice. Sometimes even a trained professional can be tricked by a phishing attack!

Let’s say a hacker wants to perform a phishing attack to try to steal the usernames and passwords of bank customers. First, he’ll build a website that is made to look exactly like the bank’s. When a user tries to log in to it, he receives an error message, but his confidential username and password are sent directly to the hacker. After he has the website built, he will put together an email like the example above. The email will usually include a link to his fake website.

Next, the attacker simply sends this email to as many Qatar-based email addresses as he can find. If any of the people who receive the email are customers of the bank presumed to be the sender, they might read the email, click on the link, and try to log in. Of course, the website just emails the hacker that person’s login information, and then he goes to the real bank website, logs in, and starts transferring money to a different account in or outside of the country.

When it comes to phishing attacks for financial institutions, it’s easy to protect yourself if you follow three simple rules. First, never send your password or bank account information to anyone over email, even if a message from your bank asks for it. If your bank needs that sort of information, they can get it from their records; they don’t need you to email it to them. Second, never click on a link in an email claiming to be from your bank. The link could go to a fake version of your bank’s website. If the email tells you to “click here to login,” don’t. Instead, go to the bank website the way you usually do in your web browser and log in there. By not clicking on the link, you won’t go to the fake website. Finally, if you get an email that claims to be from your bank and you don’t know what to do, call them and ask them to verify it. If a bank employee on the phone can’t verify the email, then assume the email is fake and disregard it.

By taking the above precautions, you can defend yourself against a common internet scam: Phishing.

10 October 2011