June 5, 2010 – The term “phishing” — as in fishing for confidential information — refers to a scam that encompasses fraudulently obtaining and using an individual’s personal or financial information. This is how it works:
- A consumer receives an e-mail which appears to originate from a financial institution, government agency, or other well-known/reputable entity.
- The message describes an urgent reason you must “verify” or “re-submit” personal or confidential information by clicking on a link embedded in the message.
- The provided link appears to be the Web site of the financial institution, government agency or other well-known/reputable entity, but in “phishing” scams, the Web site belongs to the
- Once inside the fraudulent web site, the consumer may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer’s mother or the consumer’s place of birth.
- When the consumer provides the information, those perpetrating the fraud can begin to access consumer accounts or assume the person’s identity.
If you suspect an e-mail or Web site is fraudulent, please report this information to the real bank, company or government agency, using a phone number or e-mail address from a reliable source. Example: If your bank’s Web page looks different or unusual, contact the institution directly to confirm that you haven’t landed on a copycat Web site set up by criminals. Also, contact the Internet Crime Complaint Center (http://www.ic3.gov/), a partnership between the FBI and the National White Collar Crime Center.
If you suspect that you have been a victim of identity theft, perhaps because you submitted personal information in response to a suspicious, unsolicited e-mail or you see unauthorized charges on your credit card, immediately contact your financial institution and, if necessary, close existing accounts and open new ones. Also contact the police and request a copy of any police report or case number for later reference. In addition, call the three major credit bureaus (Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289) to request that a fraud alert be placed on your credit report.
Pharming is an attack on personal information used over the internet. A user can be fooled into entering sensitive data such as a password or credit card number into a malicious web site that impersonates a legitimate web site. It is different than phishing in that the attacker does not to rely on the user clicking a link in an email to deceive the user. If the user correctly enters a URL (web address) into a browser’s address bar, the attacker can still redirect the user to a malicious web site.
How can you protect yourself?
Only use pharming-conscious or (PhC) web sites. A PhC web site uses a secure connection to prevent other web sites from impersonating it. PhC web sites typically use the HTTPS web protocol on their login page to allow the user to verify the web site’s identity. If an attacker attempts to impersonate a PhC web site, the user will receive a message from the browser indicating that the web site’s “certificate” does not match the address being visited. Users should NEVER click “Yes” in response to such a window because they may get deceived by a pharming attack.
On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) released an updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing Internet-based financial services. The guidance, Authentication in an Internet Banking Environment, was issued to reflect the many significant legal and technological changes regarding the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies.
The growth of Internet banking and other electronic banking activities as well as the increased sophistication of threats to those environments have resulted in higher risks for financial institutions and their customers. An effective authentication system is crucial for the ability of financial institutions to comply with requirements in order to safeguard customer information. This system reduces fraud and the theft of sensitive customer information, which is often the precursor to identity theft, and promotes legal enforceability of financial institutions’ electronic agreements and transactions.
What is Multi-Factor Authentication (MFA)?
To access many online systems today, users commonly utilize an ID and password combination to identify (authenticate) themselves. This is considered “single factor authentication,” one of three basic “factors” used in authentication methodologies. The multi-factor program includes the following data:
1. What an individual knows — information that only a person knows (i.e. ID/ password, PIN, etc.).
2. What an individual has — something physical and unique a person possesses (i.e. token, smart card, ATM card, individual workstation computer, etc.).
3. What an individual is — a physical attribute unique to a person (i.e. a fingerprint, voice-print, eye-retina structure, etc.).
For additional information and resources regarding Identity Theft, please refer to the following Federal Trade Commission website. http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm