Have you ever thought about losing something you cannot live without? That something can be your identity. Phishing is the practice of luring unsuspecting Internet users to a fake web site with authentic-looking email bearing the real organization's logo, in an attempt to steal passwords and financial or personal information. In daily life people advise you to retrace your steps when you lose something. The question is how you retrace your steps in cyberspace, where some skilled hackers know how to erase their footprints to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is the issue of trust: phishers dupe people into believing that their web site is legitimate in order to collect personal and financial information.

Amid the financial crisis, phishing may be on the rise, because for many organizations information protection may be the last thing on their mind. The FDIC has created a web page to inform and warn consumers about phishing. Recently phishers have targeted the social networking sites LinkedIn and Facebook, where members have been duped into revealing sensitive data.

Phishing attacks are mainly aimed at stealing identities. So how easy is it to steal somebody's identity? Say a phisher has your name and address; he or she can then obtain your Social Security number with a search on AccurInt or another personal-data website. A Social Security number is not the only bounty a fraudster can find on these sites; other personal and private information is available as well, at minimal cost.

The table below lists 12 threats to your online identity that can be exploited in phishing scams, along with possible countermeasures to protect your personal and financial information. Some of the threats are simply inadequate or missing security controls. The last row of the table is a monitoring control to identify the warning signs of identity theft.

12 Phishing Threats & Countermeasures

| Threat | Countermeasure | Comments |
|---|---|---|
| Lack of a communication policy for customers | Build a standard communication policy | Don't send email in HTML; don't send attachments; don't include personal information; don't use hotlinks |
| Spoofed email | Two-factor authentication (Sender Policy Framework, Sender ID, DomainKeys) | To stop email and IP spoofing |
| Scripting in email | Disable scripting in email | This disables JavaScript, ActiveX and Visual Basic attacks |
| Weak user/client authentication | Two-factor user authentication | Type 1: something you know; Type 2: something you have; Type 3: something you are |
| Clicking links in the phisher's email | Don't click links in the phisher's email; type the URL into the web browser yourself | The link may look real, but its true destination can be masked |
| Responding to email in which the phisher requests personal/financial information | Don't respond to the phisher's email; pick up the phone and verify with the institution named in the email | Use the phone number from your own contacts, not the one in the phisher's email |
| Not a secure link (http://) | Always use a secure link (https://) for sensitive information | Be aware that a phisher may also use https://; always check the address bar |
| No spam filter on your PC | Install a spam filter on your PC | Filters out spam not caught by the gateway; fine-tune it for false positives |
| Unused accounts | Close all unused accounts | It is possible to obtain the account name and change the address on the account |
| Physical security | Encrypt your personal folder | To protect your personal and private information |
| Keyboard spyware and Trojans | Remove spyware and Trojans | Spyware can be used to sniff personal information |
| Unpatched web browser | Ensure your browser is up to date on security patches | A phisher may exploit weaknesses in the browser |
| Never checking the credit report | To identify warning signs, check your credit report regularly | www.equifax.com, www.experian.com, www.transunion.com |
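As an added example (not code from the original post), the following Python script scores one email against five of the table's warning signs: an HTML body, an attachment, a visible link whose true destination differs, a plain http:// link, and a failed SPF/DKIM result recorded by the receiving mail gateway. The lure it builds and every domain in it are constructed placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Visible anchor text that itself looks like a URL or bare domain
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
# Crude <a href="...">text</a> extractor; enough for this example, not a full HTML parser
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(url):
    url = url if "://" in url else "http://" + url
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    """Return the sorted indicator names found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim)=(fail|softfail|none)\b", auth, re.I):
        found.add("sender-auth-failed")  # row 2: spoofed sender, as judged by the gateway
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        found.add("html-body")  # row 1: the communication policy says plain text only
        for href, text in ANCHOR.findall(html.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()
            if href.lower().startswith("http://"):
                found.add("insecure-link")  # row 7: no https
            if LOOKS_LIKE_URL.match(text) and _host(text) != _host(href):
                found.add("masked-link")  # row 5: visible URL differs from true destination
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        found.add("attachment")  # row 1: attachments
    return sorted(found)

def sample_lure():
    """Constructed lure carrying all five indicators; every domain is a placeholder."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alerts@bank.example", "customer@example.net"
    msg["Subject"] = "Action required: verify your account"
    msg["Authentication-Results"] = "mx.example.net; spf=fail smtp.mailfrom=bank.example"
    msg.set_content("Please view this message in an HTML capable client.")
    msg.add_alternative('<p>Log in at <a href="http://bank.example.verify-login.test/">'
                        'https://www.bank.example/login</a></p>', subtype="html")
    msg.add_attachment(b"PK", maintype="application", subtype="zip", filename="statement.zip")
    return msg.as_string()

if __name__ == "__main__":
    print(triage(sample_lure()))
```

A plain-text message with no links, attachments or failed authentication result yields an empty list; anything in the list is a cue to apply the table's countermeasure for that row rather than to trust the message.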

Organizations should take the necessary steps to protect against identity fraud and comply with whatever state and federal legislation applies to their business. Organizations that are serious about information security should consider implementing the ISO 27001 (ISMS) standard as a best practice; it provides reasonable due diligence for protecting and safeguarding information.

US Bank phishing attack exposed
