Spear Phishing: Scam, Not Sport
The latest twist on phishing is spear phishing. No, it's not a sport, it's a scam and you're the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn't. It's from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC. Learn how to protect yourself.
Email from a "Friend"
The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: "Hi Bob" instead of "Dear Sir." The email may make reference to a "mutual friend." Or to a recent online purchase you've made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it's a company you know asking for urgent action, you may be tempted to act before thinking.
Using Your Web Presence Against You
How do you become a target of a spear phisher? From the information you put on the Internet from your PC or smartphone. For example, they might scan social networking sites, find your page, your email address, your friends list, and a recent post by you telling friends about the cool new camera you bought at an online retail site. Using that information, a spear phisher could pose as a friend, send you an email, and ask you for a password to your photo page. If you respond with the password, they'll try that password and variations to try to access your account on that online retail site you mentioned. If they find the right one, they'll use it to run up a nice tab for you. Or the spear phisher might use the same information to pose as somebody from the online retailer and ask you to reset your password, or re-verify your credit card number. If you do, he'll do you financial harm.
Keep Your Secrets Secret
How safe you and your information remain depends in part on you being careful. Take a look at your online presence. How much information is out there about you that could be pieced together to scam you? Your name? Email address? Friends' names? Their email addresses? Are you on, for example, any of the popular social networking sites? Take a look at your posts. Anything there you don't want a scammer to know? Or have you posted something on a friend's page that might reveal too much?
Passwords That Work
Think about your passwords. Do you use just one, or easy-to-guess variations on just one? If you do either, you shouldn't, because you're making it easy for a scammer to get access to your personal financial information. Every password for every site you visit should be different, really different. Random letters and numbers work best. Change them frequently. Your Internet security software and operating system can help you keep track of your passwords.
Patches, Updates, and Security Software
When you get notices from software vendors to update your software, do it. Most operating system and browser updates include security patches. Your name and email address may be all it takes for a hacker to slip through a security hole into your system. And it almost goes without saying, you should be protected by Internet security software, and it should always be up to date.
If a "friend" emails and asks for a password or other information, call or email (in a separate email) that friend to verify that they really contacted you. The same goes for banks and businesses. First of all, legitimate businesses won't email you asking for passwords or account numbers. If you think the email might be real, call the bank or business and ask. Or visit the official website. Most banks have an email address to which you can forward suspicious emails for verification.
And always remember: Don't give up too much personal information online, because you never know who might use it against you. Or how.
Information in the article provided by Symantec
It has come to Bank of Nebraska's attention that customers may receive a fraudulent phishing (fishing) e-mail requesting debit card and personal information. This e-mail purports to be from MasterCard and requests that cardholders enroll in the "Verified by MasterCard SecureCode Program" immediately by clicking a link located within the e-mail. Please do not respond to this e-mail. It is not from Bank of Nebraska. MasterCard does not directly contact customers and ask for personal information, nor does Bank of Nebraska. If you receive such an e-mail, please contact us immediately. Here are some other tips to help you protect your personal information:
1. Never respond to any e-mail that asks for debit card and personal information, even if it looks legitimate, and do not click on links within an e-mail; instead, copy and paste the address into your browser. Note: By opening or viewing a preview of the e-mail or by clicking on the link within the e-mail, you may cause your PC to discreetly download a virus or spyware.
2. Install spam-filter and anti-virus software on your PC.
3. Ensure your PC is protected with a personal firewall.
4. Scan your PC regularly to detect and remove spyware.
5. Update your operating system and web browser software regularly.
6. Look to ensure "https://" appears in the web site address and that the security padlock icon appears on websites that request personal information.
7. Educate yourself about Internet fraud scams.
8. Regularly request and validate the accuracy of your credit report.
Pharming... this isn't plowing a field
First we had to worry about phishing (fishing); now we have pharming (farming). So much has been published warning people of the danger of replying to an email with a link attached to it that most people are extremely cautious and delete any strange-looking email without even opening it. But let's discuss the new breed of cyberswindle, pharming. Pharmers redirect as many users as possible from legitimate commercial websites and lead them to malicious ones.
Pharming can occur in four different ways:
• Static Domain Name Spoofing: The pharmer (the person or entity committing the fraud) attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's web site. For example, a pharmer may redirect a user to a misspelled look-alike of anybank.com instead of anybank.com, the site the user intended to access.
• Malicious Software (Malware): Viruses and “Trojans” (latent malicious code or devices that secretly capture data) on a consumer’s personal computer may intercept the user’s request to visit a particular site, such as anybank.com, and redirect the user to the site that the pharmer has set up.
• Domain hijacking: A hacker may steal or hijack a company’s legitimate Web site, allowing the hacker to redirect all legitimate internet traffic to an illegitimate site. Domain names generally can be hijacked in two ways:
o Domain slamming: By submitting domain transfer requests, a domain is switched from one registrar to another. The account holder at the new registrar can alter routing instructions to point to a different, illegitimate server.
o Domain expiration: Domain names are leased for fixed periods. Failure to manage the leasing process properly could result in a legitimate ownership transfer. In this instance, trade name laws usually must be invoked to recover lost domains.
• DNS Poisoning: The most dangerous instance of pharming may be domain name server (DNS) poisoning. Domain name servers are similar to internet road map guides. When an individual enters www.anybank.com into his or her browser, Domain Name Servers on the internet translate the phrase www.anybank.com into an internet protocol (IP) address, which provides routing directions. After the DNS server provides this address information, the user’s connection request is routed to www.anybank.com. Local DNS servers can be “poisoned” to send users to a web site other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or Malware installed on the server.
There are 13 root DNS servers for the entire internet, which are closely protected and controlled. Most requests are directed by the local DNS server before they reach a root DNS server. However, if a hacker were to penetrate one or more of these root servers, the internet could be severely compromised.
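One way a defender can screen hostnames for the misspelled look-alike domains described above. This is an added example, not code from the page or from Bank of Nebraska; it assumes a single legitimate domain to compare against (the page's anybank.com appears in the comments), treats the last two labels as the registrable domain, and its list of confusable characters is a constructed sample.

```python
import unicodedata

# Character sequences that read like another character in an address bar.
# Multi-character entries fold first, so "rn" becomes "m" before "1" becomes "l".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]

def fold(label):
    """Reduce a label to the ASCII string a hurried reader would perceive."""
    # Accents are stripped; characters with no ASCII form (e.g. Cyrillic) are
    # dropped, which shortens the label and raises its edit distance below.
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = ascii_label.lower().replace("-", "")
    for seq, repl in CONFUSABLES:
        folded = folded.replace(seq, repl)
    return folded

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, legit_domain):
    """Return 'legitimate', 'embedded-brand', 'look-alike' or 'unrelated'."""
    host = hostname.lower().rstrip(".")
    if host == legit_domain or host.endswith("." + legit_domain):
        return "legitimate"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Simplification: the registrable part is the last two labels (no multi-part TLDs).
    sld, tld = labels[-2], labels[-1]
    legit_sld, legit_tld = legit_domain.split(".")[-2:]
    if legit_sld in labels[:-2]:
        return "embedded-brand"   # e.g. anybank.com.login-example.net
    if sld == legit_sld and tld != legit_tld:
        return "look-alike"       # same name under a different TLD
    if legit_sld in fold(sld):
        return "look-alike"       # brand name padded or spelled with confusables
    threshold = 1 if len(legit_sld) < 6 else 2
    if edit_distance(fold(sld), fold(legit_sld)) <= threshold:
        return "look-alike"       # one or two keystrokes away from the real name
    return "unrelated"
```

Run it over the hostnames in a proxy or mail-gateway URL log and route anything other than "legitimate" or "unrelated" to an analyst.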
There are steps you can take to prevent pharming attacks:
- Digital Certificates: Legitimate web servers can differentiate themselves from illegitimate sites by using digital certificates. Web sites using certificate authentication are more difficult to spoof. Consumers can use the certificate as a tool to determine whether a site is trustworthy.
- Domain Name Management: Domain names must be registered and renewed on time.
- DNS Poisoning: Investigate anomalies involving web sites to ensure that DNS poisoning attacks are addressed promptly. For example, if Anybank's domain were hijacked, it would immediately stop receiving normal Internet-related requests. The drop in Internet traffic should alert technology staff at Anybank to the problem, which the staff should then investigate.
- Consumer Education: Internet banking customers should install current versions of virus detection software, firewalls and spyware scanning tools to reduce computer infections. These tools are effective only if you update them regularly to combat new threats. Run your spyware scanner weekly and delete anything you are not totally sure of. Check your firewall logs.
- Make sure that any web site you connect to is trusted and not a spoofed site. One way is to always look for the lock icon when using a secure page.
- Bank of Nebraska’s domain name is and will continue to be reviewed, managed, and renewed. Our Internet Banking product has a digital certificate and is secure. We have a technology team that monitors our web site continually.
- Bank of Nebraska’s security policy is placed on our home page for our customers to read and feel confident that we will monitor all traffic to and from our web page.
If you have questions or concerns, please feel free to call the Bank and ask to speak to anyone in our technology department.
**Information in this article provided by FDIC FIL-64-2005