Phight Phraud
Steps to protect against phishing.
by Steven C. Thompson
You receive an e-mail that appears to be
from your bank. You recognize the logo and the
letter format. It's even signed by the bank
officer you deal with. It says there has been a
glitch in your account and asks for verification
of some information (credit card numbers,
passwords and other personal information),
which you quickly supply.
Congratulations,
you've just inadvertently given a crook the
key to your bank account. This fraud technique,
known as "phishing" (pronounced "fishing"),
is growing in frequency and sophistication. This
article will tell you how to guard against it.
HOW IT WORKS
A typical phishing scheme sends out millions of
fraudulent e-mail messages that appear to come
from popular Web sites that most users trust,
such as eBay, Citibank, AOL, Microsoft and the
FDIC. According to the Federal Trade Commission,
about 5% of recipients fall for the scheme and
give information away.
Phishers try to
alarm recipients so that they provide
sensitive information without thinking clearly
about the repercussions. Victims might be told
someone has stolen their PIN and they must click
on the provided link to change the number.
At the linked
site, victims see an exact copy of a site they
know and trust. They enter their account number
and PIN and a return response shows that the site
is temporarily down due to maintenance or some
other satisfactory-sounding excuse so they will
not try to initiate a connection to the real
site. It sometimes takes several weeks to realize
a crime has been committed. Meanwhile, victims
are hooked and the phisher uses the information
to purchase goods, apply for new credit cards or
steal their identity.
There are several
free products that fight phishing by disclosing
whether the Web site you contact is legitimate:
Netcraft Toolbar (http://toolbar.netcraft.com) works in both Internet Explorer and Firefox.
Cloudmark Safety Bar (www.cloudmark.com/products/safetybar) only supports Internet Explorer.
Mozdev.org TrustBar (http://trustbar.mozdev.org) works only in Firefox.
Earthlink Toolbar (www.earthlink.com/software/free/toolbar).
Microsoft also
recently announced it is adding antiphishing
features to Internet Explorer 6 and subsequent
versions. The new phishing filter, which will
require Windows XP SP2, will be available shortly
in a beta version.
AICPA RESOURCES
Conference
Technology Conference
June 11-14, 2005
Hilton, Austin, Texas
CPE
Information Security: Critical Guidance for
CPAs in Public Practice and Industry
(# 732450JA). (Also available as a public
seminar or as on-site training. For more
information, visit www.aicpalearning.org/public_seminars.asp).
To order or to register go to www.cpa2biz.com or call
the Institute at 888-777-7077.
PROTECTION TIPS
As the use of financial transactions on the
Internet becomes more pervasive, con artists will
continue to develop new and more sinister ways to
trick victims. Here are ways to protect yourself:
As a general rule, never e-mail personal or
financial information.
Never respond to requests for personal
information in e-mails. Banks, the IRS and
legitimate businesses never ask for such
information through e-mail. If you are tempted to
respond, call the company instead.
If you initiate a transaction that
calls for personal or financial information,
confirm that the Web site is secure by checking
for a lock icon on the browser's status bar
or a URL that begins "https" (the "s" stands for "secure")
instead of "http."
Be aware that phishers are able to forge a
security icon only when they initiate an e-mail,
which is why you never should reveal information
in response to a received e-mail.
Check credit card and bank statements as soon as
you receive them for any unauthorized charges. If
your statement is late by more than a couple of
days, call the company or bank to confirm your
billing address and account balances.
Use antivirus software and keep it current. Use a
firewall if you have a broadband connection.
Report suspected abuses to the antiphishing
network authorities at reportphishing@antiphishing.org and to the company that's being
spoofed. If you suspect your personal information
has been compromised or stolen, be sure to
promptly contact the Federal Trade Commission and
the identity theft Web site at www.consumer.gov/idtheft.
Phishing is the
latest crime of the 21st century. Understanding
the techniques and technologies phishers use can
help you protect against them.
Steven C. Thompson, CPA, PhD, is the
McCoy Professor at Texas State University, San
Marcos, and webmaster for the American Taxation
Association. His e-mail address is taxman@txstate.edu.