Phishing attempts becoming too personalised
Category : General 09 May 2010 01:39 AM | Industry News
Phishing is typically carried out by e-mail or instant messaging and usually directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when the server is authenticated, it can take considerable skill to detect that the website is fake. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness and technical security measures.
Phishing is the practice of sending out fake emails, often in bulk like spam, written to appear as if they have been sent by banks or other reputable organisations, with the intent of luring the recipient into revealing sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details. Typically, a phishing attack directs the recipient to a web page designed to mimic the target organisation's visual identity and to harvest the user's personal information, often leaving the victim unaware of the attack. This kind of personal data is attractive to attackers because it allows them to impersonate their victims and make fraudulent financial transactions. Victims often suffer significant financial losses or have their entire identity stolen, usually for criminal purposes.
With this tactic the phishing message is tweaked slightly to give it an individualised look. The email poses as an online fund transfer notification and addresses the user by name in the salutation. It also states that funds have been transferred to the user's account by a real person, and supplies the supposed name of that person. The "From" header is forged so that the email appears to originate from a legitimate bank, while the URL provided in the message actually leads to the phishing website.
If the targeted user happens to know the person named in the email, or is expecting a funds transfer, they can fall victim to this type of phishing attempt very easily. The attack is especially dangerous when the user's mailbox has been hijacked and the "fund sender" named in the message is actually one of the contacts in their address book.