What is phishing?

Phishing is a type of deception designed to steal your identity. In a phishing scam, a malicious person tries to get information like credit card numbers, passwords, account information, or other personal information from you by convincing you to give it to them under false pretences. Phishing schemes usually come via spam e-mail or pop-up windows.

How does phishing work?

A phishing scam begins with a malicious user who sends out millions of fraudulent e-mail messages that appear to come from popular Web sites or from sites that you trust, like your bank or credit card company. The e-mail messages, and the Web sites they often send you to, look official enough that they deceive many people into believing that they’re legitimate. Believing that these e-mails are legitimate, unsuspecting people too often respond to the e-mail’s requests for their credit card numbers, passwords, account information, or other personal information.

A scam artist might put a link in a fake e-mail that appears to go to the legitimate Web site, but actually takes you to a scam site or even a pop-up window that looks exactly like the official site. These copies are often called spoofed Web sites. Once you’re at one of these spoofed sites or pop-up windows you might unwittingly enter even more personal information that will be transmitted directly to the person who created the spoofed site. That person can then use this information to purchase goods, apply for a new credit card, or steal your identity.

Just as they do in the physical world, scam artists will continue to develop new and more sinister ways to trick you online.

How to recognize a phishing email.

  • It might be difficult for users who have received a message with the following characteristics to tell the difference between a phishing email and a legitimate one, especially for those who are clients of the financial entity from which the email message is supposed to come.
  • The From: field shows an address belonging to the legitimate company. However, it is very easy for fraudsters to spoof the source email address that is displayed in any mail client.
  • The message includes logos or images, which have been collected from the legitimate website to which the forged email refers.
  • Though the link included seems to point to the original company website, it actually directs the browser to a fraudulent web page, in which user data, passwords, etc. must be entered.
  • These messages frequently contain grammatical errors or spelling mistakes, or special characters, none of them usual in communication sent from the company that they are pretending to represent.
  • Every email user is a potential victim of this kind of attack. Any email address used in forums, newsgroups, or a website is more likely to receive a phishing attempt, due to the spiders that crawl the Internet searching for valid email addresses.
  • The reason this malware threat exists is therefore clear: it is quite cheap to launch a phishing attack, and the benefits obtained are high, even with the smallest success rate.

Below are lists of recommendations that you can use to avoid becoming a victim of these scams.

  • The Bank of Kuwait and The Middle East (BKME) will NEVER send you an email with a clickable link. Never provide your personal information such as Username, Password, PIN code through a clickable link in an email.
  • Watch out for “phishy” emails. The most common form of phishing is emails pretending to be from a legitimate retailer, bank, organization, or government agency. The sender asks to “confirm” your personal information for some made-up reason: your account is about to be closed, an order for something has been placed in your name, or your information has been lost because of a computer problem. Another tactic phishers use is to say they’re from the fraud departments of well-known companies and ask to verify your information because they suspect you may be a victim of identity theft!
  • Don’t click on links within emails that ask for your personal information. Fraudsters use these links to lure people to phony Web sites that look just like the real sites of the company, organization, or agency they’re impersonating. If you follow the instructions and enter your personal information on the Web site, you’ll deliver it directly into the hands of identity thieves. To check whether the message is really from the company or agency, call it directly or go to its Web site (use a search engine to find it).
  • Beware of “pharming.” In this latest version of online ID theft, a virus or malicious program is secretly planted in your computer and hijacks your Web browser. When you type in the address of a legitimate Web site, you’re taken to a fake copy of the site without realizing it. Any personal information you provide at the phony site, such as your password or account number, can be stolen and fraudulently used.
  • Never enter your personal information in a pop-up screen. Sometimes a phisher will direct you to a real company’s, organization’s, or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
  • Only open email attachments if you’re expecting them and know what they contain. Even if the messages look like they came from people you know, they could be from scammers and contain programs that will steal your personal information.
  • Know that phishing can also happen by phone. You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
  • Be suspicious of any email with urgent requests for personal financial information
    – unless the email is digitally signed, you can’t be sure it wasn’t forged or ‘spoofed’

    – phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately

    – they typically ask for information such as usernames, passwords, credit card numbers, etc.

    – phisher emails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are

  • Don’t use the links in an email to get to any web page, if you suspect the message might not be authentic
    – instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser

  • Avoid filling out forms in email messages that ask for personal financial information
    – you should only communicate information such as credit card numbers or account information via a secure website or the telephone

  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser
    – to make sure you’re on a secure Web server, check the beginning of the Web address in your browser’s address bar – it should be “https://” rather than just “http://” (see also the padlock at the bottom right of Internet Explorer).

  • Consider installing an anti-phishing toolbar to help protect you from known phishing fraud websites
  • Regularly log into your online accounts
    – don’t leave it for as long as a month before you check each account

  • Protect your computer with spam filters, anti-virus and anti-spyware software, and a firewall, and keep them up to date. A spam filter can help reduce the number of phishing emails you get. Anti-virus software, which scans incoming messages for troublesome files, and anti-spyware software, which looks for programs that have been installed on your computer and track your online activities without your knowledge, can protect you against pharming and other techniques that phishers use. Firewalls prevent hackers and unauthorized communications from entering your computer.
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate

Ref: The Bank of Kuwait and the Middle East – Kuwait.