How to defend yourself from Phishing

It is an illegal activity that uses a particular technique that consists of sending e-mail messages that have the ability to IMITATE perfectly the WEB SITES of Banks or Post Offices, and in this way, they extract a password to access the current account, or passwords that authorize payments or credit card number.

Phishing, which in English means PESCARE alludes to the use of increasingly sophisticated techniques to steal a user’s financial data and passwords. In this guide, we see how to defend yourself from Phishing.

Let’s see what the attack methodology. The main phases are as follows:

1.) The malicious user (phisher) sends the unlucky user an email message that simulates, in the graphics and content, that of an institution known to the recipient (for example: example his bank, his web provider, an online auction site to which it is registered).

2.) the e-mail almost always contains notices of particular situations or problems occurring with your current account / account (for example: example a huge debit, the expiration of the account, etc.) or an offer of money.

3.) the e-mail invites the recipient to follow a link, present in the message, to avoid the charge and / or to regularize his position with the institution or company of which the message simulates the graphics and the setting (Fake login).

4.) the link provided does not actually lead to the official website, but to a copy similar to the official website, located on a server controlled by the phisher, in order to request and obtain from the recipient particular personal data, normally with the excuse of a confirmation or the need to authenticate the system; this information is stored by the server managed by the phisher and ends up in the hands of the attacker.

5.) the phisher uses this data to purchase goods, transfer money or even just as a ” bridge ” for further attacks. Be careful; banks do not send e-mails with this type of information! At most they send, you registered letters, or invite you to go to the branch to clarify anomalous situations.

How to defend yourself from these cyber attacks

Pay attention to sites that are not authentic. In case of a request of personal data, account numbers, password or credit card, it is a good rule, before canceling, to forward a copy to the competent authorities and notify the bank or other interested parties, so that they can take further measures against the fake site and inform its users.

The customer can check the movements from the account statement, which he can see at the ATM or from his online current account. Many institutions offer a more effective SMS alert service, because it notifies the movement as soon as it is carried out, not when it is registered, which can be several days away. The service is free; the costs of the message depend on the telephone operator.

It is then necessary to lodge a complaint with the Police, and go to the Agency with the copy of the complaint and the lock code. The services in charge will think of tracing any scammers and preventing them from contacting you in the future.

A frequent concern of the users who suffer the tapping is to understand how the perpetrator knew that they have an account at the bank or online service indicated in the message-bait.

Internet explorer users can use an anti-bleed filter that uses a blacklist, and compares the addresses of an abnormal web page with those in a global, centralized database, and fed by anonymous user reports.

Similar protection is present in Mozilla Firefox, which proposes the user to choose between the verification of sites based on a blacklist, and the use of the anti-bleeding service offered by the main search engines.

E-Mail with Job Offers

They invite you to cooperate by saying that they are financial transaction companies, or not for profit, etc .. They send you sums of money by bank transfer (obviously coming from accounts of victims of fishing, so you will be the beneficiaries of these movements).

Then they will invite you (heavily) to withdraw these amounts in cash and to send them via Western Union or other similar services to third parties residing abroad, usually retaining 5% of the amount sent for you.

Do not adhere to these offers, in addition to being in trouble you can be accused of complicity in illicit activities aimed at third-party fraud!

In this last step, the procedures for compensation of damage are explained. According to the Italian legislation, credit institutions are not required to guarantee customers by computer fraud. They are not required to pay compensation amounts due to a breach of customers’ Internet accounts, or the cloning of their debit or credit cards.

Individual contracts for opening a current account and home banking may provide that in specific cases, the bank is obliged to compensate the customer for the amounts wrongly withdrawn. Often, the credit institution is covered by the risk of theft or loss of identification data and cards.

The cost of this reinsurance is reversed on customers, who sometimes benefit from contractual clauses in their favor for this type of coverage.

The institution generally refuses compensation if the customer, in addition to losing the card, has also lost the access PIN; similarly, for home banking it refuses to compensate the sums if the customer has lost the access password together with the token.

The bank (or other institution or company) has the burden of applying both the minimum-security measures established in Legislative Decree 196/03 to protect the customer’s personal data, and to implement all those suitable and preventive measures which, even on the basis of to technical progress, they can minimize risks.

If the bank has not implemented measures that in other, banks are common for the prevention of computer frauds, abusive accesses, etc., for example: could be required to compensate the user for the damage.