Ok, what is a phishing email, I hear you ask. Right, here is the Wikipedia definition....

"In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (YouTube, Facebook, MySpace), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication it requires skill to detect that the website is fake. Phishing is an example of social engineering[2], and exploits the poor usability of current web security technologies [3]. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. techniques used to fool users

A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996. The term is a variant of fishing,[4] probably influenced by phreaking,[5][6] and alludes to baits used to "catch" financial information and passwords."

Phishing definition from Wikipedia.com

So what does that mean in simple terms? An email purporting to be from your bank requesting logon details so they can empty your account.  "Surely the bank already has my PIN number and internet credentials".  No, they don't.  The most that they will be able to get is your internet identification number; all passwords and PIN numbers are not accessible by anyone who is customer-facing - they have no need to get them either!!

Now, these are what the emails look like and how to see that they are fake..... Please note that these were viewed using Microsoft Outlook 2003; other email readers may show them differently.


I've highlighted some instances where you can see that there are issues (working from top to bottom):

1. The email address is not abbey.com - be warned.

2. Companies the size of Abbey don't tend to send group emails; they would pay for a professional email to be sent to you, and more than likely the email would be personalised, in my case to Mr Bennett.

3. SPAM - Outlook identified this as spam and consigned it to the appropriate junk folder.

4. "in this year 2009" - now I'm not the greatest at english but that is really really bad.

5. "instance of fraud" - surely this should be "instances of fraud"

6. "online experience" - surely they would use something a little less internet related e.g. "out of your day".

7. The link, when hovered over, clearly shows that this isn't going to send you to an Abbey (or Santander) related website.  AVOID THIS LIKE THE PLAGUE!!!!

I'd also be very surprised that there are no other links on the page.  No buttons?  I would have expected there to be a link to the Abbey website at least, and perhaps even to their fraud information pages.


Right, now this MBNA email is a little different.  Again, working from top to bottom.

1. (unhighlighted... oops) The email address purports to be from MBNA.

2. It's personalised to my email address.

3. No serious company, especially one as big as MBNA, would put a full URL link on a page; I would also be very, very surprised if they used a "tinyurl" link.  They would use buttons or text-based links (as shown in the Abbey email).

4. The link, even though it's shown as a full URL, doesn't send you to that page; again, this is revealed simply by hovering over the link, and the real destination shows up in the ALT text.

5/6.  Why would you tell a customer not to reply to an email from their bank TWICE?
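As an added example (not part of the original post), here is a small Python script that automates the two checks used on both emails above: whether the sender's domain is the bank's, and the hover-over check that a link's visible text matches where the link really goes. The sample message, the sender address and the "mbna.example" domain are constructed stand-ins, not real addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
from email.utils import parseaddr

# Constructed sample modelled on the MBNA-style message above: the visible link
# text is a full URL, but the href underneath points somewhere else entirely.
SAMPLE_FROM = "MBNA Security <alerts@mbna-secure.example.net>"
SAMPLE_HTML = """<p>Please confirm your details at
<a href="http://login-verify.example.net/mbna">http://www.mbna.example/secure</a>
or use <a href="http://tinyurl.example/x7q">this short link</a>.</p>"""
EXPECTED_DOMAIN = "mbna.example"  # assumed: the bank's genuine mail domain


class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased hostname if text is a URL or bare domain, else None."""
    if not text or any(c.isspace() for c in text):
        return None
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host.lower() if host and "." in host else None

def phishing_indicators(from_header, html_body, expected_domain):
    """Warnings for: wrong sender domain, text/href host mismatch, off-domain links."""
    warnings = []
    sender = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if sender != expected_domain:
        warnings.append(f"sender domain {sender!r} is not {expected_domain!r}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        if shown and target and shown != target:
            warnings.append(f"link text shows {shown!r} but goes to {target!r}")
        elif target and target != expected_domain:
            warnings.append(f"link to {target!r} is not on {expected_domain!r}")
    return warnings
```

Calling `phishing_indicators(SAMPLE_FROM, SAMPLE_HTML, EXPECTED_DOMAIN)` on the constructed message returns three warnings: the wrong sender domain, the link whose text says mbna.example but goes to login-verify.example.net, and the shortener link.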


What has been done in recent years about combating this type of fraud?  Well, there is something that a lot of banks are adopting called "Two Factor Authentication" (TFA).  Now, the banks are asking for:

1. Your Internet Banking ID (which you know)

2. Password

3. Date of Birth (or month / year)

4. A code from a device which produces a random number (HSBC and Barclays devices shown below)

N.B. the TFA fob works in different ways depending on which bank you're with.  It is also important to note that the HSBC fob is for BUSINESS users only at the moment.


Now, this isn't supposed to scare you; it's to reassure you.  I'm a very big internet banking user and with some of the advances in technology and security I am not concerned at all.  Yes, I know a few more things about online fraud than the average bear, but if you think about it this way: without customer accounts, cross-selling etc. the banks would fold.  So they need your money as much as you need them :-).