It is not often that a single event stops a nation in its tracks, but the gravity of the February earthquake in Christchurch unfortunately achieved just that. The earthquake has devastated infrastructure, taken the lives of over 150 people and left many more without food or shelter.
As we are exposed to countless images of the earthquake’s destructive impact, it is hard not to be affected by the sadness, pain and loss that those affected are experiencing. Amidst this devastation, however, is the compassion, generosity and selflessness that many New Zealanders are demonstrating, whether through donations, volunteer work or other acts of kindness.
Unfortunately, this empathy does not extend to all of humankind. As the effects of the earthquake were revealed through various media, so were reports of looting throughout Christchurch. Another form of criminal activity also emerged – phishing attacks.
Phishing techniques
“Phishing” is the process of attempting to obtain personal information (such as user names, passwords, bank account or credit card details) from the unsuspecting public (often by masquerading as a trustworthy organisation) in an electronic communication. Phishing is usually carried out by email or instant messaging and directs people to enter their personal details on a fake website that is almost identical to the legitimate one.
For example, a phishing email may masquerade as a legitimate email from a bank requesting customers to submit their personal information online. The email will direct customers to a fake website that looks like the bank’s website so as to entice customers to disclose their bank account details online. Such disclosure will enable the phisher to collect the bank account information, illegally access those accounts and transfer money to fraudulent accounts.
(The term “phishing” is a variant of “fishing” and alludes to baits used to “catch” personal information.)
Phishing expeditions
The Ministry of Consumer Affairs has already received numerous reports of scammers using the Christchurch earthquake as an opportunity to exploit the goodwill of New Zealanders, including reports of the following phishing emails:
- Emails claiming to be from “Donate4Charity”, which use a legitimate UK-based charity organisation’s name and website address. These emails ask people to receive donated money from overseas into their bank accounts for a 10% commission.
- Emails claiming to be from Red Cross, which direct people to a fake phishing website where people are asked for credit card details. The phishing website has the same look and feel as the genuine Red Cross website.
The Ministry of Consumer Affairs has also received reports of emails claiming to be from ANZ bank, which are addressed to ANZ customers in Christchurch and advise them that ANZ has lost their customer internet banking details. The email asks the customers to click on the provided link and enter their Customer Registration Number and Password details so ANZ can update their account.
While the above are recent examples of phishing emails in New Zealand, phishing attacks occur worldwide and target various people and organisations.
In late 2009, around 10,000 users of hotmail.com, msn.com and live.com were affected by a phishing attack which resulted in those users’ user name and password details (i.e. user credentials) being posted online at a third-party website, pastebin.com. This public disclosure of user credentials meant that any person could access and modify the affected user account, including making changes to the inbox or contacts list, or deleting the account. Upon learning of the attack, Microsoft immediately requested that the user credentials be removed and advised the users to change their account passwords as soon as possible.
A day after the attack on the Hotmail, MSN and Live users, Google confirmed that Gmail was also the victim of a phishing attack. This attack did not, however, result in user credentials being posted on a third-party website. The attack tricked Gmail users into disclosing their user credentials to the phishers. As soon as Google learned of the attack, it forced a password reset on the affected user accounts and advised its users to only ever enter their Gmail sign-in credentials to web addresses starting with https://www.google.com/accounts.
Continued threat
During the last few years there has been a decrease in the number of phishing emails. The reasons for this include computer users becoming more educated about phishing and, therefore, being able to identify fake websites, security software getting better at filtering out phishing emails, and phishers moving onto other kinds of attacks (for example, use of Trojan Horse programmes).
However, despite the reduction in the volume of phishing emails, phishing attacks are still a threat and, therefore, great caution must be exercised every time you receive an email that includes a link and/or asks you to provide personal information.
Weathering the storm
You do not need to be tech-savvy to protect yourself from phishing attacks; you just need to be careful when being asked to share personal information online. You should also follow these recommendations:
- Always be suspicious of emails that are from people that you do not know.
- Even if the sender looks legitimate, always be suspicious of links and/or attachments included in an email. Avoid clicking any link or opening any attachment unless you know what it is.
- Never provide personal information over an email. Organisations should never send emails requesting that you confirm or provide them with your personal information in the email.
- If asked to provide/update personal information on a website, access the website via the browser. Never click on a link embedded in your email.
- Check that the website has a “lock” at the bottom right of your browser window. This signifies that the organisation uses encryption to securely transfer information. Also check that the website has an address that begins with https://, as opposed to http://.
- Protect your computer with effective anti-virus and anti-spam software.
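The address checks described above (Google's advice to sign in only at addresses starting with https://www.google.com/accounts, and the https:// recommendation in this list) can be carried out mechanically, as in this added example, which is not part of the original article. It goes one step beyond the text by comparing the parsed host name exactly, because an address can begin with familiar-looking text and still lead to a different site. The function name and every sample address are constructed for illustration.

```javascript
// Added example: the trusted prefix is the one quoted in the article;
// every candidate address below is constructed for illustration.
const TRUSTED_PREFIX = "https://www.google.com/accounts";

// Returns { ok, reason } for a link a user is about to follow.
function checkSignInUrl(candidate, trustedPrefix = TRUSTED_PREFIX) {
  const trusted = new URL(trustedPrefix);
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Text before "@" is user info, not the site: the real host follows it.
  if (url.username || url.password) {
    return { ok: false, reason: "contains user info before the host" };
  }
  // Compare the parsed host exactly; a plain "starts with" test on the
  // string would accept "www.google.com.something.example".
  if (url.hostname !== trusted.hostname || url.port !== trusted.port) {
    return { ok: false, reason: `host is ${url.host}` };
  }
  // The path must be the trusted path itself or sit beneath it.
  const base = trusted.pathname.replace(/\/$/, "");
  if (url.pathname !== base && !url.pathname.startsWith(base + "/")) {
    return { ok: false, reason: "unexpected path" };
  }
  return { ok: true, reason: "matches trusted sign-in address" };
}

// Constructed sample links, as they might appear in an email.
const samples = [
  "https://www.google.com/accounts/ServiceLogin",
  "http://www.google.com/accounts",
  "https://www.google.com.accounts-login.example/accounts",
  "https://www.google.com@login.example/accounts",
  "https://www.google.com/accountsx",
];
for (const link of samples) {
  const { ok, reason } = checkSignInUrl(link);
  console.log(`${ok ? "OK    " : "REJECT"} ${link} (${reason})`);
}
```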