Incidents of phishing targeted against holders of UK bank accounts are up, but losses are down. UK banking association APACS cites more than 10,000 reported phishing incidents in the first quarter of 2008, a more than 200 per cent rise from the same period last year. Online banking fraud losses, however, decreased by a third …
"93 per cent of people have anti-virus software on their PCs, almost one in three people (29 per cent) don’t have any anti-spyware software."
that's because the A/V A/S sellers confuse the market.
if someone is on your machine that you don't want, it's a virus as far as most people are concerned.
Ask the average Joe: if they had a password-stealing program on their machine, what would they run? Most would say "Oh, an AntiVirus".
What is needed is a single product, but most companies like to sell you two items (or three if you include a firewall).
Most people would prefer a simple all-in-one package (that works). You click one button and it does everything.
These are only 'reported' losses
"Online banking fraud losses, however, decreased by a third from £33.5m in 2006 to £22.6m in 2007."
Yeah right. *Reported* losses probably decreased. Because you can no longer (usefully) report phishing/account problems to the police, the only people who can collate the losses are the banks. i.e. we no longer have centralised reporting for this sort of crime.
And what are the odds of the banks self-reporting "Our bank lost XXX last year..."? We're having enough problems getting out of them how much they've lost in the sub-prime debacle.
looks like they'll have to offer people more choccy bars for their passwords!
I'd dispute whether 'reported' figures are massaged significantly by the banking industry to be honest, if only because I fail to see how they would benefit by doing so. They appear, after all, to be happy to make it clear that they consider most of the liability to fall with the customer.
If phishing does make up a significant proportion of bank fraud, I suspect that the answer is rather more simple - customers have simply become more wary of phishing attacks. Contrary to the sort of opinions often posted on here, non-technical users of facilities like internet banking are not thick. They are however often not aware of the risks.
Non-targeted phishing was bound to suffer from the law of diminishing returns and even the dimmest of internet banking customers will become more wary if:
- They receive repeated emails claiming to be from banks that they don't even bank with
- These emails are often written in poor and ungrammatical English
- They receive periodic reminders when they log on to their (legitimate) bank's online service reinforcing the fact that your bank will never ask for certain details. My own bank, Smile, have been very diligent.
You genuinely can't fool all the people all the time. At least not for very long...
If it comes by email
and it's urgent, a legal demand, or from your bank. It's fake. Nothing important comes from a financial institution by email. Ever. And it's their fault if they DO decide to send important stuff.
If it contains bad spelling and grammar, it's fake.
If it comes frum a nown badd speler n itz beutyfully ritten, it's fake.
If it's all in capitals, it's fake.
If it's all in lower case, it's fake.
Any doubt - it's fake.
If it comes from Third Avenue, 7th Floor, New York NY 10012 it's fake.
If the address that comes up when you hover your mouse pointer over a link is different from the one in the link, it's fake.
That's all you need to know.
Barnum has been proved wrong
There were roughly 60,000 people born in the UK last year, so if 20% of them get taken in by phishing scams, that's 12,000 people. There are 525,500 minutes in a year, so that means there is only one born every 43.8 minutes. PT Barnum, eat your hat.
Mine's the one with "watch out, I'm on something" on the back.
Just don't read / open / bother with any banking emails.
If you want to use your online banking, open a new browser window, and by hand type in the name, i.e. w w w.mybank. co. uk; don't click on a link to it.
Just those two simple things will be a great defense starting point.
Always have up-to-date anti-virus software, to meet the bank requirement; a free one like AVG will do.
Always have up-to-date spyware, a free one like Spybot will do, and your bank can't complain you took no precautions etc.
It's over 600,000 born every year in the UK. Barnum is still wrong though.
Anyone actually looked at HTML
I get a lot of phishing emails for some reason - of course as I don't bank with Natwest or Halifax I know that they are fake.
But look at the HTML and you'll find that 99% of the graphics in the email are being served from the banks website.
Now as they say they never send out emails, why on earth are ALL these banks set up to allow image leeching? Why not put a configuration directive in the web server that says if the image is being referred to by something that ISN'T the bank website then replace it with a warning image? If private web masters can do it then surely it's not beyond the wit of a bank?
Proving you have anti-virus?
Hmm... I don't like this very much.
I run Linux, so I don't have any anti-virus installed, or anti-spyware. However, if I were a victim of identity theft, I wouldn't like to have to explain why I don't really need it.
Also, I'm not convinced that having AVG or a free one would do the trick. If it comes down to an argument about liability, what they'll be wanting is a receipt from PC World, not an "I downloaded some free thingy so that's OK".
Does this mean that to cover my ass, I now have to go and buy a copy of Norton so I can pretend to install it on my Linux machine?
This is all about liability, and the banks wanting to reduce theirs as much as possible.
Just properly setup security
First, properly set up security in your browser.
Second (most important): Microsoft, banks, and other big businesses will not send you email, nor will they offer you money for winning. You cannot win a lottery if you have not entered. Most people that lose do so because they are greedy ba5tards.
Third, repeat steps one and two.
Re: Anyone actually looked at HTML
I'm curious. Do you have an example of a web site that blocks image linking?
This can be easily overcome by taking a copy of the image from the bank's web site and saving it somewhere else (such as the server with the phishing login page).
It's funny but....
....the banks never advertise on the telly advising their marks to avoid email scams, maybe they are afraid of ruining their 'online brand reputation'.....
If you click, you stupid.
I've never used it but I remember in the control panel for my free hosting with my ISP there was an option to turn on the image leeching protection. So I guess that it's pretty standard fare...
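The referer-based image check proposed in "Anyone actually looked at HTML" and discussed in the two replies above, as an added example that is not from any of the commenters: an Apache mod_rewrite fragment for a virtual host, where example-bank.invalid, the /images/ path and the warning image name are assumed placeholders.

```apache
# Added example: swap a warning image in for bank graphics embedded from another site.
# Hostname, image path and warning file name are placeholders, not any real bank's config.
RewriteEngine On

# Never rewrite the warning image itself, or the rule below would loop on its own output.
RewriteCond %{REQUEST_URI} !^/images/warning-hotlinked\.png$

# Let through requests with no Referer at all: mail clients, privacy-stripped browsers
# and direct visits send none, and blocking them would break legitimate use.
RewriteCond %{HTTP_REFERER} !^$

# Let through requests whose Referer is one of the bank's own pages.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example-bank\.invalid/ [NC]

# Everything else is a foreign page embedding the bank's graphics:
# serve the warning image in place of whatever was requested.
RewriteRule ^/images/.*\.(gif|jpe?g|png)$ /images/warning-hotlinked.png [L,NC]
```

Because empty Referers are deliberately allowed, this only catches images embedded in a web page such as a phishing login page, not images rendered by a mail client; and, as the reply above notes, a phisher who copies the graphics to their own server is untouched.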
Security for the masses?
The smug smiles of some of the posters here "advising" us on security should consider the full Abraham Lincoln quote: "You can fool all the people some of the time, and some of the people all the time, but you cannot fool all the people all the time."
I like the convenience of Internet Banking, but I fear the security risks (As an IT professional I am technically competent and security aware, so I know what can go wrong ;-)
It seems to me that the biggest risk is someone setting up a payment from a compromised account or changing details; I suggest that any such "transactions" should be confirmed by email or SMS so customers would be immediately alerted and could block fraudulent transactions. Naturally, changing email address and mobile number online would need to be disabled.
I would not want email or mobile methods used for advertising material; that should remain a separate opt-in.
How will the banks know...
if their customer has been robbed because of a successful phishing expedition or a Phorm-related incident. I'll bet it'll be up to the consumer to prove it wasn't their fault. Wow, are you guys sure you should be selling Phorm stock? I think it's gonna make a lot of people rich.
@Dave and Leslie
Unfortunately some serious institutions DO send important stuff (or require important info) through mail. And they fail to understand why it bothers you even when you explain.
As for the "don't follow the link, type w w w.mybank. co. uk instead"... lame. If you're gonna be paranoid, do it right, dude. Type the IP, not the domain name. Even when following a link you can check the domain it links to and spot errors, but it doesn't mean you'll dodge DNS spoofing.
Having read the story, I was about to make the same point about us Ubuntards but James beat me to it - he makes valid points.
I find myself in two minds on the issue. On the one hand, banks have not exactly endeared themselves to the public recently with massive salaries rewarding massive failures. I find it hard to sympathise with businesses that have ripped me off for years, run crying to the taxpayer when their own foolish greed and ill-advised lending hit their profits and now, seemingly, want to shift responsibility for insecure online activity to us punters.
On the other hand, with my IT hat on, I find it scarcely credible that after years of publicity about phishing scams, a small minority of idiotic computer users are daft enough to respond to unsolicited emails and supply personal information that self-evidently could be used to empty their accounts.
But perhaps it's not surprising that phishing still finds marks - there is just so much of it going on. I filter between one and three dozen spam emails a day. Two years ago, I reckon only one in fifty purported to be from a financial institution - now it's more like one in five and just about every major bank and building society is represented.
What is the answer? Well, in my case it is simple - I never use any online banking service and I am hyper-cautious bordering on paranoid. But simply not using legitimate and useful services isn't much help to most people. Obviously, the banks need to tighten up their online act and also have an obligation to educate their customers about security. But equally, punters need to exercise more caution and inform themselves about the systems they use daily - RTFM.
My bank used to have the best anti-phishing protection going. You could only pay money to people or companies you'd already set up. If you wanted to pay money to someone you'd never paid before you had to ring up and talk to a person to set it up.
Now "for our convenience" (more likely to save them money) they've made it so we can set up new payments ourselves. Now any phisher logged in from abroad can set up a payment to one of his mules easily and quickly. The bank don't seem to understand that this has actually harmed security.
My ex-credit card company is worse. I tried to place an order at a big-name website. They declined it on a whim because it might be fraudulent. I then got a phone call from a computer telling me "This is not a marketing call, it's an important call from your bank." The recorded message asked me to enter my card number, dates and the 3-digit number off the back. I didn't and called the bank to report a potential fraud. The person in the fraud department berated me for not answering the computer's questions, was rude, patronising and couldn't understand why I wouldn't enter my details to an unsolicited phone call from a computer when the bank had told me never to give them out in case of fraud. She also told me I was being unreasonable to be angry because the item I'd ordered was low on stock and the last one had gone by the time I realised my bank had declined the transaction.
I'm just waiting for someone to download the sample transaction recordings from the company that makes the computer that called me (they are on their website) and write a piece of voip-phishing software using the real voice.
These people wonder why their customers are becoming the victims of fraud...
Paris, because she knows more about security than these people.