How to escape phishing in online banking
Jayshree Mulherkar | February 15, 2006
All my savvy internet banking friends are talking about the phishing attempt on some of ICICI Bank's online banking customers.
Suddenly, everyone is wary of online banking and the critics are even more sceptical.
Let's look at the implications.
What is phishing?
The 'ph' is a replacement for 'f' – as in fishing. It basically means to fish for information from unsuspecting users.
Phishing is the act of tricking someone into giving out confidential information. The term has evolved over the years to include not only obtaining user account details but access to all personal and financial data.
In the case of a bank, it would be financial information that could be used to withdraw funds from an account.
The most common way in which phishing works is by sending an email to a user. This mail could request the user to update or verify the account information by clicking on a link.
The page that appears on clicking the link will look very similar to the bank's web site, and the user will be asked to provide details such as his account number, username, password, personal identification numbers, credit card or debit card number. If he punches in any information on this website, it will be captured by the hackers.
The mail content, by itself, may appear rather straightforward and genuine.
For instance: 'We suspect an unauthorised transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.'
Or: 'During our regular verification of accounts, we were unable to verify yours. Please click here to update and verify your information.'
What must you do in such a case?
When you get an email that appears to be from your bank asking for sensitive personal information, chances are that it is a fraud.
Remember, no bank will ask for your personal details by email.
Forward the mail to your bank immediately, then call and inform them about it.
Don't ever provide your online banking user ID, passwords, credit and/or debit card numbers in response to any mail.
It's not just mails. Also be wary of phone calls or SMSes that ask for such information. And, no bank's representative will ever ask for your password.
When reading the mail, do not click on the links within the email. And, do not cut and paste the link from the message into your Internet browser. Always type the bank's web site address in your browser whenever you want to access your online account.
In the ICICI Bank phishing attempt, it all began when a few customers received an email asking them to update details like their account number and password after clicking on a link in the e-mail.
Apparently, the link in the email took the user to http://www.iciciibank.net while the bank's official address is http://www.icicibank.com (note the additional 'i' after icici and the .net as against .com).
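The ICICI case turns on a one-character change in the host name and a different top-level domain. As an added example (not part of the original article), the Python code below pulls the links out of a mail and flags any whose host is a near-miss of the bank's real domain; the sample mail, the function names and the two-edit threshold are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# The bank's real domain, as given in the article.
OFFICIAL_DOMAIN = "icicibank.com"
BRAND = OFFICIAL_DOMAIN.split(".")[0]  # "icicibank"

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_link(url, max_distance=2):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    host = (urlparse(url).hostname or "").rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Any label equal or nearly equal to the brand name, on a host that is
    # not the official domain, is treated as an imitation. This also
    # catches the right name under the wrong top-level domain.
    for label in host.split("."):
        if edit_distance(label, BRAND) <= max_distance:
            return "lookalike"
    return "unrelated"

def scan_mail(body):
    """Map every http(s) URL found in the mail text to its verdict."""
    urls = re.findall(r"https?://[^\s'\"<>]+", body)
    return {url: classify_link(url) for url in urls}

# Constructed sample mail, using the wording and the link quoted in the article.
SAMPLE_MAIL = """We suspect an unauthorised transaction on your account.
To confirm your identity, please click the link below:
http://www.iciciibank.net
"""

if __name__ == "__main__":
    for url, verdict in scan_mail(SAMPLE_MAIL).items():
        print(verdict, url)
```

A check like this belongs in a mail filter or reporting tool; for the individual user the article's rule still holds: type the bank's address yourself.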
What if you did click on the link and even provided some information?
In that case, you need to do two things. First, change your passwords immediately. The moment you do that, call up the bank and report the incident. They may block all payments on your credit card and may also disable your online banking account. Here, too, you must forward the mail to them.
What banks do to ensure safety
Banks, on their part, use 128-bit Secure Sockets Layer (SSL) encryption technology to encrypt the information you send online. This protects the information exchanged between your computer and the bank's web site while it is in transit, so that details such as login and password remain secret.
SSL is the universally accepted standard for authenticated and encrypted communication between the customers' computers and the bank servers.
Banks also have a firewall, a virtual electronic wall, to prevent unauthorised access to the bank's servers and to keep hackers from hijacking information.
And, if a wrong password is typed in three times consecutively – by, for instance, someone trying to guess it – online access to the account is disabled. You may have to visit the bank to reactivate the account after such an attempt has been made.
Some banks cut off access for a certain amount of time, after which it is restored.
Another safety feature is the timed logout, which means the session is automatically terminated if it's not active for a certain period.
Tomorrow: What you must do to play it safe and ensure that you are never a victim of online fraud.