Business Link

by Michelle Hardy-Berrington

Cyberspace has become a happy hunting ground for a variety of criminals, and both companies and individuals are at risk. Here is how to stop yourself getting virtually mugged – or your company bank accounts raided.

Types of Internet fraud

Phishing is the most common type of online fraud. Criminals send an email that appears to have been sent from your bank asking you to confirm your personal details. This should immediately put you on the alert as no financial institution will ask you to confirm your details via email or telephone.

Key-logging software records which keys you press when you bank or transact on the Internet. The software is installed at Internet cafés or can be sent to you as an email attachment from an unfamiliar address. The rule is if it looks suspicious, delete it. This has implications for companies sending out information to clients. It could be trashed or consigned to the spam box because it looks suspicious.

Spoofing is the creation of a website that imitates a bank’s website. Once you enter your details on that website, the criminals can record your personal information and use it to access your bank account. One of the “best” currently is a scam which claims to come from SARS promising you a refund. The very official-looking site even has links to the real SARS site.

Pharming is similar to spoofing in that you are redirected from a legitimate website to a fake website, even though you may have entered the correct website address. Ensure that you transact only on websites with security certificates, indicated by a small padlock icon at the bottom of the browser window.

How to protect your personal and company accounts

Don’t save your password to your computer desktop or ask your computer to “remember this password”
Institute processes in your company where passwords are automatically changed at regular intervals
Install a strong firewall between your company’s network and the Internet. Clark Connect is easy to use, powerful and free to small businesses and NGOs
Enable the firewalls on the individual computers
Ensure your Windows programs are regularly updated to keep ahead of the hackers
When you create a password, use random numbers and letters. Don’t choose a password that someone could guess, such as your birth date. Then write it down somewhere safe.
Always log off after you have finished banking online
Ensure that the security software on your computer is licensed and up-to-date
Never click on hyperlinks in emails. Instead, directly type in the URL in the Internet browser address bar, or call the company on a number known to be genuine
Use an anti-SPAM filter software and a spyware removal software
Visit www.fraudwatchinternational.com or phone the relevant institution to check whether the email or website is genuine
Give everyone in the company who has access to the Internet a copy of this article. As with mugging in the real world, the best way to protect yourself is to be constantly aware of your surroundings and to avoid going to risky places.

Phishing email methods
The initial phishing email is designed to entice the recipient to open the email and click on the link provided using methods such as:

Deceptive Subject Lines appear to be genuinely relevant in an attempt to entice the user to open the email, e.g. “Important notice for all Internet Banking Users”.
Forged Senders Addresses appear as though the email has come from the company it is claiming to be.
Genuine Looking Content in copied images and text styles from the legitimate website portray the email as genuine. Some phishing emails also have genuine links to the company’s privacy policy and other pages on the legitimate website. Trusts and authentication marks are also duplicated.
Disguised Hyperlinks Links display a genuine URL but when clicked will direct the user to a fake website.
Sense of Urgency e.g. “respond within X days or your account will be closed”.

Phishing website methods
The fraudulent website that supports the phishing email is designed to mirror the legitimate website it’s purporting to be using methods, such as:

Genuine Looking Content in copied images and text and in some cases mirror images of the legitimate website.
Similar looking URL to Genuine URL e.g. “http://www.barclayze.co.uk”.
Collection of Information Form is normally displayed in the same format as that used on the genuine website.
Spoofing of Address Bar involves the removal of the address bar or the use of images and text to build a fake address bar.
Pop Up Windows are opened while the genuine website is in the background, misleading the user to think it is directly associated to the genuine page.