Tuesday, April 16, 2024

Identifying “Spoofed” Websites

Are you certain that the site you are looking at is what it appears to be? Is it coming from the company it claims to?

The Crime

You click a link on a page or in an email you have received. And why not? The email is from the bank, it has their familiar logo and all their usual wording in it. The clicked link takes you to a page with the usual account login fields for you to put in your username and password. The URL up in the address bar is the usual URL for your on-line banking and so you're pretty comfortable. You type in your username and password but for some reason it doesn't take. You try again and you're logged in in the usual fashion and see all your account details. Everything is as it should be. Or is it?

Unfortunately, it is very possible that you have just become a
victim of a crime involving a "spoofed" website address and the contents of all
your bank accounts are now at risk.  How does it work, and what can you do
to protect yourself?  Let’s take a look.

The criminal starts by obtaining a legitimate email from the
bank in question.  This could have come from an actual account they or one
of their associates opened, or it may have come from the email program in a lost
or stolen notebook or home computer.  They also copy the login page from
the bank.  Using phony ID they set up a site on a hosting company somewhere
and put up the copy of the login page, but with some code written into it to
capture the entered username and password and transfer the visitor to the
legitimate login page.

Next, they send out the emails with some pretext that requires
you to login and check something on your account.  The emails have spoofed
sender and return addresses so that they look like they came from the bank. 
The link in the email uses another spoofing technique to display the legitimate
website address in the address bar and status bar of your browser while actually
displaying the fake page.  You click it, it takes you to the fake page, but
everything looks normal to you.  You type in your username and password;
the fake page captures your identification and sends you over to the legitimate
login page.  Depending on the way the bank’s site (or auction, or web
payment or any other financially useful page) is constructed, it might also be
possible for the fake page to pass your identification over to it so that it
logs you right in without you having to type it a second time.

Recognizing the Crime in Progress

Using the web for bill payments and on-line banking is such a
convenience.  It’s also pretty safe if you can recognize these spoofs and
avoid them.  So how can you tell if the site you’ve landed on is the site
you think it should be?  First, any site dealing with financial matters,
whether banking, buying, selling, transferring money or using money or credit or
debit cards in any way at all, should be secured with SSL/TLS.  This is
"Secure Sockets Layer/Transport Layer Security".   If the site doesn’t
use SSL/TLS (commonly just called SSL), don’t use the site.  SSL encrypts
data being sent back and forth between your browser and the server hosting the
site, but it can also be used to verify the identity of the server.

When SSL/TLS is in use, a padlock is shown in the status bar (in Netscape, the padlock is always there, but is open on unsecured sites and closed on secure sites; other browsers may use different symbols). If you don't see the status bar, in Internet Explorer click "View/Status Bar", in Netscape click "View/Show-Hide/Status Bar", to enable it. Double click the padlock icon and the certificate details are shown. The "Issued To" name should be the name of the site. If it is not, you may well be looking at a spoofed site, and shouldn't provide any of your information.

If the site is not an SSL secured site, perhaps because it
doesn’t actually use financial information but collects or uses some other
personal information, you should consider carefully whether or not you want to
provide any of the requested information.  These sites can also be spoofed,
but you won’t have the SSL certificate to help you identify the spoof. 
Instead, this JavaScript code, copied and pasted into the address bar, will
provide you with the site and server identification:

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
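The same comparison the address-bar snippet makes (the host the browser actually connects to versus the address the user believes they are visiting), extended from one page to every link in a message, as an added example that is not part of the original article. It goes a little beyond the text: it also catches the userinfo trick, where a link such as https://bank.example@evil.example/ displays the bank's name but lands on the attacker's host. Modern browsers strip the javascript: prefix when it is pasted into the address bar, so this is written as ordinary JavaScript that runs under Node.js or in a browser console; the sample links and the names bank.example and evil.example are constructed for this example.

```javascript
// Added example, not code from the original article: flag links whose visible
// text names a different host than the one the browser will actually open.
// The sample links and the hostnames bank.example / evil.example are constructed.

// Hostname of a URL string, lower-cased, or null if it does not parse. The URL
// parser resolves "https://bank.example@evil.example/" to the real host,
// evil.example; the part before "@" is userinfo, not the site.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Hostname implied by what the user sees. Link text is often a full URL or a
// bare domain ("bank.example"); any other text ("Click here") yields null.
function hostFromVisibleText(text) {
  const trimmed = text.trim();
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed)) {
    return hostOf(trimmed);
  }
  if (/^[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(trimmed)) {
    return hostOf("https://" + trimmed);
  }
  return null;
}

// Check one link. Returns a plain object so a caller (a mail-client add-on,
// a content script, a test) can decide what to do with the result.
function checkLink(link) {
  const shownHost = hostFromVisibleText(link.text);
  const realHost = hostOf(link.href);
  const suspicious =
    shownHost !== null && realHost !== null && shownHost !== realHost;
  return { text: link.text, href: link.href, shownHost, realHost, suspicious };
}

function findSuspiciousLinks(links) {
  return links.map(checkLink).filter((r) => r.suspicious);
}

// Constructed sample: links as they might appear in a phishing email.
const SAMPLE_LINKS = [
  { text: "https://bank.example/login", href: "https://bank.example/login" },          // honest
  { text: "https://bank.example/login", href: "https://evil.example/bank/login" },     // shown host != real host
  { text: "bank.example", href: "https://bank.example@evil.example/login" },           // userinfo trick
  { text: "Click here to verify your account", href: "https://evil.example/verify" },  // no host in the text
];

for (const r of findSuspiciousLinks(SAMPLE_LINKS)) {
  console.log(`Suspicious: text shows ${r.shownHost} but the link goes to ${r.realHost}`);
}
```

The fourth sample link is deliberately left unflagged: "Click here" names no host, so there is nothing to compare, and the only safe reading of such a link is the article's own advice, namely type the address yourself rather than follow it.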

Prevention

So much better than cure!  The best way to prevent yourself
from becoming a victim of a spoofed site is to never use a hyperlink to get to a
financial page unless you are CERTAIN that it is a legitimate link.  That
means, never use a link in any email to take you to a financial page. 
Instead, type the address into the address bar yourself.  This is a minor
inconvenience compared to having your bank accounts emptied.

If you started by typing in a known address to a site and you
are now following links through the site to its secured financial pages, you can
be pretty sure they are legitimate links.  If you’ve been taken off to
another site somehow, and are now being returned to the financial pages, I’d be
more cautious if I were you — time to check that SSL certificate!

If you typed in the address to a site to visit it and then saved
it in your "favorites" list (bookmarks), you can trust it (unless you believe somebody with
malicious intent might have had access to your favorites list!)  The best
way, however, is to memorize the address and type it in yourself.

One more thing: I know it's convenient to use the same password for all the secured sites you use, but it's just not a good idea. Think up a way to create a password that varies from site to site, perhaps using something about the site as a part of the password. When creating passwords, think first about how easy it would be for someone else to figure it out. Your child's name, your dog's name, your address and phone numbers, birthdays, etc. are all very bad ideas. Devise something else that's personal enough to remember, but not easy to guess. Complicated is good! Mixtures of numbers, letters and special characters are good! Words are bad!

And lastly, don't write passwords down, remember them. (DON'T WRITE THEM DOWN!)
