NOT Gone phishing
Archive - Originally posted on "The Horse's Mouth" - 2006-02-05 10:24:15 - Graham Ellis
Early last week, I was giving a training course on Perl and talking a little bit about Perl objects - how all the internal logic that's associated with a particular type of data can be hidden within a source file, so that the person writing the code to call it up only needs to understand what to put in and what's returned. This characteristic is known as encapsulation, and it allows a medium to large sized application to be built and tested stage by stage, leading to more robust code that can be easily maintained.
It's my norm during such training sessions to select a delegate at random, ask him what his hobby is, and write a class of objects based on that. The demonstration shows that only the expert (the hobbyist) need know the technical detail - all the other users can simply build on his encapsulated skills. But last week I rather took my delegate by surprise and he didn't suggest anything. "Fishing", I said, and he looked glum; alas, he felt as I do that fishing is cruel and wasn't happy. So as a compromise, we switched to phishing.
Phishing (with a P-H) is the new term for sending out emails purporting to be from a major financial institution and asking users to log in, via a link in the email, to the web site to update their contact details. Except that the link is NOT to the real site of the institution, but to a fraudster who gathers the personal information entered ... giving him access to his victim's identity and bank account. Truly a nasty business.
On Thursday evening, I went along to a meeting of a local business committee that I had been invited to join (a story for another blog, perhaps) and one of the subjects that came up there was phishing by phone. It seems that there's a line of fraudsters out there at the moment who are phoning people and pretending to be from their bank. "For security purposes" they're asking for details such as the 3 digit code printed on the rear of your card - the card security code that no genuine caller needs .... Oops.
I always try to be very careful when I'm phoned up by someone who says they're from the bank. Alas, often they really are from the bank, but I've taken to asking them security questions in reverse ... for example, I might ask them about a recent transaction on my account rather than the other way around. Only rarely will they co-operate; even though THEY are the ones who phoned me, and they must know they called the right number, they're not allowed to trust that they dialled correctly. Odd, isn't it, how there's one set of rules for them ...
How to break this mutual lack of trust, thrust on us by the phishermen? Well - if you ask your caller for their email address and insist that they give you one on the bank's main domain (check the domain exactly, not just that the bank's name appears somewhere in it), I think that's a good step. You can then email them and ask them to call you back quoting something from the email. It's not going to save you against an "inside job", but it will mean that you've put them over a hurdle that should be easy enough for the genuine caller, but tough for the fraudster, who can't read mail sent to the bank's own domain.
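The call-back check above, written out as code so the two places it can go wrong are explicit. This is an added example, not code from the original post or from any bank: the bank domain examplebank.co.uk, the addresses and the one-hour lifetime are all made up for the illustration. The first function checks that the address the caller gives is genuinely on the bank's domain (or a subdomain of it), rejecting lookalikes such as examplebank.co.uk.evil.example or examplebank-secure.co.uk that a plain "contains the bank's name" test would let through; the class then issues a fresh random token to email to that address and accepts it only once, only before it expires, and only with a constant-time comparison.

```python
import hmac
import secrets
import time

# Constructed assumption: the domain the bank genuinely sends mail from.
BANK_DOMAIN = "examplebank.co.uk"


def is_on_bank_domain(email: str, bank_domain: str = BANK_DOMAIN) -> bool:
    """True only if the address is on the bank's domain or a subdomain of it.

    A substring test ("examplebank" in email) would accept lookalikes such as
    'help@examplebank.co.uk.evil.example' or 'help@examplebank-secure.co.uk',
    so the DNS labels are compared from the right-hand end instead.
    """
    if email.count("@") != 1:
        return False
    local, domain = email.rsplit("@", 1)
    if not local or not domain:
        return False
    domain = domain.lower().rstrip(".")
    bank = bank_domain.lower().rstrip(".")
    return domain == bank or domain.endswith("." + bank)


class CallbackChallenge:
    """Out-of-band challenge for an inbound 'I'm from the bank' call.

    issue() produces a random token to be emailed to the caller's address on
    the bank's domain; verify() accepts that token once, from the call-back,
    before it expires. Only someone who can read mail at that address can
    quote it, which is the hurdle the post describes.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._pending = {}  # email -> (token, expiry time)

    def issue(self, email: str, now: float = None) -> str:
        if not is_on_bank_domain(email):
            raise ValueError("address is not on the bank's domain")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(12)  # unguessable, unlike a transaction detail
        self._pending[email] = (token, now + self.ttl)
        return token

    def verify(self, email: str, quoted: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(email, None)  # single use: a replay fails
        if entry is None:
            return False
        token, expiry = entry
        if now > expiry:
            return False
        return hmac.compare_digest(token, quoted.strip())


if __name__ == "__main__":
    challenge = CallbackChallenge()
    caller = "fraud.team@examplebank.co.uk"
    token = challenge.issue(caller)
    print("email this to", caller, ":", token)
    print("call-back quoting it accepted:", challenge.verify(caller, token))
    print("second attempt with same token:", challenge.verify(caller, token))
```

The `now` parameters exist only so the expiry logic can be exercised without waiting; in use you call `issue()` and `verify()` with the real clock. Note what this does not cover, exactly as the post says: a genuine insider with access to the mailbox passes the check.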
What a long way from my phisherman class, which can be found at this link and which you can learn all about on this course.