So long, and thanks for all the phish

My bank sent me an email recently warning of an increase in phishing attacks. Today I heard a director of the bank talk about the attacks on the radio, stating that the fake website targeting their users not only asks for account number, PIN number, password etc but also for the user’s email credentials – and reportedly, users are falling for this!

These credentials are requested because the internet banking system sends a one-time password (OTP) via SMS or email when certain transactions are conducted. If the attacker controls your inbox as well as your login, they can transfer all your money to an account of their choosing.

However, I disagree with the bank’s advice. The email stated:

Remember, it is safer to type Standard Bank’s web address ( into your browser instead of clicking on a link in an email.

For sure, don’t click on a link in an email to get to your internet banking – but typo-squatters are just waiting for you to mis-type such an important URL and if you got it wrong, would you notice if the site looked just the way you expected it to?

My advice, for all important websites: The first time you go there, type the address – and make very sure you are on the right site. Then bookmark it, and only use the bookmark to get there. This will avoid the risk of spelling it wrong when you are a bit more relaxed and ending up at a fraudulent site.

Even better: Use the petname plugin for Firefox. This will clearly show you if you are visiting the same site (with the same SSL certificate) as you visited before.
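As an added illustration (this is not code from the post, nor from the petname plugin; it only models the idea), here is a small Python "site memory" that follows the advice above: a site is remembered only after the user has verified it by hand once, its certificate fingerprint is pinned at that moment, and later visits are judged against that memory. Host names and certificate bytes are constructed for the demo, and the typo check is a plain edit-distance heuristic, an assumption of this example rather than anything the plugin does.

```python
"""Trust-on-first-use site memory: verify a site by hand once, then rely on
the memory and get warned when the host or its certificate differs.
All hosts and certificate bytes here are constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def host_of(url: str) -> str:
    """Lower-cased host name from a URL or a bare host string."""
    if "://" not in url:
        url = "https://" + url          # treat a bare host like a typed address
    from urllib.parse import urlsplit
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate; this is what gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two host names suggests a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    host: str
    status: str                 # known-site | certificate-changed | lookalike | unknown-site
    resembles: Optional[str]    # the remembered host a lookalike is close to


class SiteMemory:
    """Hosts the user verified by hand, each pinned to the certificate seen then."""

    def __init__(self) -> None:
        self.pins = {}          # host -> certificate fingerprint

    def remember(self, url: str, fingerprint: str) -> None:
        """Call this only after checking the site carefully on the first visit."""
        self.pins[host_of(url)] = fingerprint

    def assess(self, url: str, fingerprint: str, max_distance: int = 2) -> Verdict:
        host = host_of(url)
        pinned = self.pins.get(host)
        if pinned is not None:
            # Same host as before: is it still presenting the same certificate?
            if hmac.compare_digest(pinned, fingerprint):
                return Verdict(host, "known-site", None)
            return Verdict(host, "certificate-changed", None)
        # Not a remembered site: is it suspiciously close to one (typo), or does
        # it embed a remembered name, e.g. bank.example.attacker.example?
        for known in self.pins:
            if levenshtein(host, known) <= max_distance or known in host:
                return Verdict(host, "lookalike", known)
        return Verdict(host, "unknown-site", None)


if __name__ == "__main__":
    memory = SiteMemory()
    real_cert = cert_fingerprint(b"constructed DER bytes of the real site")
    # First visit: nothing is known yet, so the user must verify by hand.
    print(memory.assess("https://bank.example/login", real_cert))   # unknown-site
    memory.remember("https://bank.example/", real_cert)             # the "bookmark" step
    for url, fp in [
        ("https://bank.example/login", real_cert),                                     # known-site
        ("https://bank.example/login", cert_fingerprint(b"some other certificate")),   # certificate-changed
        ("https://bnak.example/login", real_cert),                                     # lookalike (typo)
        ("https://bank.example.attacker.example/login", real_cert),                    # lookalike (embedded name)
    ]:
        print(memory.assess(url, fp))
```

Anything not verified by hand, including a legitimate subdomain of a remembered site, comes back as "lookalike" or "unknown-site"; that is deliberate and matches the rule of using only the bookmark. A "certificate-changed" verdict is not proof of fraud (certificates are renewed), but it is exactly the moment to stop and check the address again rather than type credentials.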

3 Responses to “So long, and thanks for all the phish”

  1. niq, March 27, 2007 at 3:36 pm

    But a bookmark is such a *great* target for script-kiddie armed with a browser bug!

  2. mpt, March 29, 2007 at 5:22 pm

    I would be quite surprised if typo-squatters were really “just waiting for you to mis-type such an important URL”; such domains can be shut down. If my own Junk folder is any guide, most phishing attempts use a domain of the form institution-name.some-unrelated-domain, and they rely on getting victims in the short time between their phishing mail going out and the domain being shut down.

  3. Heidi, March 30, 2007 at 2:06 pm

    Did you watch the SABC news the other night when they interviewed the online head of FNB about phishing? What was worrying was that the presenter seemed to think phishing was related to hacking. The poor dude from FNB patiently tried to explain the difference, but I think the interview resulted in more fear than it was intended to dispel for the average non-techie out there.
