ESTec Security



Phishing Attacks

Over the last year we have seen a rapid increase in attacks against personal information. These attacks are typically e-mail requests for you to update your personal information and are often accompanied by a "threat" that if you fail to update the information, your bank account, PayPal account, credit card or other financial service will be suspended until the information is updated.

Attackers use this information as a starting point for identity theft. At the first level the information gathered will give them account numbers and access codes, but it will also typically give them enough information to allow the criminal to start applying for credit cards and loans in your name.

Victims of phishing attacks and identity theft find themselves sued for failure to pay, missing money from their accounts, and left with a damaged credit rating. It can take years to recover from this kind of attack.

A sample e-mail received in our office linked to a site that had a full copy of the signup screen from the bank. A second sample linked to a web site that installed JavaScript that captured the user ID and password, then redirected the balance of the session to the legitimate bank web site. If you logged in, it would send your user ID and password to the criminal site.

To protect yourself from phishing attacks and identity theft, NEVER respond to one of these e-mails. DO NOT click on the link. A variant of the second phishing attack has been seen which installs a hosts file on your computer. This redirects all attempts to contact certain financial institutions to the attackers' web site, where they collect the information needed to access your account as you are going about your regular business. This "man in the middle" attack allows them to see everything you type in as you are trying to communicate with your financial institution, even though you are working on an encrypted link.
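One way to check for the hosts-file redirect described above, as an added example that is not part of the original page: a Python script that parses hosts-file text and flags watched financial hostnames pinned to a routable address. The hostnames, addresses and watchlist are constructed placeholders.

```python
import ipaddress

# Names that normally appear in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample input (documentation-range addresses, .example names).
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real machine
127.0.0.1     localhost
::1           localhost ip6-localhost
203.0.113.10  www.bank.example online.bank.example   # unexpected entry
0.0.0.0       ads.tracker.example
198.51.100.7  intranet.corp.example
"""
WATCHED = ["bank.example"]  # hypothetical watchlist of institutions you use

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # drop zone id
        except ValueError:
            continue                                # not an address line
        for name in fields[1:]:                     # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched):
    """Return (severity, line_no, ip, hostname) findings for suspicious mappings."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        local_sink = ip.is_loopback or ip.is_unspecified
        if is_watched and not local_sink:
            findings.append(("HIGH", line_no, str(ip), name))    # redirect of a watched site
        elif is_watched or not local_sink:
            findings.append(("REVIEW", line_no, str(ip), name))  # unusual, needs a look
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(*finding)
```

To audit a real machine, pass the contents of `/etc/hosts` (Unix-like systems) or `C:\Windows\System32\drivers\etc\hosts` (Windows) as `text`.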

If you receive an e-mail that is legitimately from your financial institution, it will not ask you for personal information over the internet. Instead, it will ask you to phone or contact your branch office. If you still believe that the financial institution may be asking for confidential information over the internet, DO NOT supply it over the internet; instead, use the telephone to supply that information.

DO NOT give out the following information over the internet:

Bank account numbers
Credit Card Numbers
Social Insurance Numbers
Date of Birth


©2002 ESTec Systems Corporation. All rights reserved.