Saturday, March 10, 2007

Secure Ecommerce, Banking and transaction on internet


Phishing is the term given to the criminal practice of sending random emails purporting to come from genuine companies such as banks and ecommerce organisations. The emails try to convince customers of those companies to disclose personal information on fake websites operated by criminals. The emails often contain emotive messages and claim that it is necessary to "validate" or "update" customer account information. The emails contain instructions to click on a link within the email which takes the recipient of the email to the fake website. Here all information entered is collected by the criminals. Information captured through Phishing may be used to perpetrate different criminal acts. Your funds may be stolen and used to finance other criminal activities such as human trafficking, drugs and prostitution and your identity may be cloned and other criminal acts undertaken in your name.

How to avoid becoming a victim of Phishing?

It is important to remain vigilant and be suspicious of all unsolicited or unexpected emails you receive, even if they appear to originate from a trusted source such as Your Bank. It is important to remember that Your Bank will never ask you to reconfirm any personal information by clicking on a link in an email and visiting a website.

The structure of a Phishing email

Who is the email from?

The structure of the Internet makes it relatively simple for criminals to create fake entries in the "From:" box of an email. This means that Phishing emails often look like they come from a real bank email address.

It is important to remember that the email address you see in the "From" field may not be from the person or organisation that it claims. The message is also likely to contain odd "spe11ings" or cApitALs in the "Subject:" box - this is designed to bypass spam filter software and increase their chances of delivery to a potential victim.

Who are the intended victims?

Phishing emails are sent out randomly using bulk email lists. The criminals are cunning and whilst they may not know your real name or indeed anything else about you they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms such as "Dear Customer". The email may well include grammatical and spelling errors as it is likely that English is not their first language.

Some emails may also contain a login form directly in the body of the email to add authenticity to the scam.

Fake hyperlinks

As with forging email addresses in the 'From' box, it is also very simple to hide a hyperlink's true destination. This means that the link displayed in an email and anything which shows up in the status bar at the bottom of your email programme can be faked.

The Structure of a Phishing website:


The criminals are clever and use a number of techniques to hide the true location of a fake website in the address bar. The website address may begin with the genuine site's domain name (eg: if you are looking for standard chartered bank's website), but unfortunately that is no guarantee that it points to the real site. Other techniques may include using addresses made up of numbers (IP addresses), registering a similar domain name, or even inserting an image of the real address into the browser window. To add credibility to their fake sites, many criminals create direct links from their pages to the genuine website.

Pop-up windows

Another technique involves loading a genuine website into your web browser and then creating a fake 'pop-up' window over the top of it. Again this technique is employed by criminals to add credibility to the scam. When used you can see the real website in the background, however any information you type into the pop-up window will be captured by the criminals and used for their criminal purposes.

It is important to remember that you should always access your online banking account, by typing the address into a new window.

What to do in the event you receive a Phishing email:

If you do receive a suspicious email, please contact Your Bank by forwarding the suspect email to your bank's official email address.

You can also report the incident directly to your regional organisation who designed to combat electronic incidents including criminal acts such as Phishing.

Hong Kong:
Incident Reporting url:

Incident Reporting url:

Incident Reporting url:

Incident Reporting url:

Incident Reporting url:

Incident Reporting url: report incidents via email: ;

Asia Pacific Region:

Important points to remember

Your Bank will never send you an email requesting for you to "verify" or "update" your password or any personal information by clicking on hyperlink and visiting a website.
Be cautious about all unsolicited emails and never click on hyperlinks from these emails and provide personal information.
To connect to Internet banking, open your web browser and type the address in Address Bar by yourself. Never use a link to open the website of your bank.
If you are in any doubt about the validity of an email, or if you believe that you may have disclosed information on a fake website, contact Your Bank by sending an email to official address.

No comments: