Please note that the steps provided in this walkthrough were performed using a secured operating system. 

I got up this morning and was having coffee and catching up on things when I was surprised to see that my bank had sent me a text to let me know that my online banking had been deactivated. That’s slightly annoying, but the good news is that they had provided a convenient secure (cough) link in the message to get me back up-and-running.

A couple of obvious things to note here. Clearly my bank HSBC have decided to not necessarily invest in a few things: a domain name or a secure certificate. Although I may joke about this, it is incredibly important that little details like this are taken note of. The individual(s) behind this have not put in much effort, but it is easy to be fooled if you are not sure what you are looking for.

As I was in one of those moods, I thought I would see just how far they would take me on this journey. I decided to click this link and find out what happens next.

You could say this has the look and feel of HSBC’s website and I am now being asked to enter my Customer ID to proceed. Note the secure lock in the red box. But note the browser URL bar, as this is clearly not showing that the website is secure. I cannot stress enough the fact that this URL is simply pointing at an IP address. This IP address is certainly not registered to HSBC either:

Details, details I hear you say.

I dutifully added a fake Customer ID which, of course, was not validated at all, but I was presented with the next screen to hopefully glean some more information from me.

I popped in a few fake answers on this screen but it appears that I was going to be challenged further to now provide a lot more information…

…yes, it seems they now want my complete password and security number as what I had given didn’t match what they had.

For the eagle-eyed among you, you’ll notice that I had to change browsers at this point. Safari had blocked access to this website and was making it difficult (as you’d expect) to be able to submit information to an obviously fake website. As you can see, Google Chrome is warning me that this website is dangerous and I definitely should not be sending valid information to it. Don’t worry, I submitted some further incorrect information. After submitting that, the good news is that I can use my online banking again. Phew!

Great news! Or is it?

Had I completed these steps and used my banking information then there is every possibility that they would have used this information to attempt to extract money from my account. That part of the process may not be as straightforward, as most banks use additional security steps in the process. However, it is also likely that they may use this information for social engineering and fool me into doing something on their behalf. It may be that they would have enough information to actually contact my bank and pose as myself. What’s not clear is just how much information they may hold about me.

More of our data is being captured and stored by companies providing us with services. Some need our date of birth to confirm age and some will certainly capture address information. Think about sites where you have needed to give both and more. The fact that I received this message as a text says they have my mobile number too. It’s fair to say that some companies are simply not doing enough to protect our personal data, and in this digital world it’s becoming much easier to exploit this captured information. What I won’t know is how much of the digital puzzle they have in order to further exploit. Your digital footprint is certainly becoming much harder to hide.

Although I was aware this was a phishing expedition from the outset, there would be many that wouldn’t.

Some simple steps to protect yourself

  1. If it looks wrong, then it probably is.
  2. If you received the request via email then check the email address carefully.
  3. Think before you click on a link and verify the URL.
  4. Secure certificates (SSL) are easy to get and are free so check the certificate is linked to the company of the site you are looking at.
  5. Beware of threats or demands to do something urgently, i.e. your account has been or will be deactivated, or something is going to happen by a specific date or time if you don’t do something.
  6. Keep your browsers up-to-date as most browsers can provide additional protection against malicious websites.
  7. Use good antivirus software to help protect you.
  8. If in doubt then call the organisation using known telephone numbers.

The above is not exhaustive but should help keep you a little safer.
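The warning signs from this walkthrough (a link that is not HTTPS, a host that is a bare IP address rather than the organisation's domain, and urgent "deactivated" wording) can be checked mechanically. The following is an added example, not part of the original post; the sample message is constructed, and the expected domain set is an assumption you would replace with the domain you already know your bank uses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Urgency wording of the kind step 5 warns about (illustrative, not exhaustive).
URGENCY = re.compile(r"\b(deactivated|suspended|urgent(ly)?|immediately|expires?)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def host_is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_url(url, expected_domains):
    """Return the list of warning signs found in one link."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ["unparseable-url"]
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("no-https")
    if host_is_ip(host):
        findings.append("ip-address-host")
    # Match the registered domain as a suffix label, so that
    # "hsbc.co.uk.example.net" does not pass as "hsbc.co.uk".
    elif not any(host == d or host.endswith("." + d) for d in expected_domains):
        findings.append("unexpected-domain")
    return findings

def triage_message(text, expected_domains):
    """Check every link in a message, plus the message's own wording."""
    report = {u: triage_url(u, expected_domains) for u in URL_RE.findall(text)}
    report["_message"] = ["urgency-wording"] if URGENCY.search(text) else []
    return report

# Constructed sample: 203.0.113.10 is a documentation-only address (RFC 5737).
SAMPLE = "HSBC: your online banking has been deactivated. Restore access: http://203.0.113.10/hsbc/"
EXPECTED = {"hsbc.co.uk"}  # assumption: the domain you already know your bank uses

if __name__ == "__main__":
    for item, flags in triage_message(SAMPLE, EXPECTED).items():
        print(item, "->", flags or ["nothing flagged"])
```

An empty result only means none of these particular signs were present; as step 4 notes, a certificate on its own proves little, so a clean link still deserves the phone call in step 8 when in doubt.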

Phishing for a bite

by Dean Baldwin