Phishing, the FBI, and Terror

In a recent speech, Robert S. Mueller, III, Director of the FBI, said that he had nearly been the victim of a phishing attack targeting his bank account. Mueller went on to say that at his wife's insistence he has since given up on-line banking. The article I saw was http://www.eweek.com/c/a/Security/FBI-Director-Nearly-Hooked-in-Phishing-Scam-Swears-Off-Online-Banking-616671/.

It’s a shame that he decided to give up on-line banking for that reason. It resembles the typical response to terror attacks. After 9/11 some people were afraid to fly, when in reality flying was still safer than driving. There is no such thing as completely secure, but you can manage risk.

When it comes to phishing, one of the best defenses is to not follow links in email. If I get an email from my bank I will not log into my account by clicking on the link in the email. I will type the URL for my bank into the browser (or use a bookmark I created myself), so that the destination is chosen by me rather than by whoever sent the message, and I have a reasonably good idea that I really went to my bank.
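The reason typed URLs beat emailed links is that the visible text of a link and the address it actually opens are two different things. As an added illustration (not code from the original post or from ESET), the small Python script below pulls every link out of a constructed sample HTML email and explains why each one should not be clicked: a real host hidden behind a "user@" prefix, a trusted name used only as a subdomain of some other domain, and a look-alike spelling. The bank domain "mybank.example", the trusted-domain set and the message itself are assumptions made for the example; the `registrable()` helper is deliberately naive (last two labels) and real code should use the public suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not a real message): one legitimate link
# followed by three common phishing link tricks. "mybank.example" is an assumed
# bank domain used only for this illustration.
SAMPLE_EMAIL = """
<p>Dear customer, please sign in to confirm your details.</p>
<p><a href="https://www.mybank.example/login">www.mybank.example</a></p>
<p><a href="http://www.mybank.example@198.51.100.7/login">https://www.mybank.example/login</a></p>
<p><a href="https://mybank.example.account-verify.example/">Click here to verify your account</a></p>
<p><a href="https://www.rnybank.example/">mybank.example</a></p>
"""

# Domains the user actually banks with (assumed for the example).
TRUSTED = {"mybank.example"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname. Good enough for this demo; real code should
    consult the public suffix list (for example, co.uk needs three labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


# Something in the link text that looks like a hostname (optionally with a scheme).
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def audit_link(href, text, trusted):
    """Return the reasons this link should not be clicked (empty list if none)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # http://trusted-name@real-host/ : everything before '@' is userinfo,
        # not the host, so the browser connects to real-host.
        reasons.append("userinfo before '@' hides the real host %s" % host)
    if registrable(host) not in trusted:
        reasons.append("real host %s is not a trusted domain" % host)
        if any(t in host for t in trusted):
            reasons.append("trusted name appears only as a subdomain label")
    m = HOST_IN_TEXT.search(text.lower())
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append("link text names %s but link goes to %s" % (m.group(1), host))
    return reasons


def audit_email(html, trusted=TRUSTED):
    """Map each href in the message to its reasons; links with no reasons are omitted."""
    parser = LinkExtractor()
    parser.feed(html)
    results = {}
    for href, text in parser.links:
        reasons = audit_link(href, text, trusted)
        if reasons:
            results[href] = reasons
    return results


if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Only the first link survives the audit; the other three are exactly the cases a person cannot reliably spot by eye, which is why typing the address yourself removes the sender from the decision entirely.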

Not using online banking may prevent you from becoming a victim of some types of phishing attacks, but it does nothing to educate you about how to avoid the broader category of social engineering attacks. There are phishing attacks against PayPal, Hotmail, Yahoo, Google, Facebook, Twitter, World of Warcraft, and many other companies. Do you give up and stop using the web? I don’t. I like the value that the Internet adds to my life… at least I would if I had a life.

The proper response is to be educated about how the social engineering attacks work so you can enjoy the benefits the web has to offer while effectively managing your risk.

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • PC Tech

    Mr. Mueller is not alone, using Windows, anyway. Here are 2 others:

    Brian Krebs
    - http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
    October 12, 2009

    Michael Horowitz
    - http://blogs.computerworld.com/14806/crimeware_gets_worse_how_to_avoid_being_robbed_by_your_pc
    September 26, 2009


    • Randy Abrams

      Booting from a Linux CD does not protect against phishing. Not clicking on the link or using the link in the email does.

  • Joseph A’Deo

    I think most people will not be following in Mr. Mueller’s footsteps, thankfully, because simply ignoring the internet when there are multiple methods for protection one can employ is simply ridiculous. At VeriSign we were particularly surprised to find that Mueller didn’t take the opportunity to mention extended validation SSL — which helps users differentiate between legitimate banking sites and fake ones set up to harvest personal data — especially since EV has been noted as essential by other gov’t agencies. The IRS, for example, now requires all online tax return filing to be completed on an EV-protected website. It’s a shame that more institutions don’t take a similarly progressive attitude towards online security, but my guess is that it will happen sooner rather than later. I suppose in one sense Mueller’s reaction is appropriate — if you know you won’t take the time to acquaint yourself with the proper encryption techniques, maybe banking is better done offline.

13 Oct 2009
Copyright © 2014 ESET, All Rights Reserved.