I overheard this interesting talk last sunday while harassing some poor developer to close an NC, have a dekko. But before that, a very short intro of the characters.
Character #1 — Baba Gyandev, aka if-google-had-a-body-this-would-be-it, BG in short
Character #2 — Baby Busy, aka this-will-never-happen-to-me, BB in short, BG’s follower#1
Character #3 — Paranoid Pandu, aka even-my-breadth-should-be-encrypted-to-save-it-from-sniffing, PP in short, another follower of BG
Context — BG & his disciples are in a very good mood. BG is happy because of planetary alignments, BB got a good appraisal recently, and PP just bought the latest encryption software for his laptop. More than that, they are happy because of their body has been treated to the best seafood meal that they had in recent times.
BB — This place is good, we should come here more often.
BG (after a big gurgling sound escaping the deepest corners of his intestine, making everyone else in the restaurant look for cover) — Yeah, fish is good.
BB — I don’t know why some people have devoted themselves to anti-fishing causes on Internet, it is not if we are trying to finish all the fishes!
PP — That was not this fish, BB, it is called Phishing, and it is very dangerous.
BB (with some alarm on her face) — Oh!
BG — PP, please do not terrorize her. BB, while it is true that phishing is a concern, it can be managed by some very easy-to-do things.
BB — Baba, please tell me more about this. What is this about?
PP — It is about stealing your identity.
BB — My identity? What identity?
BG — Bhaktjano, it’s not the identity that all of us are always looking for, inwardly (who am i? What am i on this earth for, stuff like that). I can talk about it more over seafood in Taj Banjara. The identity, that we are talking about now, is that of us on the information superhighway called Internet.
BB — Identity on Internet? What is my identity on the Internet?
PP (with some irritation) — Don’t you have a facebook account? Or yahoo/aol/hotmail/gmail ID? Or any other ID on any other website (irctc/icici/sbi/any-other-bank)?
BB — So what? Those are just login IDs, not my identity, Mr. know-it-all!
BG — Please don’t fight, kids. BB, in today’s online world, everything is connected to everything else on the Internet. You can share content of one website on another, e.g., share an online article or a review of latest movie that was put on some other news site, on your facebook account; you do a lot of financial transaction online. All of this requires that those sites know you. They give you login IDs so that they can recognize you, the next time you logon. So, all these IDs that we have online constitute our online identity. It is what we are and how people will recognize us when online.
BB — Yeah, i remember opening a recurring deposit account online in ICICI. They neither made me write a letter nor call me for an approval. I started it online and it automatically deducts money from my account every month.
PP — That was because they knew it were you, because they knew the login ID belonged to you.
BG — Correct. But now, the issue is — Crime always follows money. Bad people have realized that many (if not all) of the transactions are happening online now, it makes more sense if we can somehow get those IDs and passwords.
BB — Hmmm….. Baba, how do these people do it? Where does Phishing comes into picture?
BG — They will create copies of the well-known websites, with similar spellings, and put them online. Then they wait for you to land there.
PP — They do not always wait for your to come, they try to lure you to it. Remember that LinkedIn invitation that you said you had got from me? And the facebook invitation from your husband?
BB — Yeah, i do. I also remember that you had a look and then asked me to delete them and not to click on any link in that mail.
PP — Because it was a SPAM, meant for anyone who would believe and click on them, thereby landing on the fake site. The person will provide his actual user ID and password, and then, la-la land!
BB — How to stop it?
PP — These people are a reason why i am very skeptical while online. I don’t trust Internet!
BG — PP, in that case, stop buying house because land mafia may take it over, stop buying gold or silver ornaments because they can be stolen, stop carrying money in pocket because they can be , well, picked up. And while you are at it, stop living (PP looks at BG in shock) because there are criminals out there who murder for living.
BB starts laughing.
BG (with increased calmness) — Just because there are some issues with a technology or a facility, you don’t stop using it. Atleast not when you get so much benefits from it. More so, when you can save yourself using some common sensical tips.
BB — Please give me some tips so that i can save my identity online.
BG — the first step - don’t click on any link blindly. Check it before clicking on it. Is it pointing to what it says it would?
PP — A link to facebook should not go to some random site like gimme-your-password.com
BG — True. In the lower left hand corner of most browsers users can preview and verify where the link is going to take them. Always check them before clicking.
PP — Also, look at the language of the mail.
BG — In other words, do not click on links within emails that ask for your personal information.
PP — True. Actually, no organization in its right mind would ask for it in mail. If it does, there is something ‘phishy’ there.
BG — Never enter your personal information in pop-up windows.
BB — What is wrong with pop-ups if it comes up after the original site has loaded? It means it has come from the site, right?
PP — Not necessarily. Sometimes a phisher will direct you to a real company’s, organization’s, or agency’s Web site, but then an unauthorized pop-up screen created by the scammer will appear, with blanks in which to provide your personal information. If you fill it in, your information will go to the phisher. Legitimate companies, agencies and organizations don’t ask for personal information via pop-up screens. Install pop-up blocking software to help prevent this type of phishing attack.
BB — Means, i should never give confidential information in pop-ups.
BG — Correct. Also, phishing doesn’t always need Internet.
BB — ?????
BG — You may get a call from someone pretending to be from a company or government agency, making the same kinds of false claims and asking for your personal information.
PP — If someone contacts you and says you’ve been a victim of fraud, verify the person’s identity before you provide any personal information.
BG — In other words, don’t give (or offer to give) your account ID and password to some guy over phone just because he claims to be from IT-Support. I know you did that yesterday.
BB (blushing) — that was because i needed some document very badly but was not able to logon to my machine. I had raised a ticket too.
PP — How do you know that this guy had called because of that ticket? I was there, too and you did not verify his identity.
BB (getting a little angry) — There is nothing interesting in my account, even if the user gets the password.
PP — yeah, true, but you re-use passwords, right? Which means one password of yours can open many accounts of yours !
BG — Actually, it is not just a matter of having something interesting in your account. Once your account is compromised, it will be used by bad people to lure your friends and contacts.
PP — For example, if i get your twitter / facebook / gmail ID, i can just ask your friends from little money (i can guess who are your friends by looking at your past activities), and if they are like you, they will transfer money first and then call. And that is just for starters.
BB is silent.
After some time, BB breaks the silence.
BB — So what should i do to stop it from happening?
BG — Be suspicious if someone contacts you unexpectedly and asks for your personal information. It could be in any format (online or offline), but ultimately, you have the responsibility over your information, Keep it secure!
PP — You can also keep changing your passwords regularly and use security features available with major sites (like two factor authentication of gmail, privacy features of facebook, etc.).
BG — Keep your browser and operating system updated and secure because many phishing attempts are hidden in viruses and other bad code.
BB — Baba, what if i accidentally gave some information? What should i do then?
BG — Contact related officials immediately and inform them.
PP — for example, if you accidentally gave your banking related information, then contact the bank immediately. In case of an online account, change the passwords immediately and notify the website.
BB — Thank you, BG and PP.