Skip to content
Skip to main content
header search
ahihi OpenLearn
OpenLearn
Menu
sticky search

About this free course

Become an OU student

Download this course

Share this free course

Course content Course content
Preparing for your digital life in the 21st Century
Preparing for your digital life in the 21st Century

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

4.4 Phishing

A particular kind of hoax message aims to persuade users to disclose private information such as their credit card details and PIN (Personal Identification Number). This is described as phishing. The recipient of the message may be directed to a hoax website where they are requested to part with their details. Figure 10 shows an example of an email that I received.

Described image
Figure 10 An attempt at phishing
Show description|Hide description

This is an email claiming to be from

“HSBC Bank PLC”

sent on 02 March 2009 at 21:14:46. The subject of the email is

‘Security Alert: Protect Your Online Banking’

The text of the email is

‘Dear HSBC customer, Barclays is proud to announce about their new updated secure system. We updated our new SSL servers to give our customers a better, fast and secure online banking service. Please click here proctect your account. Regards, The HSBC Bank PLc’

The text ‘click here’ is in blue to show that it is a hyperlink.

An attempt at phishing

Activity 9 (exploratory)

Looking at the email in Figure 10, what warning signs are there that might alert you to the fact that this is an attempt at phishing?

Comment

Below are the warning signs I noted when I received this email.

  • Although the sender’s email address is described as ‘HSBC Bank PLC’, the actual address – pontiusfamily@netzero.net – appears to have nothing whatsoever to do with the bank; instead it sounds like a private email address.
  • The email address of ‘netzero.net’ refers to an internet service provider – NetZero – based in the USA. I can’t imagine that a bank based in the UK would contact me from an email address supplied by an internet service provider in another country.
  • There is confusion about which bank this email is meant to be from, as the message refers to both HSBC and Barclays.
  • The message exhibits poor grammar and spelling – ‘proctect’, for example. I think it unlikely that such errors would be present in genuine messages from my bank.
  • The message is not addressed to the recipient (me) by name. This can indicate a message sent randomly to large numbers of email addresses.

The above points, along with the fact that I don’t actually manage my bank account online, convinced me not to follow the instructions in the message. Yet despite all these warning signs, some people do hand over their details in this way.

It’s very important not to click on any links in these sorts of messages. Even if you don’t enter your account details, making any response at all may confirm to the phisher that your email address is valid, leaving you open to further hoaxes and spam. Simply clicking on a link also risks your computer being infected with malware that could distribute the same message to all the email addresses – including those of your work colleagues, family and friends – stored on your computer.

One way to check this kind of message is to position your mouse pointer over the link (‘Click here’ in the Figure 10 example) and look at the web address that appears either as pop-up text or at the bottom of the message window. If it seems to be unrelated to the sender of the message then you should be even more suspicious. After receiving the email shown in Figure 10, I searched online and found a reputable site (millersmiles.co.uk) that contained the information shown in Figure 11.

Described image
Figure 11 Information about a phishing attempt
Show description|Hide description

This is a screenshot of a web page describing a phishing email very similar to the one in Figure 10. It points out that the email sends recipients to a spoof website that looks nothing like the real bank site, and that HSBC Bank never send their users emails requesting personal details in this way.

Information about a phishing attempt

Most phishing messages try to get you to provide some personal information (Figure 12). Clearly those trying to get your online banking details are aiming to get access to your money. However, others could be trying to access your email, blog, instant messaging or online auction accounts (if you have any), then use these accounts to distribute more phishing emails.

Described image
Figure 12 Phishing: fooling someone into giving away secret information
Show description|Hide description

This is a cartoon strip with four pictures. It shows an online exchange between one person (shown in the first three pictures) and three people shown in an office in the fourth picture, two of whom are wearing peaked caps.

The first picture shows the single person reading instructions from a computer screen. The instructions say ‘Email account setup. To verify your identity, we need to ask you a question nobody else could answer.’

The second picture has a question and answer, saying ‘Q: Where are the bodies buried?’ The person starts to type an answer of ‘Behind the’.

The third picture shows the person has stopped typing and is thinking.

The fourth picture shows the three people reading what the first person types. The answer they see says ‘Behind the … Nice try.’ One of the three responds with ‘Damn.’

Phishing: fooling someone into giving away secret information

If you have a job that provides you with an email account then you have probably also seen messages claiming to be from your company’s IT department, asking you to enter your username and password into a website to reset your email account. I’ve certainly had them sent to my Open University email account. As with requests for you to disclose your financial details, you should be careful when disclosing your username and password. A phone call to the relevant people in the company should be sufficient to find out whether or not the request is genuine.