Tuesday, June 2, 2009

Phishing for Trouble

I think it started with the airlines. It may actually have begun with the late lamented www.shopforless.com, but I think it was the airlines. Whoever may have been the first to offer online payment on websites in Nigeria, they were faced with a society that was sceptical about providing financial information online.


When the banks started offering MasterCard services, they were initially adopted by people with international exposure who had been chomping at the bit for a payment mechanism to use online or on trips abroad. These people could not open accounts in the US or Europe and get credit or debit cards and so were eager to take advantage of these new services. Slowly this led to increasing awareness and confidence in the populace that payment systems could be locally supported here in Nigeria. By the time InterSwitch and eTransact cards became part of the national idiom they met a significant part of the populace who were not only willing to shop online but demanded web-based services.

I think the airlines helped the most. The convenience of booking, making payments, rescheduling flights without having to go to the airport or the bank or calling up a travel agent cannot be quantified. My wife lived through this particular evolution and was an ardent evangelist of this at a time when even vastly more technologically-oriented people were not even aware that these online fulfilment systems were even available.

Phishing Means You’re Bait

Aside from the ecommerce sites, the banks have rolled out a range of services on the internet. These include passive services like checking transaction histories, and active services such as funds transfers, cheque confirmation or revocation as well as utility payment systems. InterSwitch itself has a site where you can pay several different bills from service providers such DSTV and Zain on your PC or your internet enabled mobile phone. With all this and a host of ecommerce products and services now available Nigeria, like most of the world, is swinging through the lush forests of ecommerce.

Unfortunately, here there be tygers.

Internet criminals are now plaguing Nigerians and our own home-grown ecommerce and online payment systems like they do international products and services. There are a variety of criminal mechanisms designed to fleece people of their money, one in particular bears discussion. It is known as phishing. The word is a corruption of the English word “fishing”. Perhaps the concept of a fisherman dangling his bait in the water waiting patiently for a victim to swim by is the basis for this usage. Using Wikipedia’s definitions:

“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT Administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging,[1] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.”

More Than Meets the Eye

Earlier this year (or was it late last year) a phishing scam email was going around in which people were told that InterSwitch was upgrading its systems and needed owners of InterSwitch cards to go to a website (a link was provided) and enter their card number, expiration date and PIN. Anyone who did this would have ended up giving their card details to criminals who would have used the information to rapidly make purchases for goods and services online to the limit of what the person had in their account. A screenshot of the scam message is included below as an example.


Image courtesy of Spam Email Graveyard

The example is typical of the scam. It purports to come from a well known organisation. It puts you under time pressure, makes you afraid that if you don’t take action, you may lose access to something important and it provides you with a link to go to. While simple, this is also powerfully effective. In particular, note the link in the image. It is actually a perfectly legitimate InterSwitch link. However if you were to click on it, the code behind the text would take you to a completely different page. In this case you would have ended up at the link below. image

Some links in other spam messages may not be this well done and may be variation of the legitimate address. So for example “interswitch-ng.com” could trick some people.

Because of phishing scams too many Nigerian sites have some kind of warning as a pop-up or other kind of fraud alert message on their web pages. InterSwitch has one. As do Guaranty Trust Bank, MTN and no doubt everyone else worth their salt. imageOften ugly and distracting from the overall web experience, but like the metal bars on our windows and the spikes on our fences, they are unfortunately necessary. Despite these efforts many are still taken in by this and other “social engineering” scams.

Phishing scams are not always internet based and many play on the baser human instincts. For instance a popular warning in the Nigerian media from the phone companies is around scams that send you a text message telling you that you have phone something from the provider and you need to send a recharge card PIN to the number provided to claim the prize.

Breaking the Line

So how do you avoid becoming a victim of a phishing scam?

The very first thing is to NEVER EVER click on a link in an email message you receive that has some of the characteristics I have described. Instead open a browser and type in the LEGITIMATE address your are familiar with for the service. So if I received such a message claiming to be from GTBank for instance, I would go my browser and type in www.gtbplc.com rather than clicking on any link. If the email was truly from that site, there would be some information on the website, usually on the home page, if it is general message to its user populace. It will be within your account pages if it is a specific message to you.

Secondly, use a modern web browser. The latest versions of Microsoft Internet Explorer (version 7 and above), Mozilla Firefox (2.0 and higher), Google Chrome (all versions) and Opera all have in-built tools that provide some level of protection against phishing attacks. The internet security versions of some popular antivirus tools such Norton Internet Security also add their own phishing protection to the common browsers.

Using a spam filter (a tool that removes unsolicited email messages from your mailbox) also provides some level of protection. The public services – Hotmail, Gmail, Yahoo! Mail and their like – have inbuilt spam filters and most organisations that host their own email have invested in them. However spam filters and phishing protection tools are not 100 per cent reliable.

Continuous vigilance is needed in order to avoid becoming a victim of such scams. Treat the internet with the enjoyment and the same wariness as the Balogun market. Revel in the rich variety of goods, sites and sounds, but keep your eyes peeled and your pocketbook tightly clasped to your side.


My sympathies go to the families of the victims of Air France Flight 447. May they find comfort in God as they face this.