Anthem’s security breach: How to defend against Phishing attacks

Last Wednesday, an Anthem employee noticed a suspicious database query running inside the company's network. The query was suspicious because no legitimate user or process had issued it.

This was indeed an attack on Anthem's database. The attackers managed to steal information such as the names of the insured, dates of birth, Social Security numbers, addresses, phone numbers, email addresses and employment information.

It appears that Anthem has since warned its customers about a phishing campaign: an email that looks as if it comes from Anthem asks users to click a link in order to obtain an ID, supposedly for better security.

(You should never click or respond to these phishing emails)

What is a phishing attack?

A phishing attack starts with an official-looking e-mail that appears to come from an online bank, a financial institution or any other large company that is usually considered trustworthy. The e-mail tells you to click a link and confirm your login and password, or to enter your card number or account number, for that particular institution.

When you click the link, you land on a Web page that looks remarkably like the company's real Web site, but it is in fact a fake page controlled by the criminal behind the phishing scheme. As soon as you type your login/password, account information or credit card number, the thieves capture it and use it to commit identity theft, charging your credit card or draining your account.
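The mechanism just described rests on one fact: the text of a link and the address it really opens are independent. The script below is an added example (not code from the original article) that pulls every link out of an HTML message and flags the usual tricks: link text naming one site while the href goes to another, hosts written as raw IP addresses, punycode or non-ASCII look-alike names, a fake hostname smuggled in before an "@", and a trusted brand name buried inside someone else's domain. The sample message, the TRUSTED_DOMAINS allowlist and the 203.0.113.x addresses are all constructed for the example.

```python
"""Flag suspicious links in an HTML e-mail body (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the recipient trusts, mapped to the domains those brands really use.
# Hypothetical allowlist for this example.
TRUSTED_DOMAINS = {
    "anthem": {"anthem.com"},
    "ebay": {"ebay.com"},
}

# Constructed sample message in the style of the Anthem lure described above.
SAMPLE_EMAIL = """
<p>Dear member, to receive your new security ID please visit
<a href="http://anthem.com.secure-id-update.example/login">https://www.anthem.com/security</a>
or <a href="https://www.anthem.com@203.0.113.7/">www.anthem.com</a>.</p>
<p><a href="http://203.0.113.7/anthem/">Manage account</a> |
<a href="https://www.anthem.com/">Anthem</a></p>
"""

# Visible link text that looks like a URL or a bare hostname.
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname.  Assumption: no public-suffix list is
    consulted, so two-part suffixes such as co.uk are not handled."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def displayed_host(text):
    """Hostname the link *claims* to go to, if its text looks like an address."""
    m = DOMAIN_TEXT.match(text.strip())
    return m.group(1).lower() if m else None


def analyze_link(href, text):
    """Return a list of reasons the link is suspicious (empty if none)."""
    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    if scheme == "mailto":
        return []
    if scheme not in ("http", "https"):
        return ["non-web scheme %r" % scheme]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    reasons = []
    if parts.username is not None:
        # https://www.anthem.com@203.0.113.7/ : the part before '@' is a username
        reasons.append("text before '@' is a username; the real host is %s" % host)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass
    if "xn--" in host or not host.isascii():
        reasons.append("internationalized hostname (possible look-alike)")
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != registrable_domain(host):
        reasons.append("link text shows %s but href goes to %s" % (shown, host))
    base = registrable_domain(host)
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in host and base not in domains:
            reasons.append("'%s' appears in %s, which is not a %s domain" % (brand, host, brand))
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in collector.links if href]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print("%-10s %s (text: %r)" % ("SUSPICIOUS" if reasons else "ok", href, text))
        for reason in reasons:
            print("           - " + reason)
```

Run against the sample, only the genuine https://www.anthem.com/ link passes; the other three are flagged, the first one twice (displayed host differs from the real host, and "anthem" appears in a domain that is not Anthem's). The registrable-domain helper is deliberately naive; a production filter would use the public suffix list.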

So what can I do?

Companies should certainly deploy better protection against such attacks, but users can also protect themselves.
Here are steps that can significantly reduce the risk of falling for a phishing scam:

1. Do not click on hyperlinks in e-mails – It is never a good idea to click on a hyperlink in an e-mail, especially one from an unknown source. The text of a link and its real destination are independent: a link that reads "www.anthem.com" can point anywhere, and you never know whether it will also trigger malicious code. Some hyperlinks take you to a fake HTML page that tries to trick you into typing sensitive information. If you really want to check out the link, type the company's address that you already know into the Web browser yourself instead of copying it from the message.

2. Keep your Anti-Virus up-to-date – One of the most important things you can do to avoid phishing attacks is keep your Anti-Virus software up-to-date, because most Anti-Virus vendors ship signatures for the common browser and document exploits that phishing campaigns reuse. This can prevent things such as a Trojan overlaying your Web address bar or faking an HTTPS lock icon. If your Anti-Virus software is not up-to-date, you are more susceptible to attacks that hijack your Web browser and put you at risk of phishing.

3. Take advantage of Anti-Spam software – Anti-spam software can help keep phishing attacks to a minimum. A lot of attacks arrive as bulk spam, so a good filter stops many phishing messages before they ever reach your mailbox.

4. Use Anti-Spyware software – Keep spyware to a minimum by running a real-time (active) anti-spyware product and also scanning periodically with an on-demand (passive) scanner. If for some reason your browser is hijacked, anti-spyware software can often detect the problem and provide a fix.

5. Verify HTTPS – Whenever you are sending sensitive information such as credit card or bank details, make sure the address bar shows "https://" rather than just "http://" and that the browser shows its lock icon (next to the address bar in current browsers; older browsers put it in the status bar at the bottom). Click the lock to inspect the certificate: check who issued it and, more importantly, that the name on it is the company's real domain. A lock only proves that the connection is encrypted to whoever holds that certificate; criminals can obtain perfectly valid certificates for look-alike domains they register themselves, so the padlock never replaces reading the address. Many attacks are not encrypted at all but merely mimic an encrypted page, for example by drawing a lock image inside the page content. Always confirm that the page itself is truly encrypted.

6. Get educated – Educate yourself on how to prevent these types of attacks. A little research on the Internet may save you a great deal of pain if you are ever the victim of identity theft. You can report any suspicious activity to the FTC (in the U.S.). You can also file a phishing complaint at www.ftc.gov. Another great resource is the FTC’s identity theft page to learn how to minimize your risk of damage from ID theft. Visit the FTC’s spam page to learn other ways to avoid e-mail scams and deal with deceptive spam.

7. Keep your system and applications up-to-date – By keeping your operating system, browser and browser plug-ins updated, you protect them against the known exploits that phishing pages use to hijack the browser or install malware.

8. Use a desktop (software) and network (hardware) firewall – A network firewall blocks unsolicited inbound connections, and a desktop firewall can additionally stop unknown programs from connecting out. Together they limit how malicious code gets onto your computer and what it can do, such as hijacking your browser, once it is there.

9. Keep a backup copy or image of your computer in case of foul play – You can then revert to a known-clean system state if you suspect that a phishing attack, spyware or malware has compromised the system. Keep the image somewhere the compromised machine cannot overwrite it.

10. Don't enter sensitive or financial information into pop-up windows – A common phishing technique is to launch a bogus pop-up window when someone clicks a link in a phishing e-mail message. This window may even be positioned directly over a window you trust. Even if the pop-up looks official or claims to be secure, avoid entering sensitive information, because there is no way to check its security certificate. Close the pop-up with the browser's own close control or keyboard shortcut (Ctrl+W, or Alt+F4 on Windows), not with a button drawn inside the page: a page can paint its own convincing "X" or "Cancel" that is really a link, and clicking it may send you to another site or download malicious code.

11. Secure the hosts file – A hacker can tamper with the hosts file on a desktop system (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Unix-like systems). The system consults this file before asking DNS, so a single added line can send you to a fraudulent site even though you typed the correct address. Setting the file to read-only may alleviate the problem, but complete protection depends on good desktop protection software that protects against tampering by outside attackers and keeps browsing safe.

12. Protect against DNS pharming attacks – This is a phishing attack that doesn't spam you with e-mails but poisons your local DNS server (or quietly changes which DNS server your computer uses) so that your Web requests are redirected to a different Web site that looks like the company's. For example, the user types eBay's Web address correctly, yet the poisoned DNS server sends them to a fraudulent site. This needs to be handled by an administrator who can lock down the company's DNS servers: keep the resolver software patched, answer recursive queries only for internal clients, and enable DNSSEC validation so that forged answers for signed zones are rejected.
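Tip 5 says to inspect the certificate rather than trust the padlock. The following added example (not code from the original article) separates the two questions a browser and a careful user have to answer: does the certificate's subjectAltName list actually cover the hostname, using the dNSName matching rule from RFC 6125 (a wildcard may only be the entire leftmost label and stands in for exactly one label), and is that hostname part of the domain you expected? The certificate dictionaries mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns and are constructed for the example; `anthem-security-id.example` is a hypothetical look-alike domain, and `fetch_san_names` is a live helper that the offline demonstration does not call.

```python
"""Does the certificate cover the site you meant to visit? (added example)"""
import socket
import ssl


def san_dns_names(peercert):
    """DNS names from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def dnsname_matches(pattern, host):
    """RFC 6125 style match of one certificate dNSName against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the whole leftmost label, no other label may
    # contain one, and "*.com"-style patterns are rejected outright.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label: *.anthem.com covers
    # www.anthem.com but neither login.secure.anthem.com nor anthem.com itself.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers_host(san_names, host):
    """True if any dNSName in the certificate matches the host."""
    return any(dnsname_matches(pattern, host) for pattern in san_names)


def is_expected_site(host, expected_domain):
    """True if host is expected_domain itself or a subdomain of it.
    'notanthem.com' is NOT part of 'anthem.com'."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_site(san_names, host, expected_domain):
    """Return (ok, explanation) for a host you connected to."""
    if not cert_covers_host(san_names, host):
        return False, "certificate (%s) does not cover %s" % (", ".join(san_names), host)
    if not is_expected_site(host, expected_domain):
        return False, "valid certificate, but %s is not part of %s" % (host, expected_domain)
    return True, "certificate covers %s, which belongs to %s" % (host, expected_domain)


def fetch_san_names(host, port=443, timeout=5):
    """Live helper: connect with full verification and return the SANs.
    Not used by the offline demonstration below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_dns_names(tls.getpeercert())


# Constructed peer-certificate dicts in getpeercert() shape.
REAL_SITE_CERT = {
    "subject": ((("commonName", "anthem.com"),),),
    "subjectAltName": (("DNS", "anthem.com"), ("DNS", "*.anthem.com")),
}
LOOKALIKE_CERT = {  # hypothetical domain registered by the phisher
    "subject": ((("commonName", "anthem-security-id.example"),),),
    "subjectAltName": (("DNS", "anthem-security-id.example"),
                       ("DNS", "*.anthem-security-id.example")),
}

if __name__ == "__main__":
    for cert, host in ((REAL_SITE_CERT, "www.anthem.com"),
                       (REAL_SITE_CERT, "login.secure.anthem.com"),
                       (LOOKALIKE_CERT, "www.anthem-security-id.example")):
        ok, why = check_site(san_dns_names(cert), host, "anthem.com")
        print("%-3s %s" % ("OK" if ok else "NO", why))
```

The third case is the one the padlock cannot catch: the look-alike site's certificate is valid for its own name, and a default-verifying TLS client (such as `fetch_san_names` above) would accept it without complaint. Only the second check, comparing the name against the domain you intended to visit, exposes it.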
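Tips 11 and 12 both concern an attacker who never sends you an e-mail but redirects your computer at the name-resolution layer. The script below is an added example (not code from the original article) that audits the two client-side places this happens: the hosts file, which the system consults before DNS, and the resolver configuration, which decides which DNS server is asked. It flags watched domains pinned to any address other than a loopback or unspecified sinkhole (0.0.0.0 and 127.0.0.1 entries are a normal ad-blocking trick), flags nameservers that are not on an approved list, and computes a fingerprint over the active hosts entries so a known-good baseline can be compared on each check. The sample file contents, the WATCHED_DOMAINS list, the APPROVED_RESOLVERS list and the 203.0.113.x addresses are all constructed for the example; on a real machine you would read C:\Windows\System32\drivers\etc\hosts or /etc/hosts and /etc/resolv.conf.

```python
"""Audit local name resolution for hosts-file and resolver pharming (added example)."""
import hashlib
import ipaddress

# Domains that should never be overridden on an end-user machine, and the DNS
# servers the organisation's clients are expected to use (both hypothetical).
WATCHED_DOMAINS = {"anthem.com", "ebay.com", "paypal.com"}
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost
0.0.0.0      ads.example            # sinkhole: harmless
203.0.113.7  www.anthem.com anthem.com
"""

SAMPLE_RESOLV = """\
# constructed sample resolv.conf
nameserver 10.0.0.53
nameserver 203.0.113.53
"""


def active_lines(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields


def parse_hosts(text):
    """Return [(address, [names...])] for every entry in a hosts file."""
    return [(f[0], [n.lower() for n in f[1:]]) for f in active_lines(text) if len(f) >= 2]


def audit_hosts(text):
    """Entries that pin a watched domain to anything other than a sinkhole."""
    problems = []
    for address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            problems.append("unparseable address %r" % address)
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / ::1 / 0.0.0.0 sinkholes are not redirections
        for name in names:
            # Naive registrable-domain check: last two labels (no public-suffix list).
            if ".".join(name.split(".")[-2:]) in WATCHED_DOMAINS:
                problems.append("%s is pinned to %s" % (name, address))
    return problems


def audit_resolvers(text):
    """Nameservers (resolv.conf format) that are not on the approved list."""
    return ["unexpected nameserver %s" % f[1]
            for f in active_lines(text)
            if len(f) >= 2 and f[0] == "nameserver" and f[1] not in APPROVED_RESOLVERS]


def hosts_fingerprint(text):
    """SHA-256 over the active entries only, so comment or whitespace edits do
    not raise a false 'tampered' alarm.  Record it while the file is known
    good and compare on every later check."""
    canonical = "\n".join(" ".join(f) for f in active_lines(text))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    for problem in audit_hosts(SAMPLE_HOSTS) + audit_resolvers(SAMPLE_RESOLV):
        print("ALERT:", problem)
    print("hosts fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

On the sample data the audit reports the two anthem.com names pinned to 203.0.113.7 and the unapproved second nameserver, while the ad sinkhole and the localhost lines pass. Making the hosts file read-only, as tip 11 suggests, stops casual edits but not malware running with administrative rights, which is why a stored fingerprint and a periodic comparison are worth having as well.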