Posted by: Barracuda Labs
With the increased awareness and attention around incidents of identity theft, consumers are becoming more vigilant in how they provide personal information online. At the same time, businesses that require such information to complete a transaction also must evaluate how they collect that information online from consumers.
For example, a colleague recently forwarded the email below from Southwest requesting personal information to complete the Transportation Security Administration’s (TSA) Secure Flight verification. Because the email was sent after the flight reservation was booked, it was unclear to the recipient whether or not the email was legitimate. Upon examination, it is clear that this is a legitimate email from Southwest; however, it is one that could easily be forged by a spammer or hacker attempting to collect a user’s personal information.
As people are making final travel arrangements and gift purchases online in this last week leading up to the holidays, Barracuda Networks has compiled a number of tips to help consumers discern legitimate emails and Web sites from malicious attempts, as well as recommendations for businesses to better serve their consumers online.
Online consumer safety:
1. Real or fake? Do not click on links included in an email. Instead, type the address directly into your Internet browser.
2. Email security and anti-virus solutions up-and-running. Make sure you have a strong email security solution in place that can block spam and phishing emails as well as detect and block viruses and other malware (including malicious Web links) contained in the email. As an extra precaution, make sure your desktop anti-virus protection is up-to-date and running. This will keep any viruses/malware not sent over email from infecting your computer or adding you to a larger botnet.
3. Strong Web filtering. Having a strong Web filter in place will allow you to block access to potentially dangerous Web sites. Web filters can block downloads by file type and applications that access the Internet (i.e. IM, music services, etc.) that are often used by hackers as a means of transporting malware onto your computer.
4. When in doubt, check it out. If you receive an email from a business that you recently have done an online transaction with – retail, bank, airline, etc. – and are not sure of its authenticity, check it out. Call or email the business to verify that the request is legitimate. Also, you can go directly to that company’s Web site to look for warnings listed of recent Web scams that have targeted the business.
Helping businesses serve customers:
1. On-site, at-once. Request all necessary customer information at the time of purchase, while the consumer is on the Web site. In the case of the Southwest email, if the consumer had been directed to the “MySouthwest Account” to provide this information at the time of flight reservation and purchase, it would have expedited the process for the consumer and eliminated the need to send a follow up email that raised the suspicion of the recipient.
2. Avoid follow up email. Consumers are likely to be more suspicious of emails requesting that they log back into – or create – an account to provide personal information.
3. Provide clear instructions. If sending a follow up email to complete the transaction is unavoidable, provide a clear message to the consumer at the end of the initial online transaction – before they leave the Web site – so that they know to expect an email that will require additional information and what that required information will be.
5. Protect customer information on your site. Businesses are responsible for ensuring that the customer information that it collects online is protected from those with malicious intent. Implementing a strong Web application firewall protects the business Web site from being hacked and customer information from being stolen.
The underlying goal here is to enure that businesses that legitimately require user information receive it in a timely and secure fashion. That will keep the bad guys out of consumer’s wallets and bank accounts, and from stealing their identities.
If you look at the email you will see that we have identified the hyperlinks take you to a legitimate Southwest domain. We know it is a legitimate Web site because the URL contains the Southwest domain.