and Tools for Avoiding Online Identity Theft
Contributor: Examination Specialist David M. Nelson, Cyber Fraud and
Financial Crimes Section, Federal Deposit Insurance Corporation
Most experts agree that using “layers” of computer security
is the best way to control your risks on the Internet. No safeguard
is perfect every time, so you should have a few layers of protection
when you are using the Internet. Take for example your own home
security: as a prudent homeowner you protect your home and family in
You maintain the plumbing and electrical wiring to reduce
hazards. You lock the doors and windows, and you have smoke
detectors installed in the appropriate places. Perhaps you also have
an alarm system. If things go wrong, you have a fire
extinguisher, and the whole family has been taught to call 911 and
flee to safety to a neighbor’s house. You have insurance as the
final layer of security to help pick up the pieces after a mishap.
Cyber security works the same way. Having only one security tool is
not enough – you will need a few layers of security to protect
yourself from becoming a victim of Internet fraud (don’t put all
your eggs in one basket).
FRAUDSTERS GAIN ACCESS TO MY COMPUTER AND PERSONAL INFORMATION?
Internet criminals can steal your personal and banking
information without you ever noticing – they can do it while you’re
online shopping, playing games, reading email, or just browsing
is when fraudsters send an email pretending to be a bank or other
trusted source and ask you to confirm your personal information. A
link in the email connects you to a phony site that looks just like
the legitimate one. Pharming
– an even sneakier way that fraudsters can
gain access to your computer and personal information – uses
malicious programs that can get installed on your computer when you
simply click on a link in an email or view an image on a web page.
When you type in the address of your banking, brokerage, or favorite
shopping site, these programs redirect you to a counterfeit site
that looks just like what you are used to seeing. Hackers
can also find and use "vulnerable" applications on your PC,
like music or video players, to access your data and take control.
HOW DO I PROTECT
MYSELF FROM THESE THREATS?
Anti-virus and anti-spyware software, surge protectors,
firewalls, and email spam blockers are good basic tools that all
home users should know about and use. There are also tools available
online that can detect when you are being phished or pharmed, and
prevent your information from being lost by automatically checking a
website and visually alerting you if something is not right. Many of
these tools are free and easy to use. They include anti-virus
software, verification engines, security toolbars, anti-phishing
toolbars, personal firewalls, and even Web browsers that have
anti-fraud warnings built in.
One tool that is easy to use and provides an extra layer of
protection is a
verification engine, which double checks Web sites'
digital certificates. These certificates (indicated by a padlock or
key symbol on your screen) are supposed to show that the Web site
uses approved security measures to protect sensitive information you
provide, such as your account number, as it travels over the
Internet. However, the security symbols can be faked, so it's
important to ensure that the name that the certificate was issued to
matches the name in the Web address. When installed on your
computer, the verification engine can tell you if the site you’re
visiting is the real site or someplace where you may want to use
caution. You can find and download a free verification engine at
kind of security tool, called a site advisor, checks Web sites that
you visit against a list known for adware, spyware, spam, and
phishing. For more information, go to
Dual authentication is a way to verify that you are logging
onto the correct Web site. As an example, Yahoo! offers a free
“sign-in” seal or secret message that is displayed on the computer
screen so users can verify that they are logging in to the Yahoo Web
site to shop or read email instead of a pharming or phishing site.
This works only on sites where you have an account set up. You'll
need to choose a seal or message for each computer that you log in
from, or you may need to answer some additional questions if you
try to log on from a different location. Many financial institutions
are adopting security seals along with security question to help
consumers avoid pharming or phishing attacks.
Two-factor authentication is now being used by financial
institutions and online e-commerce sites. Usernames and passwords
alone are no longer strong enough to protect against Internet
threats like key loggers. Most security experts agree that having an
additional layer of authentication is the best way to protect your
online financial accounts. One example of strong two-factor
authentication is the one-time password token now being offered by
PayPal, a popular online payment processor, for $5. The key
chain-sized token generates a 6-digit number that is used in
combination with a user ID and password to log on to the account,
which makes it very difficult for phishers to gain access to an
Another helpful layer of protection is offered by
that work as part of your Web browsers. Some security toolbars block
fraudulent sites and
allow users to easily report suspicious sites. Two examples of this
type of toolbar can be found at
Web Browsers with
Built-In Anti-Fraud Functions
The Microsoft Internet Explorer 7.0 web browser has
built-in anti-fraud functions that warn users that they may be
visiting a fraudulent Web site. You can find out more at
Firefox 2 also has a “black list” default function like
Internet Explorer that alerts users of known phishing sites, but
unlike Internet Explorer 7.0 it does not scan Web pages or URL's
looking for telltale signs of fraudulent sites. The Opera Web
browser has added anti-phishing and anti-fraud features to its
latest version, Opera 9.1. It can be downloaded for free at
Since several layers of protection work best, consider
anti-spyware protection. Spybot Search and Destroy is free software
that identifies the most common kinds of software that track your
online activity and helps you to remove them. Go to
can also get on your computer, hide, and allow a remote hacker to
control your machine. If you are considering a free anti-rootkit
program, check out Sophos Anti-Rootkit at
program requires some expertise and may not be appropriate for many
One simple way to keep unwanted software from being
installed on your computer is to restrict user access levels. Set
up one separate password-protected “Admin” account on your PC for
adding and removing programs and other sensitive functions. For
routine online activities, set up and use “limited” user accounts
for all users who will be surfing on the Internet. Unwanted spyware,
rootkits, and Trojan Horses can not be installed on your computer
without the “Administrator’s” permission. You can set up admin and
limited user accounts by using the “Control Panel” function on
Windows and “System Preferences” on Apple Macintosh.
WHAT DO I DO IF I
DETECT A FRAUDULENT OR SUSPICIOUS SITE?
If you do detect a fraudulent or suspicious Web site, you
can report it so that it will be investigated.
help you determine if a site is a known phishing place, and enables
you to register and report questionable sites for investigation.
another Web site to which you can report suspicious URL's for
TIPS TO PROTECT
In addition to installing tools on your computer to protect
yourself, keep the following tips in mind:
When entering sensitive information (bank account numbers, credit
card information, social security number, mother's maiden name)
online look for “shttp://” or "https://"
in the address line of your browser. This means information is being
Never click on a link in an email directing you to a Web site.
Manually type the Web site address into your browser to be sure you
are not misdirected.
prevent pharming, use anti-virus and anti-spyware software and be
sure to keep them up to date.
Don't give out personal information unless you've initiated the
contact or are sure with whom you are dealing.
Look for Web site privacy policies. They should answer questions
about maintaining accuracy, access, security, and control of
personal information collected by the site, how the information will
be used, and whether it will be provided to third parties. If you
consider doing business elsewhere.
Learn more about cybersecurity. In addition to the National
site, there are many other resources. The Federal Deposit Insurance
Corporation offers a free CD-ROM about how to keep your computer
secure which you can order at
The National Cyber Security Alliance,
the Federal Trade Commission,
and the Internet Education foundation,
provide general advice about online safety and security. There are
also commercial sites, such as
that offer software reviews. Some security software is free or
offers free trial periods.