Last week I unexpectedly received an email purporting to be from Suncorp Bank. In the last year or so of banking with Suncorp and using their online banking system countless times, I don’t ever recall receiving an email from them about anything.

It doesn’t surprise me that I haven’t received an email from Suncorp before, given the prevalence of phishing attacks these days. For those unaware, phishing is an attempt to fraudulently acquire personal information from someone by getting them to enter it into a web site that looks familiar, that is in fact just a shallow replica of a real site. Phishing attacks are one of the reasons you’ll read and hear major institutions state that they will never ask you for your username and password, ever.

Just to checkout what the latest phishing attempt looked like, I thought I’d investigate the email to see if the spammers had gotten any smarter over the years. First thing I noticed was it was from an email address that was clearly related to their online banking system and at the correct domain. Secondly, the subject had to do with BPay – so I though how fantastic that the spammers now use brands or products related to the local country to garner trust with the user.

After opening the email, I suddenly realised that the email was legitimate and I couldn’t believe it! It turns out that Claire had just paid our rates online, through the Suncorp internet banking web site using BPay. The email was a notification, to let me know that a large payment had just been processed and if I hadn’t arranged it to call them immediately.

What I love about the email though:

1. The subject was clear, it was a BPay notification
2. They sent it to both of the email addresses I’d provided Suncorp, not just my primary one in case I didn’t check it immediately.
3. It was a plain text email, so no fancy images or design – just the message. That meant that you needed to read the content of the email to see what it was about and not blindly clicking on something because it used the familiar Suncorp branding.
4. The first line stated what it was about (high value BPay transaction), the second contained what action to take (phone Suncorp) and for full details you could check the transaction on their site.
5. Suncorp include their business name, address, ABN, contact information in the footer
6. Most importantly, there isn’t a single hyperlink anywhere to be seen in the email. As such, you can’t just ‘click the obvious link’ to go to their site.

A lot of the things above seem pretty small things to a lot of people, however I’m really impressed that they’ve chosen a lot of those options – especially the plain text email. Nefarious individuals and companies that use phishing attacks prey on people reacting to a familiar company and brand, such as from their bank to take an action. By providing it in plain text, it removes the familiarity aspect away to make you read the email. By not providing any hyperlinks, you need to open your browser yourself and go to their web site.

All round, a great email from Suncorp and they should be congratulated for doing their part in helping keep their clients information private and their money safe. If I were to make a single change to it, it’d be to remove the phone number and direct the user to their web site (no hyperlink) to get the phone number if they don’t already have it on hand. That way, all of the contact information needs to be entered by the user on their own behalf, which would all but remove the risk of a phishing attack.

With the explosion of the internet in the last ten years and the ever increasing use and reliance on it to perform our every day life and work, it has become more important than ever to consider your personal security online.

The overwhelming majority of internet users have no idea at all about the steps required to help protect their personal information online. This can be seen by the massive surge in identity theft in the last five years, which is happening online and offline.

To help combat that epidemic, below are my top recommendations to lower your risk of identity theft and improve your online personal security:

1. Don’t Share Your Account Information
   Just like your PIN number on a debit card or your credit card number, don’t share your account information for with anyone. If you have in the past, regardless of how much you might trust that person – make a point of changing your password as you don’t know how lax they have been with your personal information.
2. Don’t Reuse Your Account Information
   People hate having to remember different usernames and passwords for different web sites. However, reusing your account information from one site on another puts all of your online accounts in serious jeopardy if someone tries to attack your identity online.
3. Create Different Accounts For Different Purposes
   For most people it is hard enough to not reuse your account information across literally dozens of different online accounts. However, if you can’t manage a unique set of credentials for each web site – at a minimum group the web sites by type (email, social network, banking, online shopping, ..) and use a different set of credentials for each site. At least if someone gains access to your Facebook account, they don’t automatically get access to your bank accounts.
4. Choose Strong Passwords
   Just like people hate having to remember different usernames, people hate having to remember different passwords. This leads people to using a simpler password, in the hope that they’ll be able to remember it. That mental stumbling block is the perfect attack point for an average user, as their password will probably be a dictionary word or another simple combination of characters such as ‘12345’. When creating a password, regardless of whether it is for an email account, social networking or an internet banking account – it should contain lower case, upper case, numbers, special characters and be at least 8 characters long. I know that sounds like a lot of hoop jumping but there are simple ways to remember a complex password, such as using a memorable phrase and replacing a few characters within it.
5. Reduce The Number Of Online Accounts
   With the creation of the authentication protocol OpenID, web site developers now have the ability to allow clients to create a new account without having to worry about managing yet another password. Instead users can signin using an existing account such as a Google, Microsoft Live, Yahoo!, AOL and many more. By signing up using an OpenID enabled account, you have one less password to remember and when you change your password – it is changed on all sites that are linked to it. It might seem as though using OpenID contravenes points 2, 3 and 4 above however it doesn’t because you can create one more OpenID accounts and use a strong password on each instead of something simple like your pets name.
6. Ensure You’re Using HTTPS
   If you’re logging into a site or disclosing your personal information online, make sure you’re currently viewing that web site in HTTPS. The ‘s’ in HTTPS stands for secure and it uses high strength encryption to keep your personal information private when transferred from your web browser to the web site in question. If you aren’t viewing it site in HTTPS, your personal information is transferred across the internet in clear text that anyone could potentially read.
7. Practice Minimal Disclosure
   The internet is a public medium, once you put your personal information out into the public realm – it could very well remain their for the foreseeable future. That means that anyone that might be inclined to go looking for information about you can find it with ease. With that in mind, you should make a point of only ever publishing as much information about yourself on a web site as you’d be happy to have displayed on a billboard beside a busy motorway.
8. Consider Using A Password Manager
   If you do have dozens of different accounts and you cannot keep up with it all, consider using a password manager. You can generate a strong, high complexity random password for every site you create an account on and store it within your secure password manager. If and when you need to signin to that site again, simply look it up within the password manager. If you don’t want to use a standard desktop password manager like KeePass, there are also some fantastic secure password managers which provide web browser integration such as LastPass.
9. Your Email Address Isn’t Your Username
   If a web site doesn’t support OpenID but it does allow you to create a username that isn’t your email address – you should take them up on that offer. While convenient, your email address isn’t your username and can lead to issues in the future if you lose that email account. A friend of mine signed up to Amazon using their Hotmail account and it was previously used by another person but expired. Once signed in, my friend could see all of the previous owners personal information they’d provided Amazon, including name, address, purchase history and more.
10. Shared Computer Access
    If you’re in a position where you use a computer and it is shared between a number of different people, either at home, work or elsewhere – always remember to clean up after yourself. Most web browsers have the ability to remember usernames and passwords for convenience. However if you’re using a shared computer, you could be leaving your account information laying around for someone else to pray on. An easy solution for this is to simply clear all the temporary internet files when you’re done or before logging out of the machine. If that seems like it is too much hassle, the latest versions of Internet Explorer, Firefox, Chrome, Safari and Opera all provide a privacy mode or private mode which won’t keep any history of your activity while it is enabled.

While there might seem like a lot of things above to consider, those ten items certainly aren’t the only things you can do to improve your identity management process. In a future post, I’ll talk about how you might go about implementing some of my recommendations above so you can take the first step, which is often the hardest.