In mid-December the Italian Data Protection Authority (hereafter IDPA), as part of its series of information sheets aimed at raising privacy awareness, published a new fact sheet on phishing.
Phishing is a form of online scam based on deceiving users. It is an unlawful technique used to steal confidential information about a person or a company (usernames and passwords, access codes such as mobile phone PINs, bank account numbers, ATM and credit card data) with the intention of carrying out fraudulent transactions. It is performed by sending e-mail messages that appear to come from the service provider, or by creating web pages that likewise impersonate the provider, whose purpose is to steal the customer's personal data so that it can be used to make payments drawn from his or her account or to transfer funds to other accounts. IDPA underlines that the identity thief poses as an institutional entity (e.g. a bank, a credit card issuer, a public authority) and invites the potential victim to provide personal information in order to resolve supposed technical problems with the bank account or credit card, to accept contractual changes or promotional offers, to process a tax refund, and so on.
Phishing messages usually reach end users as spam e-mail. In some cases the deceptive links do not lead to a copy of the original site but directly to the genuine site of the impersonated organisation, where the fraudster has previously inserted a pop-up through unauthorised access to the system. The pop-up asks the connected user to confirm his or her data; once entered, the data are available to the phisher.
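The deceptive links described above can be checked mechanically before a user clicks on them. The following Python script is an added example, not part of the IDPA fact sheet or of this article: it parses the links in an HTML e-mail body and flags three signs of deception, namely visible text that names one domain while the href goes to another, a trusted brand name embedded in an untrusted domain, and a bare IP address in place of a hostname. The mail body, the trusted domain examplebank.com and the lookalike hosts are all constructed for the demonstration; the registrable-domain helper is deliberately simplified, and a production checker would consult the Public Suffix List.

```python
"""Flag deceptive links in an HTML e-mail body.

Added illustration, not part of the IDPA fact sheet: it looks for the
deceptive links described in the text. The mail body, the trusted domain
("examplebank.com") and the lookalike hosts are constructed for the demo.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (assumed content, not a real phishing mail).
SAMPLE_MAIL = """
<p>Dear customer, please confirm your account details:</p>
<a href="http://examplebank.com.verify-login.net/secure">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">help centre</a>
<a href="http://198.51.100.7/update">Update now</a>
<a href="https://examplebank-security.com/reset">examplebank-security.com</a>
"""

TRUSTED_DOMAINS = {"examplebank.com"}  # assumed: the real bank's domain

# Visible link text that itself looks like a URL or hostname.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Extract the host from a URL, or from bare text such as 'bank.com/x'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    """Simplified: 'bank.com' from 'www.bank.com'. A real checker should use
    the Public Suffix List so that e.g. 'bank.co.uk' is handled correctly."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_deceptive_links(html_body, trusted_domains=TRUSTED_DOMAINS):
    """Return (href, reason) findings for links that deceive the reader."""
    collector = LinkCollector()
    collector.feed(html_body)
    brands = {d.split(".")[0] for d in trusted_domains}
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)

        # 1. The visible text shows one site while the href goes to another.
        if URL_LIKE.fullmatch(text) and registrable_domain(host_of(text)) != href_domain:
            findings.append((href, "text_href_mismatch"))

        # 2. The brand name appears inside a domain the bank does not own
        #    (examplebank.com.verify-login.net, examplebank-security.com).
        if href_domain not in trusted_domains and any(b in href_host for b in brands):
            findings.append((href, "brand_lookalike"))

        # 3. A bare IP address is used instead of a hostname.
        try:
            ipaddress.ip_address(href_host)
            findings.append((href, "raw_ip_host"))
        except ValueError:
            pass
    return findings


if __name__ == "__main__":
    for href, reason in find_deceptive_links(SAMPLE_MAIL):
        print(f"{reason:20} {href}")
```

Run against the sample, the script reports the first link twice (text/href mismatch and brand lookalike), the IP-address link once and the lookalike domain once, while the genuine help-centre link produces no finding. The same checks are what mail gateways apply when they rewrite or block links, and they are the mechanical counterpart of the "common sense" the IDPA recommends: always compare where a link says it goes with where it actually goes.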
Under the Italian Criminal Code, phishing is not a specifically defined offence. As a general rule, the relevant conduct may be punished under Art. 615-quater (unlawful possession and dissemination of access codes to computer or telematic systems) or Art. 640 (fraud) of the Code, or under Art. 171 of Law 22 April 1941, no. 633, as amended (copyright protection); these offences may also be charged cumulatively, since the indictment is determined by the specific conduct carried out by the phishers.
As IDPA suggests, the main defence against phishers is common sense. Further measures are: installing anti-virus software with anti-phishing protection on your PC or smartphone and keeping it updated; keeping spam filters updated so that most phishing messages are intercepted automatically; setting complex alphanumeric passwords, changing them often and using different credentials for each service (online banking, e-mail, social networks, etc.), unless strong authentication is in place.
Can such countermeasures be considered sufficient? First of all, we need to determine what we are defending, and against whom.
For more details, please refer directly to the IDPA link.
Avv. Laura Marretta