Looking at the mail which was seemingly from his ISP asking him to update his account information I came to understand exactly how difficult it actually is for normal users to identify Phishing.
Not that the page was beautifully designed, but the attacker had really tried to make an effort to make the site look like the one of Etisalat.
As such not very different to any other phishing attempt I have seen recently.
If my friend would have continued to enter username and password the phisher-man in the other end would have been able to harvest username and password and from there one been able to login to the Etisalat website using the victims credentials.As such the Etisalat portal may not be too sensitive, but if my friend is anything like most other people he probably uses the same password for many different services
Btw…Etisalat is not at fault here, someone out on the Internet is simply just exploiting that they are a big company here in the UAE.
But it does raise the question on how do you identify a phishing attempt.
The golden rules that any users should follow:
Never ever enter your username and passwords unless you know who you are communicating with.

  • Check the address in the Browser bar – In the case today it is easy to see that you are not talking to Etisalat
  • Any login information should always be done over SSL/HTTPS
  • Verify the SSL-Certificate – It should be from a reputed Certificate Authority, especially if you are dealing with financial transactions.
  • Never click links in mails from people or organizations you do not trust…in fact any organization should think about how they communicate to individuals and formally communicate this.

Check the e-mail address of the sender:

  • If an e-mail arrives asking you for information make sure you check the e-mail address of who is sending you the mail – It should be from someone you trust

Be skeptical – Never trust anyone until you have checked
Phishing does not only happen on the internet – It could also be via phone, so if someone calls you asking you for personal details simply say that you will call back and contact via the formal channels and numbers.
Don’t trust caller information on the phone – This type of information can be changed and is not creditable.
And then finally…the one rule to rule them all…

– Something that is complex (10 characters or more is advisable today)
– Something you only know – Make up a way to remember passwords or keep them in a password safe
– A good password is unique – so no re-use
PLEASE: If you feel the burden of remembering multiple passwords are simply too big for you…at least make sure that critical services have unique passwords. There is no reason why your etisalat login credentials is the same as your bank!!!

I also hope that in the future we will see technologies coming out which allows true authentication, both of the client but also of the service.It is already available with advanced two-factor authentication solutions, but unfortunately the pain from password mis-management is still deemed smaller (or cheaper) then actually fixing the issue!