
What are 'Identity Theft' and 'Phishing'?
Published Date : 03 Mar 2005   Last Updated : 04 Oct 2024   Content Ref: TEC373839  





Procedure

These are relatively new threats in the world of security, and have received a lot of media attention recently, but what exactly are they?

Identity Theft
This includes a multitude of sins, ranging from the irritating to the criminal, but all relate to a malicious user passing themselves off as someone else, using the anonymity of the Internet.

At the 'softer' end of the scale this would include users on Internet forums registering themselves with names almost identical to that of an existing user (differing perhaps only with the addition of a full stop, for example), then posting messages whilst purporting to be that user. Whilst not directly damaging, this clearly has potential to cause much conflict for the impersonated person.

Information on how to protect against identity theft can be found on the Home Office website at http://www.identitytheft.org.uk/

Phishing
More worryingly, there has been a significant increase in identity theft scams which attempt to obtain users' personal details, particularly financial information. These are known as 'Phishing' (pronounced as 'fishing'), literally putting out some bait in the hope of catching unwary users.  An example of a typical email-based Phishing scam is shown below:

[Image: Woolwich Phishing scam]

This is a good example, since it demonstrates the typical approach:

  • It appears to be from a reputable financial institution or company (other scams have targeted eBay and PayPal).

  • It claims to be the result of changes to data - typical excuses include:
    • Updates to software
    • Failed backup
    • Database errors
    • Power outages
    • In response to an attempted intrusion by a hacker (!)

  • The user is asked to follow a link and "confirm" their details.

  • A reasonably convincing-looking URL is provided as the link.


Checks

What can I do to reduce my risk?

There are a number of simple, common-sense steps that you can take to protect yourself from scams of this nature:

  • No legitimate company or organisation should ever ask you to confirm login or financial details in this manner - if an email asks you to do this, you should immediately be suspicious.

  • Do NOT click on the link in the mail, as this can easily be made to look legitimate. In the example above, although the URL appears to point to http://www.woolwich.co.uk, it actually sends the user's browser to a completely different site.

  • Visit the website of the company it purports to come from (it may be necessary to perform a web search to find out what their address is). In many cases, they will be aware of the scam and will have a prominently displayed notice about it on the home page. This is certainly the case with the example above - even though, at the time of writing, several months have passed since the email was sent, the front page of the real Woolwich site has a security warning about it.

  • Spelling or grammatical errors may point to it being false (although official emails can still contain them).

 

If you are concerned, particularly if the email is financial in nature, then two pieces of advice will protect you in almost all cases:

  1. Contact the organisation through some other means (for example, telephone) and ask if it originated from them. Do NOT use any phone numbers quoted in the email, as these may also be false.

  2. Under no circumstances should you do as the email asks and pass on personal information - legitimate organisations will already have these details.

For more information about Phishing, refer to the Anti-Phishing Working Group (APWG) website at http://www.antiphishing.org

You can also subscribe to 'OUCH', a newsletter from the SANS (SysAdmin, Audit, Network, Security) Institute that lists current threats and scams. It is written for end users rather than IT experts, so it may be useful to distribute to users at your establishment. Visit http://www.sans.org/newsletters/ to subscribe to this service.



More Information

Document produced by RM Technical Communications Group, using information from the 'Security' seminar, Autumn 2004


Other Useful Articles

What are viruses, worms and trojans? (TEC373462)
