Term „phishing“ represents activities by which unauthorized users try to persuade the user to disclose confidential personal data (usernames and passwords, PIN numbers, credit card, numbers, etc.) through a different sub-item of e-mails and falsified websites of financial organizations.
In today s world when communication via the internet, like for example: internet banking, is becoming everyday and when large corporations reduce their financial business to the described type of cooperation, the so-called „Phishing attacks“ pose a huge risk in business. Although the term „phishing“ first appeared in 1996, it only became recently known to the wide public, mainly due to the extraordinary increase in unauthorized activities of this type.
Interception of communication between client and server is one of the most common techniques for accessing confidential user information. By inserting into the communication channel, established between the client and the server, an attacker is has the possibiliy to analyze the complete traffic which is exchanged between these two sides, even when encrypted communication is used. Thus, the application of „Man in the Middle“ (MITM) attacks is almost ideal for conducting phishing attacks. For the successful realization of the attack, the client needs to be redirected to a malicious address through which the traffic will be further redirected to the legitimate web servers of the financial institution that wants to be falsely displayed. In this case, the attacker s computer performs the function of a proxy server, recording all the data necessary for the further implementation of the attack.
Given that this is a problem that is increasingly gripping financial internet transactions, it is necessary for users to take certain mechanisms to protect themselves. The following mechanisms have a preventive nature and include: server-side protection and service provider applications, user education, strong user authentication, secure web application development, mail server security, antivirus protection and user caution.
If a phishing attack has already taken place and you want to defend your rights, it is necessary to assess the damage, the harmful consequences and determine the contribution to the damage, which is considered in each specific case. Therefore, when it comes to further steps and exercising the rights based on the above, it is necessary to analyze all the important facts, of which the moment of the phishing attack is particularly relevant. In conclusion, there is still no adequate legal protection and relevant legal framework in the acts of Bosnia and Herzegovina because it is a type of cybercrime that is a relatively new concept for the competent institutions and which is only the target of research and study.
