
The Old Phishing Hole

According to several sources, the fastest-growing cyber-threat this year is an activity called phishing. In a nutshell, phishing is an attempt to trick you into giving up personal information, which is then used for identity theft or other financial crimes. Here’s how it works:

You receive an e-mail that appears to be from a financial institution, your ISP, a major retailer or some other agency that you do business with and are likely to trust. This e-mail tells you there is some problem with your account, and you must log in and verify or re-enter certain information, like your credit card number, passwords or social security number. The e-mail even contains a convenient link that takes you right to the agency’s web site, or so it seems. The industry group that tracks these crimes says that 15 out of the top 20 phishing scams pose as a bank or other financial institution. Earthlink, AOL, eBay and PayPal are other popular targets.

Quite often, the e-mail will contain obvious spelling or grammar errors, because the criminal has a native language other than English, or because, like most criminals, this one is somewhat stupid. But not always. Some of these phishing letters and web sites appear amazingly authentic. The sender’s e-mail address appears correct (it’s spoofed, of course) and the browser shows the correct URL for the agency this is supposed to be. That URL is actually a graphic positioned on top of your browser’s real address bar, but you wouldn’t know that to look at it. No matter how authentic it may appear, if you respond and give the crooks the information they seek, the next step is to clean out your bank account, run up your credit cards or open new credit with your stolen identity. It will be an unpleasant mess, any way you look at it.
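The "convenient link" described above is the part of a phishing e-mail a mail filter can actually check: the address a link displays and the address it really goes to are two different things in HTML. The script below is an added example, not code from this article or from any anti-phishing product. It pulls every link out of an HTML message body and flags the ones that point at a raw IP address, hide the real host behind a "user@" prefix, lead to a domain other than the one the message claims to be from, or show one web address as text while linking to another. The sample message, the 203.0.113.5 address and the .example domains are constructed placeholders, and registrable_domain() is a deliberate simplification (last two DNS labels) that real code would replace with a public-suffix lookup.

```python
"""Flag deceptive links in an HTML e-mail body (defender-side check, added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style message; hosts are documentation placeholders.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Please <a href="http://203.0.113.5/login">log in to PayPal</a> now to verify your details.</p>
<p>Or visit <a href="https://paypal.com.account-verify.example/">https://www.paypal.com/</a></p>
<p>Questions? <a href="https://www.paypal.com/help">PayPal Help</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # inside an <a>, possibly nested in <b>, <span>, ...
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels. Simplification (assumption): real code uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part of a URL is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html, expected_domain):
    """Return [(href, visible_text, [reasons])] for every link that looks deceptive."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("non-web scheme %r" % target.scheme)
        if target.username is not None:
            # http://bank.example@evil.example/ : browsers treat the part before '@' as a login name
            reasons.append("user-info before '@' hides the real host")
        if is_ip_literal(host):
            reasons.append("raw IP address instead of a hostname")
        elif host and registrable_domain(host) != expected_domain.lower():
            reasons.append("target domain %s is not %s" % (registrable_domain(host), expected_domain))
        # If the visible text itself looks like a web address, it must agree with the real target.
        shown_host = ""
        if text and not any(ch.isspace() for ch in text):
            shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
            reasons.append("link text shows %s but points to %s" % (shown_host, host or "?"))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print("SUSPICIOUS: %r (shown as %r)" % (href, text))
        for reason in reasons:
            print("    - " + reason)
```

Run against the constructed message, the first two links are flagged (IP-address host; wrong domain plus text/target mismatch) and the genuine help link passes. The same mismatch check is what makes "type the address yourself instead of clicking" good advice: the text you see is never what the link actually opens.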

So, how can you protect yourself against this?

First of all, do not under any circumstances click the link provided in the e-mail, and do not reply to the e-mail either. You can be sure that no legitimate institution will ever ask you to respond to an e-mail (or a phone call) and give personal information that they are already supposed to have. It just isn’t done. However, if you feel the need to confirm this, you can contact the agency by typing their URL into your browser, not by clicking a link, or you can call them. But don’t use a phone number that’s provided in the e-mail.

This might all seem like just common sense, but one thing that makes phishing work is that it almost always starts out with alarming news. Your account will be closed, or someone has already stolen your identity or opened a fraudulent account in your name. Whatever the story, it’s something upsetting that needs to be handled right away. It’s easier to do the wrong thing when you are slightly rattled and in a hurry, and the e-mail makes it easier still with the phony link.

There is a variation of this that targets online businesses using greed instead of fear. The e-mail claims to have deposited a large (but believable) amount into your PayPal account for whatever goods or services you are selling, and they just need you to log into PayPal to confirm receipt, using the handy link. Of course, once they have your login info that PayPal account will be cleaned out faster than you can say “What happened?”

If it’s any consolation, these financial firms and other businesses being mimicked by the phishers are even more concerned than you and I, because they usually wind up holding the empty bag at the end of the day. A number of them have formed an organization to combat the menace and keep the public informed. It’s called the APWG, for Anti-Phishing Working Group. Earthlink is one of the members, and they are offering a free browser toolbar that alerts you before you connect to a known phishing website. It’s available to everyone, Earthlink customer or not. You can check out the APWG website and download the toolbar here:

http://www.antiphishing.org/index.html

There are a couple of close cousins to phishing that we might as well mention while we are on the subject. One of them is an email announcing a Microsoft patch or update that you can get by clicking the link. Just be aware that Microsoft does not announce their patches this way, and it is a pretty sure bet that if you click on that link, something bad will happen.

The other one is the old Nigerian scam, where an email claims that the sender has come into millions of dollars in some questionable way that makes it difficult for them to get it out of their country. If you help them get it into the country, they will give you a healthy percentage of it, definitely enough for you to quit your day job. They just need your bank account information to transfer the money, or they need a cash advance from you to bribe the appropriate officials. It ain’t gonna happen, folks. There may very well be individuals in Nigeria coming into large sums of money in questionable ways, but I am quite sure they do not announce that fact to strangers over the Internet.

With a little bit of caution and common sense you should be OK, but there is another small step you can take to help bring these cyber-crooks to justice. If you get a suspicious e-mail that looks like a phishing expedition, forward it to the company or agency it is pretending to be from, or send it to APWG, or both. Everyone who might have gotten scammed but didn’t will owe you a debt of gratitude.

Disclaimer - The Micro 2000 Tech Tip is a free service providing information only. While we use reasonable care to see that this information is correct, we do not guarantee it for accuracy, completeness or fitness for a particular purpose. Micro 2000, Inc. shall not be liable for damages of any kind in connection with the use or misuse of this information.



© 2006 M2Ktech.com All Rights Reserved