… it gave me a list of alleged security breaches and asked me to follow a link to eBay where I would reconfirm my account details. I actually got as far as entering my credit card number and security code before I noticed the lack of a padlock at the bottom of the browser…
Fortunately for Nim’, he immediately ran down the owner of the URL and canceled his credit card. Still, it is irritating at the least, and potentially financially catastrophic at the most. Imagine the poor church secretary who gets an email from what looks like eBay, Amazon, Citibank, Verizon or some other entity their church uses that says, click here or your credit will be ruined forever.
The email has the company’s brand or logo. It has an email address that contains the company’s brand name. It sounds like it was written by someone who knows something about your account. Why wouldn’t an honest, hard-working person get taken? And that, my friend, is exactly what these ‘phishers of men’ are hoping for.
What to do? Well, here is exactly what the FTC, the nation’s consumer protection agency, suggests you do to help you avoid getting hooked by a phishing scam:
- If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email …
- Don’t email personal or financial information. Email is not a secure method of transmitting personal information … no indicator is foolproof; some phishers have forged security icons (e.g. padlocks).
- Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
- Use anti-virus (and personal firewall) software and keep it up to date.
- Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
- Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to firstname.lastname@example.org. If you believe you’ve been scammed, file your complaint at www.ftc.gov, and then visit the FTC’s Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.
There have been times I have complained about my tax dollars at work, but this is not one of them — the people at the FTC are correct. About the only thing I might add is to learn how domain names work, specifically subdomains – because most of the phishing schemes I’ve seen employ some sort of email address that includes a nefarious combination of a brand name for the subdomain, such as ‘Amazon’, coupled with a slightly mangled $6.95 domain name such as ‘accountsrecievable.info’, to give you email@example.com.
This, coupled with the company’s logo, and whammo – while they may not get everyone, they’ll get enough. Which is why it wouldn’t hurt to familiarize yourself with some of the basics of the Secure Sockets Layer, or in plain English, the reason Nimrod noticed the lack of a padlock at the bottom left of his browser. SSL, as it is otherwise known, is the protocol that reputable companies, such as Amazon, eBay and the like, use when they take your credit card information.
Like all methods of security, you need to understand that no one single method is foolproof – you must layer multiple methods. For example, Secunia recently reported an Internet Explorer exploit that allowed the phisher to fake the padlock – while other schemers just go ahead and employ a cheap SSL certificate.
In my house, we have standing orders – no financial information is disclosed to unsolicited emails and phone calls, period. I’ve upset one bank by demanding a phone number that I could call back the following day – the assistant manager got upset that I was so suspicious – the regional manager of the bank was not so upset when I explained my demands. Likewise, when my wife got hit with a Verizon phishing scheme via email, she called Verizon using not a phone number in the email, but the support number on our bill – whatta great geek girl I’m blessed with! Especially because the phisher had generated email addresses that broadcasted to a range of Verizon customers (e.g. firstname.lastname@example.org).
Scared spitless? The best way to conquer fear is knowledge – and practice. Here are some links to get you started:
- Anti-Phishing Working Group – their mission is to provide a resource for information on the problem and solutions for phishing and email fraud.
- Microsoft (the Internet Explorer people): Phishing scams: 5 ways to help protect your identity
- Wikipedia on password harvesting fishing
- Phishing for dummies: hook, line and sinker – “Couldn’t happen to tech-savvy users, right? Unless you consider how entire nations have been fooled.“
I realize this is somewhat out of context — though to some it might seem a form of persecution — regardless, let us not forget the warning of the Christ in Matthew 10:16 where He says: