Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

Just got burned by an Internet scam

It’s called a phishing scheme, and it can happen to the best of us. Consider the recent account of a boardgame geek named Nimrods:

… it gave me a list of alleged security breaches and asked me to follow a link to EBay where I would reconfirm my account details. I actually got as far as entering my credit card number and security code before I noticed the lack of a padlock at the bottom of the browser…

Fortunately for Nim’, he immediately ran down the owner of the URL and canceled his credit card. Still, it is irritating at the least, and potentially financially catastrophic at the most. Imagine the poor church secretary who gets an email from what looks like eBay, or Amazon, Citi Bank, Verizon or some other entity their church uses that says, click here or your credit will be ruined forever.

The email has the company’s brand or logo. It has an email address that contains the company’s brand name. It sounds like it was written by someone who knows something about your account. Why wouldn’t an honest, hard-working person get taken? And that, my friend, is exactly what these ‘phishers of men’ are hoping for.

What to do? Well here is exactly what the FTC, the nation’s consumer protection agency, suggests you do to help you avoid getting hooked by a phishing scam:

  • If you get an email or pop-up message that asks for personal or financial information, do not reply or click on the link in the message. Legitimate companies don’t ask for this information via email …
  • Don’t email personal or financial information. Email is not a secure method of transmitting personal information … no indicator is foolproof; some phishers have forged security icons (e.g. padlocks).
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Use anti-virus (and personal firewall) software and keep it up to date
  • Be cautious about opening any attachment or downloading any files from emails you receive, regardless of who sent them.
  • Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov. If you believe you’ve been scammed, file your complaint at www.ftc.gov, and then visit the FTC’s Identity Theft Web site at www.consumer.gov/idtheft to learn how to minimize your risk of damage from ID theft. Visit www.ftc.gov/spam to learn other ways to avoid email scams and deal with deceptive spam.

There have been times I have complained about my tax dollars at work, but this is not one of them — the people at the FTC are correct. About the only thing I might add is to learn how domain names work, specifically subdomains – because most of the phishing schemes I’ve seen employ some sort of email address that includes some nefarious combination of a brand name for the subdomain, such as ‘Amazon’, coupled with a slightly mangled $6.95 domain name such as ‘accountsrecievable.info’, to give you customerservice@amazon.accountsrecievable.info. Only the right-hand part (‘accountsrecievable.info’) had to be registered; whoever owns it can put any name they like, including ‘amazon’, in front of it.
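To make the subdomain point concrete, here is a small Python script (added as an illustration; it is not code from this site or from the FTC) that pulls the hostname out of an email address or URL, strips off the freely chosen subdomain labels to find the part the sender actually registered, and flags addresses where a brand name appears in the hostname but the registered domain is not that brand’s real domain. The brand table and the short list of two-label suffixes (co.uk and the like) are constructed for the example; a real tool should use the full Public Suffix List from publicsuffix.org instead of a hand-made set.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Constructed, deliberately incomplete set of multi-label public suffixes.
# Under these suffixes the registered name is three labels long (amazon.co.uk),
# not two (co.uk). A real deployment should load the complete Public Suffix List.
MULTI_LABEL_SUFFIXES: Set[str] = {"co.uk", "org.uk", "com.au"}

# Constructed table for the example: brand name -> domains that brand really uses.
# Maintain your own from the bills and statements you already receive.
KNOWN_BRANDS: Dict[str, Set[str]] = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "ebay": {"ebay.com", "ebay.co.uk"},
    "verizon": {"verizon.com"},
}


def hostname_of(address: str) -> str:
    """Return the lower-cased hostname from an email address or a URL."""
    address = address.strip()
    if "@" in address and "://" not in address:
        # Plain email address: everything after the last '@' is the domain part.
        return address.rsplit("@", 1)[1].lower()
    # URL (add a scheme if the user pasted a bare hostname so urlparse sees a netloc).
    parsed = urlparse(address if "://" in address else "http://" + address)
    return (parsed.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the sender actually had to register.

    Every label to the left of it (e.g. 'amazon' in amazon.accountsrecievable.info)
    is chosen freely by whoever owns the registered domain.
    """
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    last_two = ".".join(labels[-2:])
    if last_two in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return last_two


def brand_mismatch(address: str, brands: Dict[str, Set[str]]) -> Optional[str]:
    """Explain the mismatch if a known brand name appears in the hostname but the
    registered domain is not one of that brand's real domains; otherwise None."""
    host = hostname_of(address)
    registered = registrable_domain(host)
    for brand, real_domains in brands.items():
        if brand in host and registered not in real_domains:
            return (f"'{brand}' appears in {host}, but the registered domain is "
                    f"{registered}, which is not one of {sorted(real_domains)}")
    return None


if __name__ == "__main__":
    # Constructed sample inputs: the two addresses from the post plus a URL each way.
    samples = [
        "customerservice@amazon.accountsrecievable.info",
        "vgz123@gtc.verizon.com",
        "http://signin.ebay.co.uk.example-login.net/",
        "https://www.amazon.co.uk/account",
    ]
    for sample in samples:
        verdict = brand_mismatch(sample, KNOWN_BRANDS)
        print(f"{sample}\n  -> {verdict or 'registered domain matches the brand'}")
```

Run it as-is and the Amazon address from the post is flagged because the registered domain is accountsrecievable.info, while the Verizon address passes because gtc.verizon.com is registered as verizon.com. The lesson the script encodes is the one above: read a hostname from the right, not the left.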

This, coupled with the company’s logo, and whammo: while they may not get everyone, they’ll get enough. Which is why it wouldn’t hurt to familiarize yourself with some of the basics of the Secure Sockets Layer, or in plain English, why Nimrod noticed the lack of a padlock at the bottom left of his browser. SSL, as it is otherwise known, is the protocol that reputable companies, such as Amazon, eBay and the like, use when they take your credit card information.

Like all methods of security, you need to understand that no single method is foolproof – you must layer multiple methods. For example, Secunia recently reported an Internet Explorer exploit that allowed the phisher to fake the padlock – while other schemers just go ahead and buy a cheap SSL certificate for their own mangled domain, so the padlock is genuine but the site behind it is not.

In my house, we have standing orders – no financial information is disclosed to unsolicited emails and phone calls, period. I’ve upset one bank by demanding a phone number that I could call back the following day – the assistant manager got upset that I was so suspicious – the regional manager of the bank was not so upset when I explained my demands. Likewise, when my wife got hit with a Verizon phishing scheme via email, she called Verizon using not a phone number in the email, but the support number on our bill – whatta great geek girl I’m blessed with! Especially because the phisher had generated email addresses that broadcasted to a range of Verizon customers (e.g. vgz123@gtc.verizon.com).

Scared spitless? The best way to conquer fear is knowledge – and practice. Here are some links to get you started:

I realize this is somewhat out of context — though to some it might seem a form of persecution — regardless, let us not forget the warning of the Christ in Matthew 10:16 where He says:

“Behold, I am sending you out as sheep in the midst of wolves, so be wise as serpents and innocent as doves…”

8 Comments

  1. Thanks Dean for all these helpful insights!

    We’re sending some of our IndyChristian.com surfers your way today.

    YBIC,
    Neil
    LovingChange.com

  2. Sad thing is companies do ask for this stuff via email. See my issue with MasterCard

    http://ideajoy.blogspot.com/2004/12/presidents-choice-financial-sets-its.html

    - Peace
    Dave

  3. I’d also recommend forwarding any fraudulent emails to both the company that is being impersonated and spam@uce.gov.

  4. I almost got caught by this same eBay thing! I clicked the link and as it was loading, I thought, “Why did I get two emails?” I looked back at the email and thought, “How did eBay get those addresses?” Then it hit me. I couldn’t believe how close I had been to falling for it.

    Keep on guard, people!

  5. Pingback: GodsArmor.com

  6. Good posting Dean and lots of useful advice there.

    What annoys me most is that I know all this stuff – I’m a computer professional after all, and I’ve often pointed out email scams to friends and colleagues. I suppose the phishers were lucky and caught me at the end of a busy day when I was feeling tired and distracted. I was going through my admin and just trying to get stuff cleared, so I was running on autopilot.

    One good thing came of it though – plenty of new hits for “nimrods” from your posting!

  7. Pingback: GodsArmor.com