Don’t Get “Phished” Out of Cyberspace

Don’t do it. Don’t click on links in any e-mail messages you receive that ask or demand that you update your credit card, bank, Social Security or other financial information, or verify your password at eBay, PayPal or other e-commerce Web sites. If you do, in all likelihood you’ll wind up spending many tedious hours trying to recover your stolen identity.

You may have heard this all before, but many people still haven’t. Identity theft via bogus e-mail links, or “phishing,” is escalating, with criminals becoming ever more brazen and sophisticated in their online schemes to trick people into revealing their personal information.

Warn anybody you know who uses a computer about this, particularly those who may not be as tech-savvy.

If you’ve noticed an increase in these assaults lately, you’re right. The number of phishing attacks against e-mail users has been doubling every two months, according to the Anti-Phishing Working Group <www.antiphishing.org>.

People do get scammed. Phishing messages that appear to be sent by trusted companies dupe 3 percent of the people who receive them, according to a survey by Gartner Inc. Phishing cost U.S. banks and credit card companies $1.2 billion last year alone, costs that ultimately are passed on to you, the consumer.

The tricksters are learning new tricks. One of the latest scams involves “context-aware” phishing, according to Dr. Markus Jakobsson, a cybersecurity expert at Indiana University School of Informatics. The e-mail message makes it seem that it must be legitimate because of the knowledge about you or your work or personal relationships that it contains.

The e-mail might seem to come from your boss or a trusted colleague warning you of a new Internet security threat involving your specific credit card company or bank and telling you to go to its Web site to change your password. Just to be “helpful,” the sender provides you with a link in the e-mail message.

But if you click on the link, you’ll be taken to a bogus Web site that looks just like the legitimate Web site. So you won’t even think twice about typing in your login name and current password, thereby allowing the scammer to charge your credit card or empty your bank account.

With these, as well as more garden-variety phishing e-mails that appear to come from the company itself, the most commonly named companies, in order, are Citibank, eBay, U.S. Bank and PayPal, according to the Anti-Phishing Working Group. But customers of other well-known companies are being targeted too, including AOL, Lloyd’s, Wells Fargo and VISA.

Most legitimate businesses, such as these, won’t ask you to verify your financial information in an e-mail message. (The few legitimate companies that still do this should stop.)

Another new phishing scam doesn’t even require you to click on a link in an e-mail message. It takes advantage of security vulnerabilities within Windows to trigger a “script” within the e-mail message that changes how Microsoft Internet Explorer reads Web addresses. You think you’re going to your bank or credit card company’s Web site by typing in its address or using a “favorites” link, but the script insidiously takes you to the scam site.

All this might make you want to toss your computer into the nearest toxic waste dump and go back to writing letters with a quill pen. But it’s easy to protect yourself.

First, never, repeat never, click on a link in an e-mail message that purports to take you to a Web site where you store personal financial information.

If you want to update your credit card, banking or similar information on the Web, go to your Web browser. Type in the Web site’s address yourself or use a Favorites or Bookmarks link that you previously created yourself.
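
For readers who screen mail for others, the same rule can be applied mechanically. The following is an added example, not part of the original column: it lists the links in an HTML e-mail body and flags any that lead somewhere other than a site you bookmarked yourself. The sample message, the host names and the two extra checks (visible text that names a different site, a bare IP address as destination) are assumptions that go beyond what the column describes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not a real phishing e-mail).
SAMPLE_HTML = """
<p>Your account is at risk. Change your password now:</p>
<a href="http://secure-login.example.net/update">www.examplebank.com</a>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://192.0.2.10/verify">Verify your account</a>
"""

# Assumption: hosts the reader has bookmarked themselves.
TRUSTED_HOSTS = {"www.examplebank.com"}

# Something that looks like a host name inside the visible link text.
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text] while inside an <a>
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def review_links(html, trusted=TRUSTED_HOSTS):
    """Return (visible text, real host, reasons) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        reasons = []
        if host not in trusted:
            reasons.append("destination is not a bookmarked site")
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            reasons.append("visible text names a different site")
        if re.fullmatch(r"[\d.]+", host):
            reasons.append("destination is a bare IP address")
        if reasons:
            findings.append((text.strip(), host, reasons))
    return findings
```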

Second, keep your antivirus and firewall software up-to-date (assuming you are already using these protections). Norton AntiVirus, for instance, automatically disables the Windows Scripting Host, which creates the vulnerability allowing nefarious scripts within e-mail messages to do their dirty work.

Don’t forget to keep Windows up-to-date as well with Microsoft’s security patches, if you’re using Windows.

Finally, consider additional software solutions. Browsers other than Microsoft Internet Explorer are less vulnerable, as are e-mail programs other than Microsoft Outlook or Microsoft Outlook Express.

The next version of the e-mail program Eudora Pro <www.eudora.com> will include anti-phishing protections. Opaque <www.privacyinc.com> creates virtual e-mail addresses, protecting your real e-mail address.

SpoofStick <www.corestreet.com/spoofstick> makes it easier to spot a fake Web site if you’re using Microsoft Internet Explorer or Mozilla Firefox.

Reid Goldsborough is a syndicated columnist and author of the book Straight Talk About the Information Superhighway. He can be reached at reidgold@netaxs.com or <www.netaxs.com/~reidgold/column>.



© Copyright 2005 by DiverseEducation.com