You need a "phishing detector."
Al Fasoldt's reviews and commentaries, continuously available online since 1983


A phish story that can bite you

By Al Fasoldt
Copyright © 2010, Al Fasoldt
Copyright © 2010, The Post-Standard

   You've got your antivirus software, your spyware zapper, your worm catcher, your malware blocker and your break-in detector. You're as safe as you can be on the Internet.
   Not so right. You also need a detector of a different kind. You need something that can grab your hand and keep it from clicking on social engineering malware.
   That's the $20 term. The buck-fifty way of saying it? You need a "phishing detector." You need to keep your mitts off links that masquerade as legitimate Web sites in an attempt to steal your name and password.
   Phishing e-mails can even force you to give away your crown jewels -- your credit card numbers and bank account information -- by relying on the oldest trick in the malware book: They look legit, and they figure (rightly so, in many cases) that you'll always trust something that looks like the real thing.
   Phishers -- groups of organized crime hackers based mostly in former Soviet bloc countries and, increasingly, in China -- represent a huge threat to corporate computer security. By coaxing you to willingly part with your company logon name and password, phishers can then sell this valuable data (in lists of tens of thousands of names and passwords) to cyber-criminals who specialize in stealing competitive company data from within.
   Antivirus software can't do a thing to block phishing attempts, nor can the best spyware blockers or break-in detectors. Because phishing e-mails rely on your good nature -- you wouldn't do a dastardly thing like stealing private data, so you're not adept at spotting it when someone else tries it -- they are guaranteed to work as long as you are so trusting.
   Hold everything. Aren't there ways to block phishing attempts?
   Sometimes. If the links in an e-mail claim to be one thing but actually point to something else, your e-mail software, if it's new enough (hint: Stop using Outlook Express), might flag a message as a phishing attempt. Web browsers, if they're new enough (hint: stop using Internet Explorer 6 and 7), might do the same thing with phony-seeming Web addresses.
   But I have no confidence this will stop phishing attempts. There are ways to hide anything in the code used for links, and the bad guys will keep finding new approaches.
   The only effective way to combat phishing is to fight it where it lives -- right at the interface of your brain and your mouse. Retrain your instincts. Don't ever assume that your bank, your ISP, your company or your broker will ever send you an e-mail telling you to log onto your account to make changes. Listen up: This just plain never happens. Businesses don't work that way.
   If you DO get an e-mail that seems suspicious, stop thinking that it SEEMS suspicious. It IS suspicious. Trash it. Don't click any links in mail that's fishy. It's almost certainly going to be phishy.
   (For more help avoiding phishing, go to the U.S. FTC site www.onguardonline.gov/topics/phishing.aspx.)