Technofile: Al Fasoldt's reviews and commentaries, continuously available online since 1983
How to guard against 'phishing' scams on the Internet
April 24, 2005
By Al Fasoldt
Copyright © 2005, Al Fasoldt
Copyright © 2005, The Post-Standard
Credit-card thieves are phishing for your personal financial records. If you're not careful, you could be the next victim of one of the fastest spreading frauds in Internet history.
"Phishing" gets its name from the way criminals dangle bait -- often in the form of feigned warnings that your account information has been compromised -- to try to lure you onto fraudulent Web sites that look like legitimate sites. Once you're on these look-alike sites, phishers try to get you to enter personal data such as your passwords or credit card numbers.
Phishing attacks usually start with an e-mail message that says AOL, eBay, PayPal or some other widely used service has found an error with the user's account. A link in the e-mail message seems to direct the user's Web browser to a Web site with a convincing name, but the actual address might be different.
No one knows for sure how many victims have been snared so far in the year or two since phishing began, but cautious estimates put the number of phishing attempts in the billions. It's a huge problem.
Brightmail, a company that tracks spam and scam e-mail, says it logged 2.3 billion phishing messages worldwide in one month alone this year. As much as 5 percent of all e-mail is now believed to be phishing attempts, a 500 percent increase over the last six months, according to Brightmail's records.
"Identity theft is the single greatest type of consumer fraud," said Christopher Wray, an assistant attorney general at the Justice Department. "Phishing," he added, "is the identity theft du jour."
Phishing attempts sometimes succeed because most of us try to do the right thing. When we're told that something needs our attention, we're usually tempted to fix the problem right away.
Adding to the difficulty of spotting this kind of fraud is the way hyperlink code works on Web pages and in e-mail messages. A hyperlink can point to one location while actually leading to another address, totally different from the one that shows on the screen. The code that does this is extremely simple; phishers can write it into their e-mail messages without the need for special training.
But even that kind of subterfuge turns out to be unnecessary when phishers use a more brazen tactic. They sometimes create fraudulent Web sites with addresses slightly different from the addresses of real sites and hope no one will spot the differences.
For example, phishers might create a site with the address "www.aol.help.com" and make it look like the real site at www.help.aol.com. Once you're on the fake site, you're asked to type your logon name and password along with a credit card number.
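An added example (not part of the original column) of how a mail filter could check for the two tricks described above: link text that shows a different host than the link's real target, and a trusted name buried inside someone else's domain. The sample message, the function names and the trusted list are assumptions made for illustration, and the two-label domain rule is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message body, built for this example.
SAMPLE_HTML = """<p>We found an error with your account.</p>
<a href="http://www.aol.help.com/login">http://www.help.aol.com/</a>
<a href="http://www.help.aol.com/faq">Help pages</a>
<a href="http://192.0.2.7/update">www.paypal.com</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Host name if text looks like a URL or bare host, else None."""
    if " " in text or "." not in text:
        return None
    return urlsplit(text if "://" in text else "//" + text).hostname

def registrable(host):
    # Simplification: last two labels; real code needs the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def audit_links(html, trusted=("aol.com",)):
    """Return (real host, reasons) for each suspicious link."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown, reasons = host_of(href) or "", host_of(text), []
        if real and shown and shown != real:
            reasons.append("text-shows-other-host")
        for domain in trusted:
            if domain.split(".")[0] in real.split(".") and registrable(real) != domain:
                reasons.append("lookalike-of-" + domain)
        if reasons:
            findings.append((real, reasons))
    return findings
```

Run on the sample, the first link is flagged on both counts, the genuine help link passes, and the numeric address hidden behind a familiar name is flagged for the text mismatch.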
Usually, the credit card number is then sold, sometimes through gangs associated with organized crime, and the logon information is used to hijack your account so that it can be used to forward spam, spyware and zombieware. (Zombieware creates a "zombie" home PC that turns itself into a relay for spam, viruses and spyware during pre-dawn hours when everyone at home is likely to be asleep.)
Protecting yourself against phishing isn't hard, but you might need to change your habits -- and the habits of everyone else in the family who uses your home computer. Many of us habitually click on links that arrive in e-mail before thinking about what they represent. That's the habit you and all others in your household have to get rid of.
This might not be clear enough. Let me put it this way:
Never click on a link in an e-mail message unless you asked someone to send it to you. By "never," I mean "not ever, not even in your wildest dreams, not even if you are sure that PayPal or Citibank has sent you a special e-mail warning you of impending financial doom." (They never do that, in case you're wondering.)
By never clicking on a link you didn't ask for, you are almost guaranteed to be safe from all phishing expeditions. After all, you're not likely to ask a scammer to send you a fraudulent link.
Experts on scams often emphasize another measure you can take. They point out that you can use a safer Web browser, making it less likely that you'll fall for fake links. This is certainly helpful, but it can't replace your own diligence. Make that your first priority.
Microsoft's Internet Explorer will be toughened in the next year or so to help users spot phishing attempts, but many Internet Explorer users (a few million, at last count) have switched to a free alternative browser called Firefox. To locate a download site, type FIREFOX DOWNLOAD into an Internet search form.
Up-to-date virus protection can be a big help for Windows users. Successful phishing attacks leave telltale signs that antivirus software should be able to spot. Windows users have many antivirus programs to choose from; my recommendation is the free AVG antivirus software from http://free.grisoft.com.
Macs don't need virus protection, but they're just as vulnerable to phishing attempts. Mac users should update their Web browsers whenever possible.