Don’t shake your head at the title like that. I haven’t forgotten how to spell, nor is my spell checker having a bad day. And I am certainly not suggesting that I am now a world class chef.
The “phish” is not the water-living animal, nor is it the rock band “Phish.” The phish is you, and odds are you have been the target of at least one “phishing” attempt. (The word “phishing” was coined by taking “fishing” and applying hacker-style spelling, e.g. “phreaking.”) If you were caught, odds are you were fried.
Phishing refers to a specific sort of attack where criminals send out spam with forged headers (spoofed e-mails) to draw gullible people to fake Web sites where they enter sensitive information such as account numbers, user IDs and passwords. These data are then used for direct financial fraud or wider identity theft.
By hijacking the trusted brands of well-known banks, online retailers, and credit card companies, phishers are able to convince up to 5% of recipients to respond to them. Phishing is on the rise, with the number of unique phish attacks doubling over the past summer.
Anatomy of a Phishing Spam
Let’s take a look at a typical phishing message that came to my Yahoo account. This one isn’t as elegant as some others I received and deleted, so bear with me.
Let’s take apart this message and see why it’s bogus:
Dear Citibank Member,
[Warning Sign #1 - This is a completely generic greeting. A company like Citibank would address me by name. And on top of it I don’t have an account. This doesn’t bother the criminals of course—they know non-account holders will simply delete the e-mail and it costs them nothing.]
This email was sent by the Citibank server to verify your email address.
[Flag #2 - Incorrect spelling and usage of “email.” While most of us may be sloppy in how we use it in our day-to-day e-mails, you can rest assured that a mass mailing from a multinational bank would have spelled it as “e-mail”—the correct usage.]
[Flag #3 - Why would Citibank tell me the message was sent by its server and not by its customer care or security department? Very strange.]
You must complete this process by clicking on the link below and entering in the small window your Citibank ATM-Debit Card number and PIN that you use on ATM.
[Multiple Flags - Syntax errors: entering what in the small window? Logic flaws: how does this help verify my e-mail address? (Which is obviously working, or the mail would have bounced.) Grammar error: ‘you use on ATM’ is improper English. You should always look for peculiar wording and bad spelling and grammar. Admittedly, authentic messages may have these sorts of problems, but it’s rarer than in spam - especially spam written by non-native speakers of English. Truth is, a large portion of phishing spam is international in origin.]
This is done for your protection - because some of our members no longer have access to their email address and we must verify it.
To verify your email address and access your bank account, click on the link below:
[More Flags. Obviously this makes no sense. If members no longer have access to their e-mail, and if this was sent to that same e-mail, how can they be verifying it? Why would you want to access your bank account to verify your e-mail account?]
http://www.ýcþiýtibank.cþom/?vsgdDmUKkuXHwiUFUPsre2g55l46v0k11YKYWqrZ6lpeFuf3SaDU6u9wq
[Big Warning Flag: I right-clicked the link and selected Properties. (NEVER click on a URL from a strange or suspicious source without knowing exactly what it is - and its appearance is no guarantee of where it takes you.)]
Here is the actual URL where the fake link went:
http://www.google.com/url?q=http://www.google.com/url?q=http://
www.google.com/url?q=%%348Tt%%350%%33a/%2Fbvkiy39fe.com*
20836%%32E%%364A.%%352%%355%2f%%33F9v37c2av7z48 2kqVw7EM2Hew3k2v3k
As I suspected, the URL in the visible version of the message was just camouflage. Google is a legitimate website, but the phishing spam was exploiting a since-closed flaw in Google’s security and sending me to a bogus site far, far away. In either event it clearly isn’t a Citibank site, and if I had followed the instructions I would have gotten burned and likely lost a lot of money, if not been involved in a more extreme case of identity theft.
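The camouflage above works by stacking open-redirect hops and percent-encoding the real destination so that the link looks like it goes to Google. The Python script below is an added example, not part of the original article or of any vendor tool: it peels the nested redirector parameters and repeated percent-encoding off a link to find the host it finally lands on, then compares that with the host named in the visible link text. The sample URLs, the destination name fake-citibank-verify.example and the list of redirector parameter names are constructed assumptions, not values taken from the page; only the Python standard library is used.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameter names that redirector endpoints use to carry the target.
# The article's sample abuses Google's "/url?q=" endpoint; "url" and "u" are
# assumed additions for other redirectors, not taken from the page.
REDIRECT_PARAMS = ("q", "url", "u")

# Constructed sample, modelled on the page's camouflaged link: two Google
# redirect hops, the innermost target double percent-encoded. The destination
# name is a placeholder, not a real phishing host.
SAMPLE_HREF = (
    "http://www.google.com/url?q=http://www.google.com/url?q="
    "http%253A%252F%252Ffake-citibank-verify.example%252Fverify%253Fid%253D1"
)
# What the reader sees as the link text (constructed to match the page's bait).
SAMPLE_VISIBLE_TEXT = "http://www.citibank.com"


def fully_unquote(value, limit=5):
    """Undo percent-encoding until the string stops changing (bounded)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def unwrap_redirects(url, max_hops=10):
    """Return the chain of URLs reached by following redirector parameters.

    Each hop looks for a parameter in REDIRECT_PARAMS whose decoded value is
    itself an absolute URL; the chain ends when no such parameter is found.
    """
    chain = [url]
    for _ in range(max_hops):
        params = parse_qs(urlsplit(chain[-1]).query)   # parse_qs decodes once
        target = None
        for name in REDIRECT_PARAMS:
            if name in params:
                candidate = fully_unquote(params[name][0])
                if "://" in candidate:               # a URL, not a search term
                    target = candidate
                    break
        if target is None or target in chain:        # done, or a redirect loop
            break
        chain.append(target)
    return chain


def final_host(url):
    """Hostname of the innermost destination, lower-cased, or None."""
    host = urlsplit(unwrap_redirects(url)[-1]).hostname
    return host.lower() if host else None


def visible_host(text):
    """Hostname named by the link text a reader sees (scheme optional)."""
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host.lower() if host else None


def link_mismatch(visible_text, href):
    """True when the shown host and the real destination host differ."""
    return visible_host(visible_text) != final_host(href)


if __name__ == "__main__":
    for hop in unwrap_redirects(SAMPLE_HREF):
        print("hop:", hop)
    print("visible host:", visible_host(SAMPLE_VISIBLE_TEXT))
    print("real host:   ", final_host(SAMPLE_HREF))
    print("mismatch:    ", link_mismatch(SAMPLE_VISIBLE_TEXT, SAMPLE_HREF))
```

Run it on the href behind a suspicious link (the value you see in the link’s Properties dialog), not on the text displayed in the message; a mismatch between the two hosts is exactly the camouflage the article describes. Note that an https:// prefix on the final URL only tells you the connection is encrypted, not that the host belongs to the bank.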
If you’d like to test your phishing spam detection skills, I encourage you to visit Mail Frontier’s Phishing IQ Test at http://survey.mailfrontier.com/survey/quiztest.html. It only takes a few minutes and will give you an idea of how well-developed your detection skills are.
Avoid Getting Hooked
So that’s the anatomy of a piece of phishing spam. I find them personally irritating because a great deal of industry effort has gone into making on-line banking, shopping and financial transactions secure. Phishing spam, in addition to being fraudulent, undermines confidence in this, thus reducing the effectiveness of this benefit.
To avoid getting hooked, filleted and burned, we have to go back to the basics. As I’ve said in previous articles on computer security, the first line of defense is you. [People - The Key to Anti-Virus Defenses]. While following the recommendations below won’t guarantee safety, they will certainly prevent you from joining the elite 5% of those who have fallen for the scam.
- Be suspicious of any e-mail with urgent requests for personal financial information. Phishers love to try and scare you into reacting without thinking.
- Don’t use the links in an e-mail to get to any web page. If you suspect the message might not be authentic, call the company on the telephone, or log onto the website directly by typing the Web address into your browser (the links might be bogus, which is why you should not cut and paste them either).
- Never fill out forms in e-mail messages that ask for personal financial information.
- You should only communicate numbers such as credit card numbers or account information by telephone or through a secure website. (To make sure you’re on a secure Web server, check the beginning of the Web address in your browser’s address bar - it should be “https://” rather than just “http://”.)
- Consider installing a Web browser toolbar to help protect you from known phishing fraud websites. EarthLink ScamBlocker is part of a free browser toolbar that alerts you before you visit a page that’s on EarthLink’s list of known fraudulent phisher Web sites. It’s free to all Internet users. Download at: http://www.earthlink.net/earthlinktoolbar
- Regularly log into your online accounts; don’t leave them for as long as a month without checking each.
- Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers.
- Ensure that your browser is up-to-date and, in particular, that security patches are applied. People who use the Microsoft Internet Explorer browser should immediately go to the Microsoft Security home page (http://www.microsoft.com/security/) to download a special patch relating to certain phishing schemes.
- Use anti-virus software and keep it up to date. Some phishing e-mails contain software that can harm your computer or track your activities on the Internet without your knowledge. Others install programs called “key loggers” on your computer. These programs capture and send to the phisher any information that you type, including credit card numbers, usernames and passwords, Social Security Numbers, etc.
- Install a firewall (see Firewalls and You). It’s especially important to run a firewall if you have a broadband connection.
Following this advice won’t guarantee you safety. But to be a safe consumer you have to take a proactive role in your own defense and think smart.
Hooked and Regretting It
What if you’ve already been hooked? Or realize that you might have been hooked? If you have been tricked, don’t try to imagine it will go away. Assume you will become a victim of credit card fraud, bank fraud, or identity theft. The following steps should help get you through the worst of it. (Note that some procedures will differ from country to country. Make sure you understand your local laws.)
If you have given out your credit, debit or ATM card information:
- Report the theft of this information to the card issuer as quickly as possible.
- Many companies have toll-free numbers and 24-hour service to deal with such emergencies.
- Cancel your account and open a new one.
- Review your billing statements carefully after the loss. If they show any unauthorized charges, it’s best to send a letter to the card issuer describing each questionable charge.
If you have given out your bank account information:
If you have given out your eBay account:
- Contact eBay. They have a link for Hijacked Accounts.
- If someone is currently listing auctions on your account, you may also use the hotline options: Member Problems... Law Enforcement... Please Investigate a Current Listing for Possible Fraudulent Activity.
- Attempt to sign in and change your password.
- If you are able to, you should sign in, change your password and hint immediately, and begin to undo any damage done by the hackers, such as removing any bogus auctions, contacting bidders and sellers, etc.
- If you were unable to regain control of your own account, eBay will likely suspend it for a while until they complete their investigation.
If you have given out your personal identification information:
Identity theft occurs when someone uses your personal information, such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. If you have given out this kind of information to a phisher, you should do the following:
- Report the theft to the three major credit reporting agencies, Experian, Equifax and TransUnion Corporation, and do the following:
  - Request that they place a fraud alert and a victim’s statement in your file.
  - Request a FREE copy of your credit report to check whether any accounts were opened without your consent.
  - Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
- Notify your bank(s) and ask them to flag your account and contact you regarding any unusual activity.
- If bank accounts were set up without your consent, close them.
- If your ATM card was stolen, get a new card, account number, and PIN.
- Contact your local police department to file a criminal report.
- Notify the Department of Motor Vehicles of your identity theft. You may need to contact other government agencies as well.
- Check to see whether an unauthorized license number has been issued in your name.
- Notify the passport office to be on the watch for anyone ordering a passport in your name.
- Document the names and phone numbers of everyone you speak to regarding the incident. Follow up your phone calls with letters. Keep copies of all correspondence.
*
David W. Tschanz is a Microsoft certified systems engineer, web developer and writer of computer-related articles. He is also a medical/military historian, an epidemiologist, an editor and a demographer. You may contact him by sending your emails to: Desertwriter1121@yahoo.com.