“For Your Immediate Attention! Don’t Lose Your Account! Update Immediately!”
Bob opened the email and was confronted by the logo of one of his major credit card companies. He had been carrying the card for some time, and had used it for a lot of online purchases.
Understandably he was concerned with the message under the logo: “Due to online identity theft, we need to verify that the information in your account is accurate, or we will be required by the FTC to suspend it”.
Below was an itemized list of the information he was required to verify: his old account number, name, address, telephone number, social security number, and mother’s maiden name. The also wanted him to change the password to his account.
Panicked, Bob hit the reply button and started filling in the information. He didn’t want to lose that account. He had set up several online accounts using that credit card number, and used it to buy and sell in online auctions…
THE “PHISHERMEN” AND THEIR HOOKS
“Phishing” is a technique used by identity thieves to stampede people into giving out their credit information online. The scam has been around for awhile, and, unlike Bob, most people are aware that they should never:
• Be intimidated by a message found in an “authentic looking” email
• Reply by giving vital information to the “phishers”
• Open up any links contained within the email, which can download “criminalware” onto their computer.
We all know these facts intellectually, but when confronted by an intimidating message, many of us react emotionally, not rationally. Maybe I’m more easily intimidated than most, but I’ve found myself opening an email and feeling compelled to fill out the information the message demands.
I have to confess an incident that occurred when I almost did that very thing. In my own defense, however, I have to say that it happened before I’d ever heard the term “phishing”. Fortunately I became suspicious before hitting the “Send” button.
But I almost did it. I almost sent it off and thereby hanged myself.
THE LAKE IS GETTING CROWDED
Although the public is becoming savvier to this scam, the “phishermen” must be experiencing success because the Anti-Phishing Working Group, http://www.antiphishing.org/ reports that phishing incidents are on the upswing.
They list 28,571 consumer reported incidents in June 2006, almost double the reported numbers in June 2005.
More suckers are being “phished” than ever before, and as every honest fisherman knows, there is no bag limit on suckers.
HOW TO IDENTIFY LEGITIMATE EMAILS
Of course, the best thing to do when asked for vital information by someone purporting to be a legitimate credit card company or other institution is to call the company on the telephone and ask if the email in question does indeed come from them. Then, if it has, go to that site to change your information.
But there are a couple of “quickie” things you can look for in the email itself, which you should do if you are alarmed by the message and tempted to jump.
1. Check the “From” Address to see if the address is correct. It should come from a top level domain, i.e. ebay.com, not a sub domain such as ebay.security.com. A sub level domain can be obtained on line for free, and is not something a legitimate company would do.
2. Make Sure the “digital signature” is valid.
KNOW YOUR DIGITAL SIGNATURE
I don’t know if you’re like me, but my eyes glaze over when somebody mentions the words “digital signature”.
Basically, it’s just an electronic means of verifying that the email you received:
• Has originated from the source it claims to come from
• Hasn’t been intercepted and repackaged on the way.
An email that is “digitally signed” has a little red icon down in the lower left hand corner in the ‘To…From” box.
Click on that icon and you can find information about the sender. Be sure your email client is “S/MIME” compliant. “S/MIME” compliancy is supported by over 350 million email clients, including Microsoft Outlook, Lotus, Novel, Netscape and MacMail.
As noted on the antiphishing site, this is unspoofable for two reasons:
• It is strongly encrypted.
• It is generated when you open the email, not at the source
The email client has validated four things on receiving this email:
1. The email address in the “From” field matches the one in the digital certificate.
2. The certificate was issued by a trusted authority.
3. The message wasn’t tampered with in transit.
4. The certificate itself has not expired.
To put it simply, the certificate makes sure the email has indeed come from who it says it has come from, and hasn’t been tampered along the way.
To see what the certificate looks like, check out:
http://www.antiphishing.org/smim-dig-sig.htm
THREE WAYS TO PROTECT YOURSELF.
There are three good ways you can protect yourself from “phishermen.”
1. Call the company they supposedly represent. Don’t respond to alarming statements demanding personal information online.
2. Don’t open any links in the email. They can download “criminal ware” that can start gathering vital information off your computer.
3. Don’t open suspicious emails unless you have an “S/MIME” compliant email client and can view and open that digital icon.
LOOKING FOR SUCKERS
The phishermen are out there and still looking for suckers. Based on the rise in reported incidents they are still finding them. Armed with a little knowledge and a healthy awareness, you won’t end up in their “game bag”.
You definitely don’t want that…because the next stop is the frying pan.
Copyright 2006 John Young
