I first wrote about the dangers of phishing scams in the early 2000s. I posted some tips on my old freelance company’s website, back in the pre-blog days. While I don’t have the original post anymore, the good news is the same tactics that I suggested then are still helpful today. And the even better news is there are a few new tools that can help you avoid falling prey to scammers.
Phishing scams are attempts by criminals to obtain personal information from you. It first started in the late 90s when spammers needed to find legitimate e-mail addresses to use for their bulk mailings. Legitimate addresses were less likely to get caught in anti-spam filters, which were becoming commonplace at the Internet Service Provider (ISP) level.
The typical phishing scam we see today is an official (or not so official) looking message that claims to be your ISP’s support department. The message demands you respond with your username, password, and possibly other details, lest your account be deactivated. Some of these messages are easy to spot as forgeries. For example, I received the following message the other day on my UGA e-mail account:
Reply-To: <email@example.com>
From: "Email Security Maintenance." <firstname.lastname@example.org>
Subject: Security Maintenance.F-Secure � HTK4S
Dear Email Subscriber,
Your e-mail account needs to be improved with our new F-Secure � HTK4S anti-virus/anti-spam 2010-version.
Fill in the columns below or your account will be temporarily excluded from our services.
Please note that your password is encrypted with 1024-bit RSA keys for increased security.
Copyright 2009. All Rights Reserved.
There are several big red flags in this e-mail. The first is that the message claims to be from F-Secure. While F-Secure is the campus anti-virus product, I wouldn’t expect to ever see an e-mail from them as an end user. But stranger things have happened, so moving on, the next thing you’ll notice is that the “Reply-To” address is different from the “From” address, and is neither an F-Secure nor a UGA e-mail address. That means the e-mail was designed to look like it came from someone official, but replies are automatically directed to someone not official.
Next, you’ll notice the message is addressed to “subscriber”, and is generally poorly written. With 50,000+ e-mail users at UGA, if there’s going to be a big announcement, you can expect it to be very well polished. It is higher ed, after all. Additionally, I’m not a “subscriber” of e-mail at UGA. I’m a member of the staff, faculty or student body.
The dead giveaway in this message, though, is the request for the password. No ISP will ever need you to give your login password to them. Period. They can always reset it if they need to, over the phone, after verifying your identity. But ISPs have no legitimate reason for you to divulge your password. Any e-mail that requests you send your password to someone else is 100% guaranteed to be a scam.
Some messages aren’t so obvious, though. In my first experience with phishing scams, I received an official-looking e-mail from MindSpring (they were an awesome ISP from the late 90s). They wanted some updated info on my account, and having recently changed addresses, I figured it was legitimate. I started filling out the form on their site, which looked exactly like it was supposed to. That is, until I reached a question asking for my ATM PIN. A moment of shock came over me as I realized I was on the last question and had divulged a great deal of information in this form I was just about to submit to a scammer. An ATM PIN is even more important than a password, and should never be divulged to anyone, ever. Thankfully this scammer asked just a little too much, and I was able to avoid serious headaches.
These days, I never would’ve started filling out the form. Not because I’m better at spotting scams, but because modern browsers now alert you when you’re visiting suspect sites. Microsoft’s Internet Explorer, Mozilla Firefox, and Google Chrome all have phishing detection mechanisms built in. They are programmed to pop up an alert if something seems amiss. A word of caution, though – they aren’t 100% foolproof. They’re a good tool, but if you blindly click every link in every e-mail, it’s bound to let something through.
While there are long lists of tips on how to identify phishing scams, I’ve found one sure-fire way to ensure an e-mail is legitimate: call the sender. If you receive a message that asks you to change your password, call your ISP. They can tell you whether or not it’s a legitimate request. Identity theft can take years to recover from, costing tens of thousands of dollars. A 5-minute phone call is an ounce of prevention to hundreds of pounds of cure.
But if you must follow up on an e-mail via the web, don’t ever follow links from e-mail messages. Always type in the address of the web site by hand. Links can be obfuscated to appear as though you’re going to “bankofamerica.com”, and instead redirect you to “scammershomepage.cn/stealing-your-data”. Any company big enough to handle online logins is also big enough to splash an alert across your screen if they need something from you.
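Both of the mechanical red flags described above, a Reply-To address whose domain differs from the From address, and a link whose visible text names one site while its href points at another, can be checked automatically before a message ever reaches a person. The following script is an added example, not code from the original post, that does exactly those two checks on a raw e-mail using only the Python standard library. The sample message, and every address and domain in it (`isp.example`, `attacker.example`, `scammershomepage.example`), is constructed for this example and modelled on the message quoted earlier; none of it refers to a real sender or site.

```python
"""Added example: flag two phishing red flags in a raw e-mail message.

1. Reply-To domain differs from the From domain (replies go elsewhere).
2. An HTML link's visible text names a host that is not the host the
   href actually points at (an obfuscated link).

The sample message below is constructed for this example; the addresses
and domains are placeholders, not real senders or sites.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the message quoted in the post.
SAMPLE_EMAIL = b"""\
From: "Email Security Maintenance." <support@isp.example>
Reply-To: collector@attacker.example
Subject: Security Maintenance
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Email Subscriber,</p>
<p>Fill in your details at
<a href="http://scammershomepage.example/stealing-your-data">https://bankofamerica.com/login</a>
or your account will be excluded.</p>
</body></html>
"""


def address_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """True when a Reply-To header is present and its domain differs from From's."""
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    return bool(reply_domain) and reply_domain != from_domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Host named by a URL or bare domain, or '' if the text is not one."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host.lower() if "." in host and " " not in text else ""


def deceptive_links(html):
    """Return (shown host, actual host) for links whose text names another host."""
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        shown = _host_of(text)
        actual = _host_of(href or "")
        if shown and actual and shown != actual:
            found.append((shown, actual))
    return found


def analyse(raw_bytes):
    """Run both checks on one raw RFC 5322 message and report the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    for flag, value in analyse(SAMPLE_EMAIL).items():
        print(f"{flag}: {value}")
```

Run as a script, it reports a Reply-To mismatch and one deceptive link for the constructed sample. Link text that is not a URL or domain at all ("Click here") is deliberately not flagged, since there is nothing to compare; that is a limitation to keep in mind, and the reason the post's advice to type addresses by hand still applies even when a checker like this finds nothing.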
- Never divulge your password or ATM PIN, ever.
- Use the latest version of an internet browser with built-in phishing detection.
- Never follow links in e-mails to login pages; type in URLs by hand instead.
- Look for spelling and grammar errors, and anything that looks less than professional.
- Check the sender and reply e-mail addresses.
- If in doubt, call the sender.