Tips by Tony

An Educational Technology Blog

17 Dec, 2009

How to protect yourself from online scams

Online scams, known as “Phishing”, are a growing threat that could cost you money or worse – your identity. According to the Federal Trade Commission, information theft is the fastest growing crime in the United States. Here are some tips to help you stay safe online.

What is Phishing?

Mozilla defines phishing as follows:

Phishing is a form of identity theft that occurs when a malicious Web site impersonates a legitimate one in order to trick you into giving up sensitive information such as passwords, account details, social security number, or credit card numbers. Phishing attacks usually come from email messages that attempt to lure the recipient into updating their personal information on fake, but very real looking, Web sites. Phishing scams most often appear to come from companies such as banks, credit card companies, online payment services such as PayPal, or other popular sites such as eBay, Facebook, or MySpace.

Here’s an example of a phishing scam email:

Example of a fake PayPal email

Anatomy of a Phishing Email

According to NoPhishing.org, here are the typical steps involved in launching a phishing attack via email:

  • An email arrives in your inbox.
  • The email pretends to be from a legitimate organization, business or government agency.
  • The email will have a persuasive message designed to entice the recipient to respond.
  • The email will convey a sense of urgency.
  • The email will have a reassurance of security.
  • The email will have a link to a website, pop‐up or web‐based form.
  • Clicking on the link will lead to a bogus website where the Phishers are waiting to steal your information. You may be prompted to provide private information such as login credentials and/or account information, PIN, credit card information, etc. If you share this information, you are now officially a victim.

What to Look For in a Potentially Bogus Email

Although Phishers have become quite sophisticated, there are still some telltale signs common in most Phishing emails:

  • The email contains one or more spelling mistakes.
  • The email address in the From: line isn’t a real address.
  • The link to “verify” your account doesn’t point to the real website. (For example, in the PayPal email above, instead of going to www.paypal.com, it goes to an IP address. Sometimes the scammers will register a similar address, such as www.d.paypal.com, or www.paypal.com.fraud.com, etc., to make it appear legitimate.)
  • Many phishing emails will warn the user not to fall for phishing scams. (Ironic, isn’t it?)
  • Many phishing emails will contain a few real links, such as links to the real company’s actual privacy policy, etc.
  • Most phishing emails won’t use your actual name. They’ll refer to you as “valued customer” or something similar…or not include a greeting at all.
  • Most phishing emails will try to instill a sense of urgency. For example, tell you that you must log in or something bad will happen…perhaps your account has been compromised, or will be deleted, etc.
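
The link check from the list above can be automated. The following is an added example (it is not part of the original post): it pulls every link out of an HTML email and reports where each one really goes, compared with the domain the email claims to be from. The names `check_host`, `LinkCollector`, `audit_email` and the sample email are made up for this illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "paypal.com"  # assumption: the domain the email claims to be from

def check_host(url, trusted=TRUSTED):
    """Classify where a link really goes, relative to the trusted domain."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-address"   # a bare number instead of a name
    except ValueError:
        pass
    if host == trusted or host.endswith("." + trusted):
        return "ok"           # the host name ENDS with the trusted domain
    if trusted in host or trusted.split(".")[0] in host.split("."):
        return "lookalike"    # brand name is present but is not the ending
    return "other-site"

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> tag in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_email(html, trusted=TRUSTED):
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href, check_host(href, trusted)) for text, href in parser.links]

# Constructed sample email body; 192.0.2.10 is a documentation-only address.
SAMPLE = (
    '<p>Dear valued customer, verify your account at '
    '<a href="http://192.0.2.10/webscr">https://www.paypal.com/verify</a> or '
    '<a href="http://www.paypal.com.fraud.com/login">log in here</a>. '
    '<a href="https://www.paypal.com/privacy">Privacy Policy</a></p>'
)
```

Calling `audit_email(SAMPLE)` flags the first link as `ip-address` even though its visible text shows a PayPal address, the second as `lookalike`, and only the privacy policy link as `ok`.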

Phishing Websites

If a phishing email is successful in getting you to click a link, you’ll be taken to a bogus website made to look as much like the real website as possible. It’s here where they’ll ask you to log in and/or enter information to “verify” your identity. Once you enter that information, their scam is complete. They now have (at least) your login information, and possibly much more such as your social security number, ATM PIN number, etc.

A fake/spoofed PayPal website

The example above is made to look just like the real PayPal website. If you enter your account information, the scammers will now be able to log in to your PayPal account, where they can transfer funds, get banking information, etc.

What if you suspect a bogus website?

Most modern browsers such as Firefox, Safari, Google Chrome, and even the latest version of Internet Explorer have built‐in Phishing Protection, but sometimes very new fake sites will slip through the cracks. If you think you may have stumbled upon a fake site, try logging in with a FAKE PASSWORD. If the site appears to “log” you in after you’ve entered a fake password, then you KNOW it’s fake.

Firefox's Phishing Protection in action

You can test this yourself by pointing your browser at the following address: http://www.mozilla.com/firefox/its-a-trap.html

If you’re brave, you can try out the Phishing protection on some real websites. You can find a list of recently submitted phishing sites here: http://www.phishtank.com/

Additional help and information

Lifehacker.com has an excellent article with additional tips to help keep you safe, including such gems as “Ignore Web Site Popups Saying You Have a Virus”.

If you’re still unclear about Phishing, you can watch the short video here: http://www.commoncraft.com/phishing

Bottom Line

REMEMBER: No legitimate business or government agency will ever ask for personal information via email or phone unless you initiate the contact.

If you receive such a request, DON’T RESPOND.
