In the May 2005 installment of “Technology Talk” (See
Page 15), John Anderson wrote about some of the ways in which hackers obtain
your identity – namely, “pharming” and “phishing”.
This month, I am going to go into a little more detail about the dangers posed
by phishing in light of the serious increase in the incidents of identity theft.
According to the free, online Web encyclopedia Wikipedia,
“phishing (also known as carding and spoofing) is the act of attempting
to fraudulently acquire sensitive information, such as passwords and credit
card details, by masquerading as a trustworthy person or business with a real
need for such information in a seemingly official electronic notification or
message (most often an e-mail, or an instant message). The term phishing comes
from the fact that Internet scammers are using increasingly sophisticated lures
as they ‘fish’ for users’ financial information and password
Generally you will receive an e-mail message from your bank,
your ISP, eBay, Amazon, PayPal or some other large institution with whom you
may have done business. The e-mail looks amazingly legitimate. The message
usually indicates that there is some sort of problem and that they need some
confidential information in order to fix it. Very often there will also be
a link to what appears to be a very legitimate website.
To see how difficult it is to distinguish some of these phishing
sites from real sites, MailFrontier has a quiz that you can take to see if
you can determine which sites are real and which are not (http://survey.mailfrontier.com/survey/quiztest.html).
I highly recommend that you, everyone in your office and your family take this
test; you will be stunned by how easily you can be fooled.
Phishing scams are no different in theory from the phone
scams in which callers pretended to be your bank and tricked people into giving
out their bank account numbers. Most legitimate institutions will not contact
you via e-mail and ask for confidential information. If you or anyone in your
office or family gets a message like this, you can file a complaint with the
Federal Trade Commission (FTC) at www.ftc.com.
In addition, you can get information on what to do if you
have given out or think you may have given out any confidential information
by visiting the Anti-Phishing Working Group online (www.antiphishing.org/consumer_recs2.html).
In “How Not to Get Hooked by a Phishing Scam” (www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm),
the FTC offers the following recommendations on how to avoid being a victim:
1. If you get an e-mail or pop-up message that asks for
personal or financial information, do not reply (and don’t click on
the link in the message, either).
2. Use anti-virus software and a firewall, and keep them
up to date.
3. Don’t e-mail personal or financial information.
If you are going to send confidential information over the Internet, make
sure it is a secure site. By this time you should all know how to determine
if a site is secure. It will have a “whole key” or lock in the
corner of the site on the status bar (as opposed to a “broken key”),
or it will have “https” in the URL (the “s” stands
4. Review credit card and bank account statements as soon
as you receive them. I now write down every purchase I make each month on
my credit card and I compare it to what is on my statement. I also save all
receipts in a separate file folder. (Just as an aside, this exercise of writing
down all my credit card purchases and keeping that information with me has
actually caused me to use my credit card less, thus saving me from buying “stuff” I
really do not need – I have actually saved money by writing it down!)
5. Be cautious about opening any attachment or downloading
any files from e-mails. If you were not expecting an attachment from someone,
contact that person to make certain that it is legitimate.
6. Forward spam that is phishing for information to email@example.com
as well as to the company, bank or organization impersonated in the phishing
e-mail. Most organizations have information on their websites about where
to report problems (this is important if you want to try to slow down some
of these criminals).
7. If you think you have been the victim of a phishing
expedition, file a complaint with the FTC. You should also consider getting
a copy of your credit report to make certain no one is opening credit cards
in your name; visit www.annualcreditreport.com to
obtain a copy of your report. Unfortunately, the free credit reports will
not be available in Maryland until September 2005, but the cost for ordering
them is very low and it is something you should consider. For more information
on identity theft, visit www.consumer.gov/idtheft/.
Although many of these scams are very slick, “A Memo
on Phishing” (www.geocities.com/phishingmemo/)
suggests some things to look for to determine if the e-mail in question is
a phishing scam:
It says it is not a scam.
It requires immediate action.
It asks for sensitive information (such as account
numbers or financial information).
It will usually direct you to a site or form to put
in this confidential information. This site will look legitimate.
The site/message will contain typographical or grammatical
The message will be impersonal (most legitimate institutions
have your information and will personalize messages to you)
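
The indicators in the list above can be checked mechanically as a first-pass triage of a reported message. The following Python code is an added example, not part of the original article or the memo it cites; both sample messages are constructed, the keyword patterns are assumptions chosen for illustration, and the typographical-error indicator is not covered.

```python
import re
from email import message_from_string

# Constructed sample messages (not real e-mail); addresses and URL are placeholders.
SUSPECT = """\
From: "Example Bank" <service@bank.example>
Subject: Urgent: verify your account
Content-Type: text/plain

Dear Customer,

This is not a scam. Your account will be suspended within 24 hours
unless you act immediately. Please confirm your account number and
password at http://bank.example.invalid/verify
"""

BENIGN = """\
From: "Example Bank" <service@bank.example>
Subject: Your May statement

Dear Ms. Smith,

Your May statement is ready. Sign in the way you normally do to view it.
"""

# One pattern per indicator from the list above; the keywords are assumptions.
INDICATORS = {
    "says it is not a scam": r"\bnot a (scam|hoax|fraud)\b",
    "requires immediate action": r"\b(immediately|urgent|within \d+ hours?|suspended)\b",
    "asks for sensitive information": r"\b(password|account number|pin|social security|credit card)\b",
    "directs you to a site or form": r"https?://\S+",
    "impersonal greeting": r"^dear (customer|user|member|client|account holder)\b",
}

def body_text(msg):
    """Collect every text/plain part, decoding transfer encodings and charsets."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the names of the listed indicators found in the subject or body."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    return [name for name, pattern in INDICATORS.items()
            if re.search(pattern, text, re.IGNORECASE | re.MULTILINE)]
```

A message that matches several indicators deserves a closer look; a message that matches none is not thereby proven legitimate.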
For every new technology or invention, there will be people
who will try to exploit it. Criminals and scam artists have been around since
the beginning of time; only the tools have changed. Just remember everything
your mother told you: Be careful. If it doesn’t seem right, it probably
isn’t. And eat your vegetables.