Something Phishy’s Going On
Ken Colburn of Data Doctors answers Janice, who writes:
“I keep getting e-mail messages telling me that I need to update information on a bank account that isn’t mine. I tried telling them that they had made a mistake, but I keep getting the messages. How do I get them to stop sending them to me?”
What you are experiencing is something called a ‘phishing’ scam that has been on the rise. A phishing scam is generally an attempt to get an unsuspecting user to ‘confirm’ personal information such as a bank account, credit card or social security number. The phishers send out millions of e-mails in the hopes that a few will ‘bite’ (thus the reference to fishing). It has been reported that as many as 5% of recipients respond to phishing attempts. (Do the math!)
The most common companies that are ‘spoofed’ in the current phishing scams include Amazon.com, Bank One, Citibank, EarthLink, eBay, Wells Fargo, and PayPal, but more will come. The most recent Wells Fargo lookalike phishing scam asks users to review recent policy changes, but requires the user to log in to their account to get to the message center. Once you have typed the username and access code, you have been had!
Any reply to the message to ask them to stop is completely futile, since the address that you are replying to is generally fake as well. The main reason that phishing scams are on the increase is a vulnerability that was discovered in Microsoft’s Internet Explorer browser that allows a malicious user to send an e-mail with a link that ‘spoofs’ a legitimate site. This means that a link that looks like it would take you to www.bankname.com would actually take you to www.HackerWebsite.com, but Internet Explorer would report to you that you were at www.bankname.com.
The site would replicate what the actual bank’s website looked like, complete with indicators that you were on a secure website (https:// and the little yellow lock on the bottom right corner) to entice you to give up your personal information. Anything that asks you to update or confirm your social security number (when was the last time your SSN changed?) or any other personal information, especially when it comes in the form of an e-mail, should instantly set off warning bells in your head.
E-mail has always been a fairly questionable source for information, but now it has become downright untrustworthy. Corporate logos, links to websites and references to government or corporate security agencies can all be ‘spoofed’ in an attempt to get you to give up some piece of personal information that can be used to victimize you.
Here are some tips on how to protect yourself from phishing scams:
First and foremost, make sure that you have updated Windows and Internet Explorer with the latest security patches by going here so spoofed Web site addresses cannot be displayed in your address bar.
Whenever a link in an e-mail message is suspicious, do not click on the link; manually type the link into your browser’s address bar so you can control where you actually go. If the site does not have any reference to the information contained in the e-mail, it was likely a phishing scam.
Finally, when in doubt, call or manually e-mail the company for clarification, but never respond to the message.
If you feel you have been a victim of a phishing scam, contact your financial institution immediately to get your account access code changed.
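The mismatch described above, where a link shows one address but opens another, can be checked mechanically before anyone clicks. The following is an added example, not part of the original article: it scans a constructed sample message (using the article's placeholder names www.bankname.com and www.HackerWebsite.com) and reports links whose visible address and real destination disagree; the function names are illustrative.

```javascript
// Added example, not from the original article.
// SAMPLE_EMAIL is constructed; the host names are the article's placeholders.
const SAMPLE_EMAIL = `
<p>Please review our recent policy changes:</p>
<a href="http://www.HackerWebsite.com/login">https://www.bankname.com/login</a>
<a href="https://www.bankname.com/help">www.bankname.com/help</a>
<a href="http://www.HackerWebsite.com/msg">Message Center</a>
`;

// Return the lower-cased host name of a URL-like string, or null when the
// text is not an address (for example the link text "Message Center").
function hostOf(text) {
  const t = text.trim();
  if (t === "" || /\s/.test(t)) return null;
  // Visible link text often omits the scheme, so supply one for parsing.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(t) ? t : "http://" + t;
  try {
    // The URL parser separates any "user@" prefix from the real host,
    // so text placed before an "@" cannot pose as the destination.
    const host = new URL(withScheme).hostname.toLowerCase();
    return host.includes(".") ? host : null;
  } catch {
    return null;
  }
}

// List every link whose visible text names a different host than its href.
function findMismatchedLinks(html) {
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const findings = [];
  for (const [, href, inner] of html.matchAll(anchor)) {
    const shown = hostOf(inner.replace(/<[^>]*>/g, "")); // drop nested tags
    const actual = hostOf(href);
    if (shown && actual && shown !== actual) {
      findings.push({ shown, actual, href });
    }
  }
  return findings;
}

for (const f of findMismatchedLinks(SAMPLE_EMAIL)) {
  console.log(`Link shows ${f.shown} but opens ${f.actual}`);
}
```

Links whose text is not an address, such as "Message Center", are skipped because there is no displayed host to compare; the destination of those links still has to be judged on its own.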
Back in December of last year, Gnomie Michael wrote in with another way of checking to see if a URL you’re visiting is legitimate. We thought we’d recap since it’s helpful in fighting against this sticky problem.
“I use MyIE2 as my browser and (the vulnerability) is already fixed, however, there is an easy way to check a Web page’s real address. Type:
javascript:alert("The real URL of this site is: " + location.protocol + "//" + location.hostname + "/");
in the address bar and click enter. The browser will show the real address of the Web site! This little script is not mine; I found it on the Net, so I don’t know who the author is. Maybe you can let the readers know.”
We certainly will, Michael! To take it a little further, why not bookmark it in your browser so you can conveniently check the sites you visit at any time? In IE, simply save a random page as a Favorite (any page will do), then open Organize Favorites and check the properties of the random page you just saved by right-clicking and selecting (take a deep breath) Properties. Change the properties so that the JavaScript code listed above fills the URL field, and then rename the favorite to something memorable, like CHECK URL. Now, whenever you access that favorite, it will tell you if the page currently displayed is actually the page it’s saying it is! Not bad, eh?
