One day, a few minutes after making a purchase on eBay, I got an e-mail thanking me for winning the auction and asking me to update my credit card info. I had just gotten a new card from my bank, and I realized that I hadn't updated it. It was very late in the evening. I clicked a link and got to a page that asked me for my eBay username and password as well as my address and some other info. Before I started to fill it in, I realized that eBay should already have all that info and I shouldn't have to enter it until after I logged in.
I quickly navigated away from the page and typed in the eBay address by hand. I logged in and found out that there was absolutely no trouble. I did need to update my card info, but it wasn't yet noted. I had almost fallen for a phishing scam. In fact, just clicking the link could have had worse consequences than it did. In light of that, here are a few of the biggest things to be aware of so that you don't fall for phishing scams.
Stay alert and be cautious with e-mail and on Web sites
Most successful scams rely on you, not on technology. While some technical vulnerabilities out there can help phishers along, no scam can work without your cooperation. This is a con game, not an example of masterful technical skills. If they can con you into thinking you're doing something legit, then the scam will work.
Don't get scared by the content of e-mail
If they really want to foreclose on you or close your account, you'll get a paper letter by snail mail. Be suspicious of any e-mail that contains urgent requests for personal financial information. Read it over several times. Think about it. Does this institution even have this e-mail address? Does it usually contact you by e-mail? Phishers try to get you excited or upset so that you won't think things through.
Don't give out information they should have
Phishers will ask for sensitive information that the real company would already have, such as usernames, passwords, credit card numbers, and so on. Phisher e-mail is generally not personalized, or, if it is, it uses only the name that appears in your e-mail address. Your real financial institution will most likely have your real name.
Never fill out forms in e-mail that ask for personal information. Give sensitive info only over a secure Web site or by telephone.
Never use links in e-mail to get to any page on the Web
Call the company directly, use a bookmark, or type the address manually into the address bar if, after careful consideration, you think the e-mail might possibly be legit. Phisher e-mail can make a link look like it's legit but still take you to a false Web site. Our security expert, Robert Vamosi, recommends right-clicking and going to View Source for HTML e-mail--usually you'll find that the link's real target (the href in the HTML) is a different address from the one shown as the link text. That Web site can also look exactly like the real thing, so look for awkward English or bad grammar as a tip-off. They can just steal the HTML code and images from your bank.
Phishers can make e-mail links do any of the following nasty tricks:
Take you to the legit site but sneak in a pop-up window from a phisher's site that asks for personal info.
Take you to a fake site that has a very similar URL to the real site.
Cover up the address window in your browser with an image that makes it look as if you're at the real site. If you can't click into the window, it's fake.
Make the link download a key-logger program that will record and report back every keystroke you make, including passwords and credit card numbers. You'll think nothing happened or that the link was broken.
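The View Source check above can be automated: the script below (an added example, not from the article or from CNET) parses an HTML e-mail body and flags every link whose visible text names one host while the href points somewhere else. The e-mail body and the `.example` phishing domain are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML e-mail body (not from the article).
SAMPLE_EMAIL = """<p>Your card is out of date. Update it at
<a href="http://ebay.com.update-account.example/login">https://www.ebay.com/update</a>.
Questions? <a href="https://www.ebay.com/help">Click here</a>
or visit <a href="https://signin.ebay.com">signin.ebay.com</a>.</p>"""

# First domain-looking token in visible link text, e.g. "www.ebay.com" in "https://www.ebay.com/update"
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def shown_host(text):
    """Host the reader *thinks* the link goes to, taken from the visible text ("" if none)."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else ""

def suspicious_links(html):
    """Return (href, text) pairs whose visible text names a different host than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = shown_host(text)
        real = (urlparse(href).hostname or "").lower()   # host the link actually points at
        # Allow the real target to be a subdomain of the displayed host (ebay.com -> www.ebay.com)
        if shown and real != shown and not real.endswith("." + shown):
            flagged.append((href, text))
    return flagged
```

Links whose text is just "Click here" carry no claim about their destination, so the check leaves them alone; those still deserve the bookmark-or-type-it-yourself treatment described above.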
Make sure the Web site you're on is truly secure
Usually, you can tell if you're on a secure server if the URL begins with https: instead of http: and if you see the locked padlock symbol in your browser. But phishers can get legitimate-looking certificates and fool people, as happened recently to a credit union in Utah. If you get a warning about a site's security certificate, read it. If the certificate isn't valid, don't go there. Don't rely entirely on the fact that a URL begins with https:.
EarthLink provides a free Web browser toolbar that helps protect you from phishing-related Web sites.
Check your hosts file
This is technically something called pharming, but for simplicity, we'll include it here. Opening attachments or clicking links can launch small programs that modify the hosts file. The hosts file is located in the directory Windows\System32\Drivers\etc. You can tell Windows to open the file with Notepad or WordPad. After the comments and examples, you'll see a line like this:
Unless you work in a corporate environment, you'll most likely not see anything else. No matter what environment you work in, you shouldn't see entries for PayPal or your bank's Web address there. Updated antivirus programs should protect you from programs that would modify the hosts file. You can also make it read-only by right-clicking the file, selecting Properties, and checking Read-Only; note that a program running with administrator rights can clear that flag again, so treat it as an extra hurdle, not a guarantee.
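Here is the hosts-file check as a script (an added example, not code from the article or from CNET): it parses the file, lists every entry that points somewhere other than the loopback address, and specifically flags entries that hijack a bank or payment domain. The tampered hosts file it ships with is constructed; the file path is the one the article gives, and the script falls back to the sample when that path does not exist.

```python
import ipaddress
from pathlib import Path

# Path the article gives for the Windows hosts file.
HOSTS_PATH = Path(r"C:\Windows\System32\Drivers\etc\hosts")

# Constructed sample of a tampered hosts file (not from the article).
SAMPLE_HOSTS = """\
# comments and examples at the top of the file are ignored
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.paypal.com   # injected: real PayPal does not live here
192.0.2.44      paypal.com
10.0.0.5        intranet.corp.example   # a legitimate corporate entry
"""

def parse_hosts(text):
    """Return (ip_address, hostname) pairs, skipping blanks, comments and unparsable lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address; ignore rather than crash on a malformed line
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries

def nonlocal_entries(text):
    """Every mapping to a non-loopback address; on a home machine this list should be empty."""
    return [(str(ip), name) for ip, name in parse_hosts(text) if not ip.is_loopback]

def hijacked_entries(text, watch_domains):
    """Non-loopback mappings for a watched domain or any of its subdomains (the pharming case)."""
    watch = [d.lower() for d in watch_domains]
    return [(ip, name) for ip, name in nonlocal_entries(text)
            if any(name == d or name.endswith("." + d) for d in watch)]

if __name__ == "__main__":
    text = HOSTS_PATH.read_text(errors="replace") if HOSTS_PATH.exists() else SAMPLE_HOSTS
    for ip, name in hijacked_entries(text, ["paypal.com", "ebay.com"]):
        print(f"WARNING: {name} is redirected to {ip}")
    for ip, name in nonlocal_entries(text):
        print(f"note: non-loopback entry {name} -> {ip}")
```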
Check your accounts regularly
Don't go more than a month without logging in to an online account to check activity. Pay attention if the account tells you when the last time you logged in was. Does it jibe with when you really did last log in? The more you check, the better. Check your statements from financial institutions, too. If you ever see suspicious activity, contact your bank and card issuers immediately. Clear your browser's cache or personal information after each bank session; cached pages can be used to reconstruct online sessions.
Keep your software secure
Keep your browsers and operating system up-to-date with the latest security patches. Windows XP can automatically patch your system, if you set it to. If you use Internet Explorer, you should download this patch immediately if you haven't already. Use antivirus and antispyware apps and firewalls and keep them current.
The Anti-Phishing Working Group recommends reporting phishing scams here:
Forward the e-mail to email@example.com.
Forward the e-mail to the Federal Trade Commission at firstname.lastname@example.org.
Forward the e-mail to the abuse-reporting e-mail address of the company that is being spoofed (such as email@example.com).
When forwarding spoofed messages, always include the entire original e-mail with its original header information intact.
Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on its Web site: www.ifccfbi.gov/.
Ever wondered how technology and the Web really work? CNET's Tom Merritt gives you the Real Deal on deals, steals, tips, and tricks.