Phishing
Even if you don’t frequent job, dating, social networking, or online classified sites, scammers can still take advantage of you. The only difference is that they have a bit more difficulty finding you beforehand. And that’s why they stick their bait in the water and hope for a few nibbles. It’s called “phishing.”
As we go to press, phishing is once again in the headlines, big time. Seems that Mac users, who for so long generally felt unfazed and untouched by the malicious evils of the virtual world, are just coming to grips with the fact their Apples aren’t immune. Though writers of viruses and the like do tend to focus on the dominant yet comparatively vulnerable world of PCs, phishing attacks circumnavigate many barricades, Mac-based or not. And, according to tech mega-firms such as IBM, Microsoft, and McAfee, they’re currently propagating in both environments. One report says phishing was up 200% in the second quarter of 2009, another says phishing has quadrupled, fueled by attacks delivered via social networking sties.
So, how does this phishing thing work? From the perspective of the victim, it’s rather simple. They’ll receive an unsolicited, unprovoked email (or instant message or some other form of online communication) that’s designed to look important enough not to ignore. It may appear to have come from a bank or credit card company or perhaps from a recognized online service such as PayPal, eBay, or Amazon. The point is that it looks official, usually complete with logos, graphics, and other corporate identifiers, and it will seem to have emanated from a business that commonly deals with financial transactions.
At this point, the “phisher” knows he’ll already have lost the vast majority of his intended audience. Some won’t ever see the message because their spam filter managed to catch it beforehand. Many will recognize it as a phishing attempt by closely scrutinizing it for inconsistencies or grammatical and procedural flaws. Others will write it off as bogus simply because they’ve had no dealings with the named institution.
But that’s the way this con is played. The perpetrator is quite comfy knowing only a tiny percentage will react, because the few that do will make the entire exercise worthwhile. They’ll read about a problem with their credit card or account that requires immediate action. They’ll click on a link that opens a credible looking yet entirely fake website wherein they’re asked to submit one or more personal bits of information. And then it’s game on in criminal land.
But there’s a lot more to this con than a fake email and fake website. Long before the victim receives the phish, the perpetrator is hard at work sourcing email address lists and assembling material and information to help him appear more legitimate. And of course, the fur really flies once he’s obtained personal information. What he does with it is really up to the individual, but he knows his time is extremely limited before the victim in question alerts authorities. Yet as anyone who’s ever been duped by fraud can attest, a tremendous amount of damage can be done in a very short time period.
And in case you think spam filters are a foolproof solution to an experienced phishing scheme, think again. Fact is that, just like upper echelon spammers, top level phishers use a variety of techniques to get into your inbox. Many of them involve word manipulation – adding just the right combination of “good” words, purposeful misspellings, and the like – to bypass filtering. And to exponentially increase the volume of phishing attacks and decrease the load on their own computers, phishing perps don’t stop merely when they get you to give up your personal information. They’ll also hack the computers of their victims so they too become a working part of the scheme – a scheme that could number in the millions of computers. Yikes.
How to avoid:
• It bears repeating: Never respond to emails requesting financial information of any sort, avoid those that do not address you by name, and refer to our advice from earlier in this story.
• Anyone who connects to the Internet yet doesn’t own security software is playing a very high-risk game. But these days, simple anti-virus just isn’t enough. Make sure your security package deals with all the most common areas of security breaches, including phishing. Today’s most highly regarded complete security packages include the top-rated Norton Internet Security (www.symantec.com), BitDefender Internet Security (www.bitdefender.com), Kaspersky Internet Security (www.kaspersky.com) and, for those on a budget, Panda Internet Security (www.pandasecurity.com).
• Head to the Anti-Phishing Working Group (APWG) at (http://www.antiphishing.org) for tons more information, additional resources, and advice.
