Truth 1 Phishing scams

Identity thieves have been attacking unsuspecting computer users since the late 1990s. Often, these attacks come through bogus emails that appear to have been sent by local banks, credit unions, online auction services, credit card companies, and just about every other online service. The ultimate goal of these attacks is to gain access to your confidential information. The attacks are known as phishing, and identity thieves have become slick with them. Identity thieves continue to thwart the efforts of security companies that attempt to detect and prevent consumers from falling victim to phishing attacks.

The main issue with trying to prevent these types of attacks is that it is difficult to prove where an email originated. Anyone can send an email and use a fake email return address (called spoofing). This is no different from your writing a letter, signing it Bob Hope, and mailing it to a friend. The recipient has no way of knowing who really sent it. The same thing is true with email.


In addition to spoofing email, identity thieves can include a URL in the email that directs you to click the link to validate your account. Of course, this link goes to a phishing Web site that resides on one of the thousands of free Web hosting sites on the Internet. These sites are located all around the world and keep no record of who set up the Web pages, so there is no way to track the authors down. Anyone can make a Web site and, more importantly, anyone can mimic a real site. This is where many people get sucked in. You see the PayPal logo and automatically think you have arrived at the PayPal site. Instead, you’ve just been lured to a fake site, and if you enter any of your personal information, you can expect it to be a costly error.

Now, obviously if you don’t have a PayPal account, a fake email from PayPal is going to be quite obvious. But what happens when the email appears to have come from your financial institution? Do you click on the link embedded in the email and provide your confidential information?


Unfortunately, emails asking you to click a link in an email and enter confidential information aren’t always phishing schemes. In fact, sometimes they are perfectly legitimate. In the past few years, I have seen many organizations send emails that are similar to emails sent by identity thieves. Some credit card companies send legitimate email offers that require you to follow a link to a Web site and enter confidential information. It’s no wonder identity thieves are having such success when legitimate organizations are perpetuating a flawed system.

So how do you avoid becoming another phishing victim statistic? In the end, you have to use a certain amount of common sense and a large amount of paranoia.

• Pay attention to the email addressee. If it does not include your complete name, you cannot trust the content of the email. Be aware, however, that emails containing your complete name can be fake, too. If there is any doubt, do not provide any information online. Call the institution and ask to speak to a customer service representative to determine if the email is legitimate.

• Pay attention to the Web address included in the email. After you click on the link, pay attention to the site that appears. Often, the URL will look correct in the email, but when your browser opens the Web page, it will be at a different address. Frequently it will end up at an IP address such as 10.0.0.1 instead of a typical Web address, such as www.paypal.com. If your browser ends up at either an IP address or at an address that just doesn’t make sense, you should not trust the site.

• Never open an attachment in an email regardless of who sent it unless you were specifically expecting it and know what it is. I have broken into more computers through the use of attachments than any other means. Just opening the attachment is enough to compromise your entire computer.
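The two checks in the Web-address tip above (a link that goes to a bare IP address, and link text that shows one site name while the link itself goes to another) can be run automatically over the HTML body of a message. This is an added example, not code from the book; the sample message and the look-alike domain in it are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL; bare text such as 'www.paypal.com' counts as a URL."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return (href, reason) for each link that fails one of the two checks."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if is_ip_literal(host):
            findings.append((href, "link goes to a bare IP address"))
            continue
        # Visible text that looks like a site name but points elsewhere is the classic lure.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and host and shown != host and not host.endswith("." + shown):
            findings.append((href, f"text shows {shown} but link goes to {host}"))
    return findings

# Constructed sample lure, not a real message; the look-alike domain is a placeholder.
SAMPLE = ('<p>Please <a href="http://10.0.0.1/login">click here</a> to validate your account.</p>'
          '<a href="http://paypal.com.secure-login.example/">www.paypal.com</a>'
          '<a href="https://www.paypal.com/help">www.paypal.com</a>')
```

Running `suspicious_links(SAMPLE)` flags the first two links and leaves the genuine PayPal link alone; a link whose text is the parent domain of the real target (for example `secure.paypal.com` shown as `paypal.com`) is also accepted.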

Knowing how to protect yourself is important, but businesses also need to be doing their part to bring phishing to an end. Here are a few simple steps that every business should be following.

• Stop sending URLs in emails to your customers. This seems so logical, yet I continue to see marketing campaigns that include these links. Instead, simply suggest in the email that users visit your Web site and instruct them on a specific menu option they should select. This allows customers to take advantage of the offer included in the email, but it also trains them not to click links in emails.

• Get the word out. Warn your customers often about the risks of phishing attacks, and let them know you will never send links in your emails. People need to know what to expect, so they can recognize when something is suspicious.

• Just because your company has not been targeted by identity thieves for a phishing attack doesn’t mean it won’t be. Much like a disaster recovery plan, handling a phishing attack requires preparation. Here are some questions you need to be considering.

• How will you get the phishing site taken down? A number of companies offer services to help take down phishing sites. Work out the cost ahead of time; you’ll get a far better deal if you’re not in a rush because you’re currently under attack.

• How will you notify your customers? Obviously, you want to warn people as soon as possible so that you reduce the number of victims. Will you do this through phone calls, emails, or notices on your own Web site?

• What do you do about customers who have been compromised? Cancel their accounts? Freeze them? Are there ways to look for suspicious activity?

• Use personal identifiers. Some companies must send emails that contain URLs that users need to click. In these cases, allow users to set up a personal identifier word or phrase that you include in every email you send them. Users then look for that word or phrase; if the personal identifier is not contained in the email, they know the email is fake.
