34

PROTECTING YOURSELF FROM FRAUD AND SPAM

Phishing for Information

In just a short few decades, the Internet has revolutionized communication, commerce, entertainment, and...crime. It’s sad, but the reality is that every pond has its bottom feeders. And the Internet is a very large pond indeed.

Some years ago, before the Internet was commonly available to home users, America Online (AOL) was an innovative service accessed by dial-up modems. It was appealing but not cheap. Some people figured out that obtaining free access was as simple as using a program to generate a fake credit card number and using that to open an AOL account. It took AOL a few weeks to figure out that the credit card number was no good, after which another fake number got the ball rolling again.

AOL eventually put a stop to this, so, naturally, even more reprehensible practices ensued. A program called AOHell emerged. It could send a barrage of instant messages to subscribers, posing as an AOL representative, luring them into providing personal account information. Voilà, free credit card numbers. The program’s creator referred to this practice as phishing, a play on the earlier term phone phreaking, in which people tricked the telephone system into connecting free long-distance calls.

AOHell has been retired, but the basic concept is still used by thieves around the world: the use of diffuse targets (a broad swath of victims), social engineering (a plausible story), and technology to gather the information volunteered. This is the essence of phishing.

By all accounts, phishing is prevalent and highly successful. Studies done on human susceptibility to specific, concocted phishing scams have varied greatly in results, with anywhere from 3 to 70 percent of the message recipients being susceptible. But even if just one person in a hundred falls prey, with the number of people online today, the number of potential victims is astounding.

Common Types of Fraud

You are certain to run into many categories of online fraud, of which classic phishing is just one. We list a few of them here. Regardless of the con, the criminals are after one of the following things:

Your personal and financial information—You’ll give it to them, and they’ll use it to go on a spending spree or sell it to other criminals.

Your money—You’ll send them money and get nothing in return.

Your computer—You’ll follow a link to a bogus website or even a legitimate website that’s been hacked. Your computer will get infected with a virus just by viewing the web page, in what’s called a drive-by attack. The criminals will record your keystrokes to get your password and banking information, or they’ll use your computer to commit any number of online crimes: sending spam, collecting information stolen by phishing, launching denial-of-service attacks, breaking codes and passwords, committing “click fraud”.... The list goes on and on.

It’s pretty ugly stuff. The following sections detail a few of the techniques criminals use to lure you in.

Classic Phishing

An email arrives seemingly from an organization or business that you’re actually affiliated with. The email says something significant has happened. There is endless variety to the messages used, but the goal is always to arouse your curiosity, your concern, or both. Here are some examples:

Your account was suspended due to suspicious activity. You need to respond immediately to restore your account.

A sum of money was posted to your account; can you confirm it?

An expensive online purchase you made is on its way to you.

Someone tried to change the password on your account. Click the link if it wasn’t you. (This is a clever one. It seems as though it might be safe to confirm that you didn’t do anything.)

You receive instructions to log on to a website to confirm or deny the activity. It’s a phony website, decked out to look just like the real one, and you’ll be asked to provide personal information to log on. Of course, this scam works only if you actually have an account with the purported sender. They don’t know if you do or not. But that doesn’t matter. They send hundreds of millions of these emails, so they’ll hit plenty of actual customers just due to the numbers.

The Stranded Friend

You get an email, Facebook message, or other online message from a friend or relative who’s traveling or is in jail and has lost his wallet and passport. He is apologetic but desperate and needs you to wire some money urgently. The message really is coming from your friend’s account, which has been taken over by a criminal, usually with a username and password that was stolen in a data breach elsewhere and bought from other criminals, or simply guessed by password-cracking software.

tip

If you don’t want your email or social networking account used to try to con you and your friends, don’t use the same password on multiple websites. If hackers break into one poorly protected website and steal the username and password list, they’ll use it to break into your accounts on other websites. Most people use the same password everywhere, so this pays off in a big way. Hackers get your password by hacking into poorly protected, little online business sites (such as Yahoo!, LinkedIn, Myspace, and Adobe Corporation, from which hackers lifted, collectively, over 2 billion email addresses, passwords, and security questions), and then they use that same password to get into your Facebook account, email account, bank account, and so on. To learn about some tools that can help you cope with the many passwords you’ll need, see “Identity-Management Software,” later in this chapter.

Advance Fee Fraud

You are invited into an exchange in which someone will send you money, and you’re to send them less money back. For example, you post something for sale on Craigslist, usually something for which you’re asking at least several hundred dollars. Someone wants you to ship the item to them, and it’s quite a distance. They offer to pay with a cashier’s check or money order made out for the amount of the item plus plenty more to cover whatever shipping will cost, and you’re supposed to send the leftover money back to them. The money order or cashier’s check will turn out to be phony, but you won’t find out until after you’ve sent them the change.

“Nigerian Letter” Scam

There is a large sum of money in an account in a distant foreign country (not necessarily Nigeria—it could be any country). A very respectable, high-ranking person is looking for help getting it out of that country into yours, and he found you. He will split the sum with you in return for your help. If you respond, it will turn out that you will have to wire him money to help cover his expenses in getting the process started.

Lottery and Giveaway Scams

It’s your lucky day: you won the lottery, airplane tickets, a chance to be on a TV show, a $100 coupon at Starbucks, a magazine subscription, a mail-order bride.... Well, whatever it is, it’s free, valuable, rare, and exciting. You’ll just have to provide a credit card number to cover shipping and handling.

Trojan Horses

An email arrives from a plausible source: the post office, a shipping company, or an online reseller such as Amazon. The email makes it sound as if you’re about to miss something important, and it has an attachment that contains an important invoice, a past-due notice, instructions for picking up a package, a confirmation of a tax refund, or some such. It’s just interesting enough and plausible enough that you open the attachment to see what it is. A virus then takes over your computer.

There really is no end to the inventive means that criminals come up with to part you from your money. Most seem laughably obvious—the bad grammar and spelling, the incorrect information, the implausible scenario.... However, I promise you that one day, one will slip by your internal BS detector. It has happened to me, and it will happen to you. You won’t even think about it. You’ll just click and....

You can just hope that before you type in your banking password or your credit card number, you’ll have a second thought and want to find out if the thing is real or not. That can take a bit of investigation, as we discuss in the next section.

Live Phish: A Real-World Example

A typical phishing email tends to report that some activity has taken place in your account with a specific organization: a password was changed, a deposit or withdrawal was made, money was transferred, a shipment was made, or an important message is waiting. The email requires that you click a web link to attend to the matter immediately, to confirm the activity, or to deny that you initiated it. Now, you’ll know right away it’s phony if you aren’t actually affiliated with the bank or company in question. But if you are affiliated, you might not know whether it’s a fraud, at least not right away. You have to look deeper.

Figure 34.1 shows an example of a rather sad attempt I found in my inbox.

Figure 34.1
Phishing email from...well, it’s not really from Bank of America.

On the surface, it appears that I’ll lose access to my bank account if I don’t sign in soon to confirm my password and banking information. I don’t think so! The writing in this particular email isn’t as bad as most, but the “From” line mentions a different bank entirely and has a very strange email address!

So, this one is pretty clearly a fake, but some phishing letters are actually pretty good. Let’s see what other clues there might be to tell us this letter isn’t legitimate.

caution

The phishing lure’s aim is to trick you first into opening the email and then clicking a web link and divulging your banking password. In other cases, criminals exploit bugs in web browsers, PDF viewers, and media players to create websites that put viruses and spyware onto visitors’ computers just by opening the site. These are technically called drive-by downloads because you get hit just for going to the wrong place, without even typing anything. We talk about these more in Chapter 31, “Protecting Windows from Viruses and Spyware.” The takeaway message is, it’s best never to even view an email if you have the slightest suspicion about it, let alone click on any links it contains.

The main clue that this email is not the real deal lies in the web link. The linked phrase Update Account Here seems innocuous, and in most phishing emails the links do look absolutely legitimate. It doesn’t matter either way; the displayed text is not the actual “active” address inside the link. It doesn’t matter what any blue underlined text says, because the text you see is just an arbitrary description of the underlying actual URL. Before you click a link in any email that seems even the least bit suspicious, look to see where any link it contains would take you.

Here’s how to check if you’re using Microsoft Edge (the default, Modern-style browser supplied with Windows 10):

1. Hover the mouse over the link, and then look toward the lower-left part of the browser window. A URL should be displayed in a small pop-up box. If the URL looks bogus, it is bogus. Stop! But this text can be easily forged. If the URL looks reasonable, don’t trust it yet. Instead, proceed to step 2.

2. Right-click the link and select Copy Link. Then, in the taskbar’s search box, type notepad. From the search results, select Notepad. Press Ctrl+V, or, on the menu, select Edit, Paste. Now look at the link.

If you are using Internet Explorer, follow these steps instead:

1. Hover the mouse over the link, and then look in the status bar in the lower-left part of the browser. A URL should be displayed there. If the URL looks bogus, it is bogus. Stop! But this text can be easily forged. If the URL looks reasonable, don’t trust it yet. Instead, proceed to step 2.

2. Right-click the link and select Properties. If the link is too long to fit in two lines, you might not see it entirely, but if you click and drag over the link, it will scroll to display the entire link. Alternatively, follow step 2 in the preceding procedure for Edge, and examine the link in Notepad.

If the URL display says something like onclick(); rather than a recognizable URL, the link’s target is determined by script programming inside the email or web page, and you can’t easily or reliably determine where it leads. If you see this, treat the email as very suspicious. (Scripting of clicks isn’t evil by itself, but because you can’t see what the script will do if you click the link, you have to assume the worst.)

If the actual URL doesn’t look like it leads to the organization you expected, stop! And even if it looks reasonable, you should examine it carefully, as we will explain.

In my sample phishing email, I found that the real link was this:

http://highendrecruiting.com/wp-content/USbank/

The USbank part might have seemed plausible if the letter hadn’t said it was from Bank of America, but look at the domain name, the part between // and the first /. What matters is the end of it: highendrecruiting.com is the site that would actually be visited, and that is not what you’d expect for a bank website. Anything to the left of the domain name (such as www or accounts) and anything after the first / can say whatever the criminal likes.

Other URLs aren’t so obviously bogus. Another phishing email I received had a link to http://bofamerica.online.tc/sitekey/. Doesn’t look so bad, does it? But start at the end of the domain name and work backward. The .tc at the end is a dead giveaway. .tc is the country code for the Turks and Caicos Islands. It’s a lovely place, but Bank of America isn’t based there! The site actually being visited is online.tc; bofamerica is just a name its owner tacked on the front.

A domain name that is clearly invalid is a dead giveaway that the email is bogus. An all-numeric address like http://64.101.32.1012/bankofamerica.com would also have been a sign of a bogus site. Legitimate corporate websites don’t send customers to bare numeric addresses.

Finally, notice that the link starts with http: instead of https:, so it’s not a secure web page. No truly secure login page starts with http:. The reverse doesn’t hold, though: criminals can obtain certificates for domains they own, so an https: link is reassuring only if the domain name is the right one.

So this phishing email gave itself away as a fraud; however, some are not so easy to spot. Sometimes the email’s language and formatting are perfect, and only by looking at the URL do you see a clue.

tip

The commonly recognized suffixes such as .com, .org, and .gov should be immediately preceded by the core organization name, and that should be the end of the domain name: what follows is a slash, a colon and port number, or nothing at all. Some examples of normal URLs include the following:

https://www.mybank.com

https://accounts.mybank.com/mainpage.asp

Here are some URLs that are likely malicious:

http://www.myba.nk.com

http://www.mybánk.com

http://www.mybank.info

http://www.mybank.com.elsewhere.com

http://www.elsewhere.com/mybank

http://www.mybank.com.xx, where xx is a country code (this is the domain mybank.com.xx, which is a different name from mybank.com unless the bank itself tells you it uses it)

http://202.12.29.20/mybank.com

Don’t enter account, password, or personal information into a web page that uses the http: prefix. If it doesn’t start with https:, consider it suspicious. And a legitimate corporate domain name is owned by the corresponding company. See “Whois Database” at the end of this chapter for a way to find out who actually owns a domain name.
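The checks described in the steps and the tip above can be written down as a short program. The following Python script is an added example and not code from the book: it pulls the links out of an HTML email body and applies this section’s rules (plain http:, numeric host, look-alike characters, wrong domain, and displayed text that disagrees with the real target). The sample email body is constructed for the demonstration (its first URL is the one quoted earlier in this section), the expected domain mybank.com is assumed, and the “last two labels” domain rule is a simplification that covers .com/.org/.gov-style names; suffixes such as .co.uk would need a public-suffix list.

```python
"""Check where the links in an email really point.

Added example, not from the book. The HTML email body and the expected domain
"mybank.com" are constructed for the demonstration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (displayed text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    """Last two labels of a host name: accounts.mybank.com -> mybank.com.

    Assumption: single-label suffixes such as .com/.org/.gov. Suffixes like
    .co.uk need a public-suffix list, which this example leaves out."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, expected_domain):
    """Apply the section's rules; return the reasons the link is suspicious."""
    reasons = []
    if not href.lower().startswith(("http://", "https://")):
        # onclick handlers, javascript:, mailto: ... the real target is hidden
        return ["target is not a plain http(s) URL: %r" % href]
    parts = urlsplit(href)
    host = parts.hostname or ""          # the part between // and the first /
    if parts.scheme != "https":
        reasons.append("not https")
    try:
        ipaddress.ip_address(host)       # raises ValueError for a normal name
        reasons.append("numeric IP address instead of a domain name")
        return reasons
    except ValueError:
        pass
    if not host.isascii() or "xn--" in host:
        reasons.append("internationalized (look-alike) characters in host name")
    if registered_domain(host) != expected_domain:
        reasons.append("domain is %s, not %s" % (registered_domain(host), expected_domain))
    return reasons


def audit_email(html, expected_domain):
    """Map each link's displayed text to its list of red flags (empty = none found)."""
    report = {}
    for text, href in extract_links(html):
        reasons = check_link(href, expected_domain)
        # Displayed text that is itself a URL for a different domain is a classic lure.
        if text.lower().startswith(("http://", "https://")):
            shown = urlsplit(text).hostname or ""
            real = urlsplit(href).hostname or ""
            if registered_domain(shown) != registered_domain(real):
                reasons.append("displayed text says %s but the link goes to %s" % (shown, real or href))
        report[text] = reasons
    return report


# Constructed sample; the first URL is the one quoted earlier in this section.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please act within 24 hours.</p>
<a href="http://highendrecruiting.com/wp-content/USbank/">Update Account Here</a><br>
<a href="http://www.mybank.com.elsewhere.com/login">https://www.mybank.com/login</a><br>
<a href="onclick();">Confirm it wasn't you</a><br>
<a href="https://accounts.mybank.com/mainpage.asp">Sign in</a>
"""

if __name__ == "__main__":
    for text, reasons in audit_email(SAMPLE_EMAIL, "mybank.com").items():
        print("%-32s %s" % (text, "; ".join(reasons) or "no red flags"))
```

Run it and only the last link comes back clean; the others are flagged for exactly the reasons the tip lists. An empty list of reasons means no red flag was found, not that the link is safe: the script knows nothing about the page behind the URL, which is why you still type the bank’s address by hand rather than clicking.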

Although the astute observer might not fall for the particular phishing email I got, it’s highly possible that a bleary-eyed, unsuspecting computer user who has not yet had morning coffee might miss its warning signs. This is where Microsoft’s SmartScreen Filter comes in. Figure 34.2 shows an example of what is presented when a suspicious link is clicked.

Figure 34.2
The SmartScreen Filter at work.

When the SmartScreen Filter is enabled, Edge and Internet Explorer send every URL you click to Microsoft for screening against a list of known fraudulent or virus-infested websites. In the case of this phishing email, the browser has communicated in no uncertain terms that it is a known dangerous site. Under the More Information item, there is an option to continue to the web page, if desired, but the link states that clicking to proceed is not recommended.

note

If a website doesn’t get flagged by the SmartScreen filter, it doesn’t prove that it is legitimate; it just might not have been detected yet. But, a website that is flagged is very probably bad.

To be sure that the SmartScreen Filter is enabled, open Internet Explorer, click the gear (Settings) icon in the IE toolbar, and then select Safety. If the pop-up menu contains the choice Turn Off SmartScreen Filter, it’s currently on, and you don’t need to do anything. Just press Esc or click outside the IE window. Otherwise, select Turn On SmartScreen Filter.

Then open the Microsoft Edge browser. Click the ... item at the right end of the navigation bar, select Settings, and then scroll down and select View Advanced Settings. Scroll down and be sure that Help Protect Me from Malicious Sites... is turned on.

As stated earlier, when the filter is enabled, every URL you view is sent to Microsoft for checking against a list of known bad sites. This list is built up by feedback from users, information gathered from spam and presumably verified by Microsoft staff. When a site is under investigation, Internet Explorer might prompt you to “vote” on your feeling about the site’s safety.

note

Does SmartScreen slow down your web surfing? Not by much, if at all. When you browse to a website, your browser starts downloading the site’s content, and it sends the URL to Microsoft’s SmartScreen servers at the same time. The amount of information exchanged is very small, and the browser continues to download content while SmartScreen is checking. If the response from SmartScreen is delayed, the software will still decide—based on its analysis of the web page content itself—whether or not to go ahead and display the page, so you don’t have to worry that if Microsoft’s servers go down, you’ll be stuck.

Regardless of whether SmartScreen flags a web page or not, our recommendation is to never click on any link in any threatening, worrisome, confusing, or unexpected email notification. Instead, if you think the notice might be real, and if the host name in the URL listed in the notification matches a website you actually use, open the real website by typing in the URL by hand.

For notices about unexpected charges to your credit cards or other accounts, check the credit card’s or account’s website directly, to see if there is actually a pending or finalized charge or order you didn’t expect, by typing in the site’s URL by hand.

Otherwise, our suggestion is just to ignore the email, and in the very unlikely event that a bogus charge does appear, contact your credit card company to dispute it.

Viewing a Site That Was Flagged Incorrectly

If the SmartScreen Filter flags a site that you know is safe, click the down arrow next to More Information in the warning screen. You can tell Microsoft that you think the site is legitimate by clicking Report That This Site Does Not Contain Threats. You can continue past the warning to view the site by clicking Disregard and Continue.

Flagging a Fraudulent Site

If you find that the SmartScreen Filter fails to flag a site that you feel is fraudulent, follow these steps:

If you’re using the new Modern-style Microsoft Edge browser, click the ... symbol at the top of the browser, and select Send Feedback. Then Report Unsafe Site.

In Internet Explorer, click the gear (Settings) icon in the IE toolbar; then select Safety, Report Unsafe Website.

Follow the prompts to complete the report.

Sacrificing Privacy for Security

If you feel that the SmartScreen Filter feature sounds good but also a little bit creepy, I agree with you. On the one hand, it’s nice to have this sort of protection available, because a lot of people just don’t have the time to sort out where every email link leads. On the other hand, the filter doesn’t just monitor links from fraudulent emails: It communicates data about every web page you visit and every web search you perform. Microsoft states that the information is transmitted in encrypted form and that it has “taken steps to help ensure that no personally identifiable information is retained or used for purposes other than improving online safety”—that is, neither your IP address nor the URLs you visit are archived.

However, it’s still very likely that your data could be captured and scanned by, oh, say, a large government agency with a huge secret budget, and it would be illegal for Microsoft to tell you that this was occurring, if they even knew. Personally, I leave SmartScreen Filter turned on. I’m just suggesting that you treat corporate privacy policies as skeptically as you do emails from random banks.

caution

Microsoft’s SmartScreen Filter tries to make educated guesses about the validity of URLs, but in reality, it’s only as good as Microsoft’s list of known phishing sites. Don’t rely on it entirely! Be very skeptical. If you suspect that an email allegedly from one of your financial institutions or organizations is not legitimate, don’t click any links in the email. Instead, visit the organization’s website directly by typing its URL yourself, or call your bank and ask if the email is legitimate.

More Help from the Browser

In addition to the SmartScreen Filter, all web browsers should display a lock icon when you are viewing a site whose data is encrypted in transit and whose identity is at least reasonably assured. The lock icon is displayed right next to the URL it describes, as shown in Figure 34.3.

Figure 34.3
The lock icon indicates an encrypted website. Click the lock to display the site’s certificate information.

You can view the site’s certificate information by clicking the lock icon, and it will show up against a red background if there is anything odd about the site’s certificate.

The lock section of the address bar is shaded green if the site’s identity is (reasonably) assured with Extended Validation (previously High Assurance SSL) certificates. This indicates that the site has submitted to a rigorous identification process and has paid for the new certificate type. Browser versions released after 2019 have dropped the green highlight, though the certificate details, including the organization name, are still available by clicking the lock.

caution

A newer trick on the Web makes bad URLs harder to spot: Internationalized Domain Names (IDNs). Until recently, you had to worry only about your native alphabet or character set in the URL bar, but now a domain name can use international character sets that look similar to something in your native language yet name a different site entirely. Would you think it was safe to visit paypál.com or eßay.com? Use a keen eye to watch for accent marks and oddly shaped characters! Under the hood, such names are encoded as labels beginning with xn--; if you see that prefix in the address bar where you expected a plain English name, treat it as a red flag.

How to Protect Yourself on a Public Computer

If you use a public computer, for example, a computer in a library, an Internet cafe, or even a friend’s house for that matter, you should be concerned that the computer might be infected with viruses that may monitor your activity and steal your information. Never use a public computer to conduct banking or work with sensitive information. Think twice even about checking your email or social networking account; your logon name and password might be recorded and collected by criminals before you even sign out.

If you do use a public computer to conduct personal business, consider using private browsing, where the browser deletes all information about your browsing activity when you close it. Most browsers have this capability. In Microsoft’s browsers, the feature is called InPrivate Browsing. To use it in Edge, click the ... icon at the right side of the window, and then select New InPrivate Window. In Internet Explorer, press and release the Alt key to display the menu, and then select Tools, InPrivate Browsing. Be sure to close all browser windows when you’re finished working.

If InPrivate Browsing doesn’t work with the site you’re using and you have to use a browser in its normal mode, be absolutely sure to sign out of any website you logged on to. And when you’re finished, before you walk away, clear the browser’s cache of retained information. Here are instructions for Windows 10:

If you’re using the Microsoft Edge web browser, select the ... item at the right end of the navigation bar, select Settings, scroll down to Clear Browsing Data, click Choose What to Clear, check all the items, and then click Clear.

If you’re using Internet Explorer, click the gear (Settings) icon on the toolbar, and then select Safety, Delete Browsing History. By default, Temporary Internet Files and Website Files, Cookies and Website Data and History are checked. Check Form Data and Passwords as well; then click Delete.

Previous versions of Windows and other web browsers have similar tools, but you might have to hunt for them.

If you’re out and about, it’s much safer to use your own computer, tablet, or smart phone to reach the Internet. Even public WiFi has its risks, though. Always be sure to type https: rather than http: for URLs when you browse or conduct business over a WiFi connection outside your home or office.

For more information about using public WiFi securely, see “At a Public Hot Spot,” p. 828.

Two-Way Authentication

Authentication is the process of proving that you are who you claim to be. The frequent use of bogus websites demonstrates the need not only for users to prove their identity to a site, but also for a site to prove its identity to the users. One way to accomplish this type of two-way authentication is for a user to choose a secret symbol, such as a small picture of a tropical sunset, which is known only between the user and the site. Henceforth, whenever that user visits the site, that tropical sunset picture is displayed alongside the rest of the site information. A malicious site replica will not know which symbol to produce, so even if a user is tricked into visiting one, it will be clear that the site is not authentic. Many financial institutions are using this system now, and you may already have seen it in action.

The system works by placing a unique signature on your computer. When you visit the site and provide a valid account name, the site checks this to see whether your computer has been used successfully before. If it has, the picture of the sunset (for example) is displayed along with the password prompt. You will recognize the picture, know it’s the right site, and type in the password. Nice plan. But what if you are at a computer that you don’t usually use? In that case, you will be asked to answer some additional security questions before the site will display the secret symbol and ask for your password. One caveat: this scheme is weaker than it looks. A phishing site can relay the account name you type to the real bank, fetch the picture, and show it to you, and studies have found that many users enter their password anyway when the picture is missing. Treat the picture as one more clue, not as proof, and keep checking the URL.

Two-Factor Authentication

Two-factor authentication involves two different kinds of evidence of your identity, drawn from something you know, something you have, and something you are. A password or PIN is something you know. Something you have is usually an electronic token (device) of some sort that displays a frequently changing code number. Something you are is a biological property, such as your fingerprint or retina, that can be used to identify you. Another two-factor technique that’s become common is a one-time code that’s sent to you by text message, or less often, by email. (In this case, the thing you have is your phone or a separate logon on a different web service.)

Using two factors to prove who you are is much better than using a password alone: Whereas a password can be electronically stolen, obtaining both a password and a unique physical device—or a finger, for that matter—is substantially more difficult.
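To see what the “frequently changing code” on a token or in an authenticator app actually is, here is an added Python example (not from the book) of the HOTP and TOTP algorithms from RFC 4226 and RFC 6238, which most tokens and apps implement, together with a minimal server-side check. The secret is the public test secret from the RFCs so the codes can be compared with the standards’ tables; a real token holds a random secret shared only with the server. The TotpVerifier class, its one-step tolerance window, and its replay rule are my assumptions about a typical server, not a description of any particular product.

```python
"""What the changing number on a two-factor token is: HOTP (RFC 4226) and
TOTP (RFC 6238), plus a minimal server-side check.

Added example, not from the book. The secret below is the public test secret
from the RFCs, so the codes can be compared with the standards' tables; a real
token or authenticator app holds a random secret shared only with the server.
The TotpVerifier class and its one-step tolerance window are assumptions about
a typical server implementation.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"   # 20-byte ASCII secret from RFC 4226/6238


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP is HOTP with the counter = number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server side: accept the current step and +/- window steps for clock drift,
    compare in constant time, and never accept a step at or below the last one
    used, so a code that was phished and replayed does not work a second time."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1

    def verify(self, code, at_time=None):
        now = int(time.time() if at_time is None else at_time)
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, time.time())
    print("first use accepted:", v.verify(code))
    print("replay accepted:   ", v.verify(code))
```

The point of the replay rule is the failure mode that matters for phishing: a fake login page that asks for your password and then for “the code from your app” gets a code that is good for about a minute, and the only defense the server has is to refuse any code once it has been used and to keep the window small.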

tip

If your bank, email provider, social media site, or any other website you use offers text message or emailed two-factor authentication on its website, be sure to sign up for and take advantage of it. It greatly reduces the chances that a security breach somewhere else will compromise your information and money. Codes sent by text message are the weakest kind (a criminal can have your number moved to another phone, or a phishing page can simply ask you for the code and pass it along), so choose an authenticator app or hardware token where one is offered, but any second factor beats none.

One challenge with two-factor authentication is that the computer must be capable of validating the “something you have.” For example, to scan your finger for authentication, the computer must be equipped with a fingerprint reader. To use a special electronic token, you need a piece of equipment that can validate the token. When you consider that some institutions have millions of customers, the cost of extra hardware adds up.

Windows includes built-in support for new and better two-factor security devices such as biometric readers, so hopefully, the use of this sort of equipment will increase. (On the other hand, with all the large-scale data thefts we see these days, I doubt that even these security measures will be useful in the long term. Once “XXX Corp.” accidentally leaks a few hundred million electronic fingerprint records, the scheme won’t be worth using anymore.)

Identity-Management Software

Because no centralized or standard system exists for managing usernames and passwords across different websites, users are forced to improvise solutions for managing their various electronic identities. The solution most people employ is just to use the same password on every site. Unfortunately, doing so is extremely risky. Just one data theft from one of the sites or vendors you use will expose your “favorite” username, email address, and password (and more) to the world.

A different, complex password for every site is the right way to go, but it’s impossible to remember them all. You might end up cutting and pasting the information from a Word document every time you log on, but this is incredibly unwieldy, and most people end up going back to the one-password-everywhere-who-would-care-about-my-data-anyway method.

You can take up your web browsers’ offers to memorize passwords for you, and that’s a partial help, but, you’re still stuck keeping manual records of your many passwords for when you travel and as a backup.

There’s another way, though, using third-party tools. Password-management programs keep track of all your various usernames and passwords and store them in a safe, encrypted format. They often have browser-integrated features that, with your permission, automatically fill in your credentials by site. Programs such as Roboform, LastPass, and 1Password provide one-click logons and enable you to use diverse and more complex usernames and passwords because you don’t have to remember them. However, you can still get them out of the program when you want to. It’s nice to know that with so many people focused on making life difficult with malware, innovative and pragmatic software developers are making life on the Web easier.

Fighting Spam

Email users of the world are no doubt nostalgic for a time when Spam was just a tasty pork product. Now it is the scourge of email systems throughout the world, as unsolicited email messages from an ever-increasing number of junk-mail senders congest mail systems and take up space on our computers. Spam is such a problem because, on the scale of subversive electronic activities, it is fairly easy to do, fairly difficult to be caught at, and very inexpensive for the sender. Despite ridiculously low response rates, spammers continue to dupe shady advertisers into paying for it.

Although the most important cost involved with spam is in human time—time spent reading, deleting, and devising ways to fight it—there’s actually a huge environmental cost as well: To filter out the estimated 95 trillion junk emails sent in 2010, computers burned through enough electricity to generate more than 28 million metric tons of CO2 emissions. In 2016, the volume of spam appears to have dropped to about half the volume in 2010, due to better spam filtering by online email providers and the takedown of some criminal enterprises, but the numbers are still staggering.

Thankfully, antispam technology continues to get better, and you can take several practical steps to both make spam less of a nuisance and reduce the risk that it will lead to even more serious problems, such as email-borne viruses and information theft.

tip

To make it more challenging for spam tools to guess an email address, use uncommon combinations instead of common naming conventions. Although it’s less intuitive than [email protected], using initials and meaningful (to you) combinations of numbers, such as [email protected], makes you a more difficult spam target.

If you want to avoid spam, it helps to understand a bit about how you get targeted in the first place. Spammers generally find email addresses by harvesting them from public sources, such as message boards or web pages. They buy them from website operators who aren’t above selling email addresses they’ve collected from visitors, registration pages, or guest books. They may distribute virus software that steals email address books from victims’ computers. They also use special programs called spambots to methodically crawl the Web for email addresses wherever they might be. Then, because they’re not above scamming their own customers, they pad their lists with a huge percentage of email addresses they just make up using common names and domain suffixes. Because little cost or penalty is associated with sending spam to the wrong email address, spammers trade and compile enormous email lists, with many incorrect and probably some legitimate addresses as well. If your email address ends up on one of these lists, it will probably stay there, so the best defense is to keep your email address off the list in the first place.

And it should go without saying: never purchase anything, hire anyone, or respond in any way to any offer you receive in a spam solicitation, no matter how appealing it might be. That only validates spam as an effective marketing tool.

Protecting Your Email Address

The best way to avoid getting on spammers’ lists is to share your email address only when necessary and only with the trusted few. One of the simplest ways that information is inadvertently shared is bad email etiquette. When you send a single email to multiple people, it’s best to use the Bcc field and keep the names out of the To and Cc lines. The exception to this rule is when you are on a private network, such as a corporate email system, where the email will not generally travel over the Internet unprotected.

Another way to reduce spam is to use multiple email addresses for different purposes. One email address could be a primary address for trusted friends or merchants, and another could be for sites that are less familiar or for times you need to register with a site for a one-time use. Keeping one address for important communications and another for “junk email” not only is effective at reducing spam, but also can help protect you in other ways. In the phishing example earlier in this chapter, an email arrived from PayPal at my junk email address, yet I knew I had provided PayPal with my trusted email address, so it was a clear red flag. This approach works even better if you have yet more-specific email addresses for important lines of communication. Free email address services abound. Many of them have good spam-filtering capabilities, so they make good choices for a junk email address. (I’m very impressed with Gmail.)

note

Here’s an unsolicited plug: In my experience, the spam filtering provided by Google’s Gmail and the related Google Apps for Business is absolutely amazing, filtering out about 99.98% of the 1,000 or so spams targeted at my email address each day. About 900 of these are refused outright; that is, the Gmail email server recognizes that the email sender is a virus or known spam program and won’t even allow it into their system. Of the remainder, maybe one per week makes it into my Inbox; the rest are automatically categorized as spam and filed accordingly.

In the past year, only a few legitimate emails were incorrectly categorized as spam, and only one was a personal email; the rest were bulk mailings from companies that I’ve done business with. That’s an incredible success rate, and it’s far better than any of the other online email services I use—some of which are abysmal.

Better yet, some email systems let you add a suffix to your email address. For example, if my address is [email protected], I can also use [email protected] and [email protected]; in fact, I can use brian+anything@myisp.com. If you have such a service, make up a distinct email address every time you register your email address on a website. Then, if one of these appears in a spam list, you can block just that address and never be bothered by it again. (And send a nastygram to the website owner while you’re at it.)
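The sub-address scheme just described can be turned into a simple inbound filter. The following is an added example written for this chapter, not code from the book or from any email provider; it assumes a mailbox that accepts brian+anything@myisp.com, a small hand-kept table of the tags handed to each site (the tag names and labels here are constructed), and a set of tags that have since leaked and been revoked. Anything arriving with a tag you never issued is treated as guessed or harvested rather than as legitimate mail.

```python
"""Sort inbound mail by the sub-address tag after '+' (added example)."""
from email.utils import parseaddr


def split_subaddress(address, separator="+"):
    """Return (base local part, tag or None, domain), all lower-cased.
    'Brian <brian+store@myisp.com>' -> ('brian', 'store', 'myisp.com')."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, sep, tag = local.partition(separator)
    return base.lower(), (tag.lower() if sep else None), domain.lower()


def classify(to_header, my_base, my_domain, issued, revoked):
    """Decide how to treat a message addressed to one of my sub-addresses.

    issued:  tag -> label I gave the site when I handed out that tag
             (constructed table; maintained by hand as you register on sites)
    revoked: tags that later turned up in spam and were blocked
    """
    base, tag, domain = split_subaddress(to_header)
    if base != my_base.lower() or domain != my_domain.lower():
        return "not-mine"
    if tag is None:
        return "trusted"        # the bare address only close contacts have
    if tag in revoked:
        return "blocked"        # this tag leaked: drop it without reading
    if tag not in issued:
        return "suspect"        # a tag I never handed out: guessed or harvested
    return issued[tag]


def revoke(revoked, tag):
    """Block just the leaked sub-address; every other tag keeps working."""
    revoked.add(tag.lower())
    return revoked


if __name__ == "__main__":
    # Constructed registry of tags I have handed out, and the revocation list.
    issued = {"bank": "trusted", "store": "retail", "forum": "newsletters"}
    revoked = set()
    revoke(revoked, "forum")          # the forum address started receiving spam
    for to in ("Brian <brian@myisp.com>", "brian+store@myisp.com",
               "brian+forum@myisp.com", "brian+win@myisp.com"):
        print(f"{to:32} -> {classify(to, 'brian', 'myisp.com', issued, revoked)}")
```

The useful side effect of keeping the table is that a "suspect" verdict tells you a spammer is probing your address pattern, while a "blocked" verdict tells you exactly which site leaked or sold the address.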

Using Spam Filtering

Despite good faith and antispam tactics, an email address will eventually receive some spam. Spammers might be innovative, but equally innovative people are at work preventing spam from taking valuable time away from your life. Spam filters analyze email and relegate spam to a junk mail folder or the like. They use various methods, including some similar to other antimalware programs, to detect and get rid of spam before it hits your inbox. All online email service providers, such as Yahoo! Mail, Gmail, and so on, provide free spam filtering as a matter of their own survival as much as for good customer service. Filtering spam at the server level is actually more effective than filtering it in your own computer, because servers will typically receive the same spam email for thousands of customers at once, giving it a higher profile.

Besides filtering by email service providers, some email programs can perform filtering as well. Microsoft Outlook, which is part of the Office productivity suite, includes spam filtering. Most third-party email programs offer spam filtering as well.

You may also install an aftermarket spam filter as an add-on. It will insert itself between your email program and the Internet. There are even some plug-in hardware devices that protect from spam at the network level.

If you still get large quantities of spam, you might consider changing email providers. Or you might keep your current account and have it forward all of your email to an account on a service with better filtering. Then read your email on the second service.

Avoiding Spammers’ Tricks

Spammers have hundreds or maybe thousands of tricks up their grimy sleeves to bypass filters. Still, you can do plenty of simple things to limit exposure and reduce junk email in its various forms.

Some spammers appear repentantly courteous. That is, they have violated your inbox by being there uninvited, but now that they have your attention, please don’t be offended, because you can simply click this link to opt out of receiving any more spam from them. Honest.

Do not reply to spam that claims to provide an “opt out” or “unsubscribe” link. By clicking the link in an attempt to stop receiving spam, you are confirming that your email address is good. You are just increasing your value as a spam target, and your spam level likely will increase. In fact, it’s a good idea to never respond to spam, especially to buy anything. Although it is possible some well-intentioned but ill-advised vendors are using spam to sell legitimate products, all purveyors of spam are suspect simply because of the insidious nature of the communication: unsolicited, unauthorized, unwelcome, and often illegal. Avoid spam like the plague it is. If you suspect an email message is spam, you’re probably right. Don’t opt out. Don’t even open it; just delete it or click your email program’s “This is spam” button.

Read the terms of use and privacy policies when you register with a website to make sure the site will not sell or share your information. Often at the end of the form are preselected check boxes indicating that you’d love to receive email from them, their sponsors, their affiliates, and so on. Clicking those boxes is considered opting in and permits them to legally bombard you with spam. Many spammers disregard the law anyway, but it’s never a good idea to give them carte blanche with your inbox.

The right way for an upstanding website to manage an email list is called confirmed opt-in, and you’ve probably used it before. Good citizens of the Internet will not start sending email to you until they have confirmed, by receiving email from your email address, that you actually want it. Without such confirmation, anyone could type your email address into a hundred different Send Me Mail forms, some of which are perhaps distasteful, and every day you’d have an inbox full of junk. This is such an important premise that, in general, if it’s not a confirmed opt-in, it might as well be spam.
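What confirmed opt-in looks like on the list operator's side, as an added example (not code from the book or from any real mailing-list product): the web form only records a pending request and generates a confirmation link; the address is added to the list solely when that link, carrying a signed and time-limited token, comes back from the mailbox that actually received it. The secret, the confirmation URL and the 24-hour lifetime are assumptions chosen for the example.

```python
"""Confirmed (double) opt-in with HMAC-signed confirmation tokens (added example)."""
import binascii
import hashlib
import hmac
from base64 import urlsafe_b64decode, urlsafe_b64encode

SECRET = b"constructed-server-side-secret"   # assumption: generated once, kept private
TOKEN_TTL = 24 * 3600                         # assumption: links expire after a day


def make_token(address, issued_at, secret=SECRET):
    """Bind the address and issue time together under an HMAC so a token cannot be
    forged for a different address or reused after expiry."""
    payload = f"{address.lower()}|{issued_at}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token, now, secret=SECRET, ttl=TOKEN_TTL):
    """Return the confirmed address, or None if the token is malformed,
    tampered with, or too old."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = urlsafe_b64decode(payload_b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    address, _, issued = payload.decode().rpartition("|")
    if not issued.isdigit() or now - int(issued) > ttl:
        return None
    return address


class MailingList:
    def __init__(self, secret=SECRET):
        self.secret = secret
        self.pending = {}        # address -> time the form was submitted
        self.subscribers = set()

    def request(self, address, now):
        """Step 1: the form is submitted. Nothing is subscribed yet; the returned
        link would be mailed to the address, and only its owner can follow it."""
        address = address.lower()
        self.pending[address] = now
        token = make_token(address, now, self.secret)
        return f"https://list.example/confirm?token={token}"   # hypothetical URL

    def confirm(self, token, now):
        """Step 2: the link comes back from the mailbox. Subscribe only now, and
        only once, so a captured link cannot be replayed."""
        address = verify_token(token, now, self.secret)
        if address is None or address not in self.pending:
            return False
        del self.pending[address]
        self.subscribers.add(address)
        return True


if __name__ == "__main__":
    ml = MailingList()
    link = ml.request("someone@example.com", 1_000_000)   # constructed address
    print("mail this link to the address:", link)
    token = link.split("token=", 1)[1]
    print("confirmed:", ml.confirm(token, 1_000_100), "->", ml.subscribers)
```

Without the signed token, anyone who knew the confirmation URL format could confirm an address they do not own; without the pending check, a link that leaked through a forwarded message could be replayed to re-add an address after it was removed.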

Junk email can come from the most unlikely sources. Well-intentioned relatives bent on protecting their loved ones from syringes on movie seats, international kidney thieves, or cancer-causing agents in shampoo are responsible for a type of spam that’s hard to avoid because, although it might be tempting, you don’t want to filter everything that comes from them. And if you feel the urge to forward a tantalizing or tender tidbit, before asking others to spend time reading the message, take a moment to search and make sure it’s true.

note

Several Internet sites have evolved to fight electronic chain letters, spam, and especially urban legends that compel so many people to send massive amounts of ultimately groundless email and Facebook posts. Snopes.com has emerged as an excellent source to determine whether an email is fact or fiction. Use it often. Your friends, relatives, and the collective IQ of humanity will thank you.

Taking Action Against Email Abuse

So far, this chapter has taken the Aikido route to spam and fraud defense: avoidance and being “like water.” Among our many techniques, we sidestep dangerous links, make email addresses slippery to spambots, and use identity management software to leave would-be keyloggers with nothing. These are useful defensive techniques, but sometimes an offensive approach to vanquishing online foes is more effective and satisfying. Some spammers can be identified and extinguished. Once discovered, phishing sites can be quickly put out of business.

Many commercial Internet sites provide readily available tools to report suspicious activity. For example, eBay and PayPal request that you forward suspected fake emails to [email protected] or [email protected], respectively. They will quickly take appropriate action. Responsible sites display security or fraud-related links on the front page, so you can easily find their preferred mode of communication. If you suspect a phishing scam, consider taking a moment to find the right email address and report it. You may save someone else a lot of heartache and will validate your own “sleuthiness.” If you stumble upon a suspected phishing site with Internet Explorer, report the site using the SmartScreen Filter tool discussed under “Flagging a Fraudulent Site,” earlier in this chapter.

Reporting spam can be easy, too. Free email services used with a web browser often provide a “report spam” button that can automatically notify the provider to take action. This removes the message from your inbox and, more importantly, could help eliminate hundreds of thousands of other copies in other people’s inboxes.

If you prefer to use a separate email program, such as Windows Mail, a plethora of add-ons can help you report and eliminate most spam. Some of the most interesting and effective ones use collaborative networks. Like the free email services that have potentially millions of users, these add-ons are based on the premise that humans can filter spam better than any algorithm alone. When a number of users identify a particular message as spam, the other members of the network can be spared the trouble. It’s a successful strategy used by companies such as Cloudmark, and there are other successful strategies as the field continues to evolve to provide convenient, active ways to fight spam.
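The two observations above, that a server sees the same spam for thousands of customers at once and that a collaborative network can spare everyone once a few users have flagged a message, rest on the same mechanism: recognising copies of one mailing even though each copy differs slightly. The following is an added example written for this chapter, not code from Cloudmark or from any provider; it normalises a message body before hashing so that per-recipient tracking links and serial numbers do not defeat the match, and it counts distinct reporters against a threshold. The sample messages are constructed.

```python
"""Collaborative spam reporting by normalised fingerprint (added example)."""
import hashlib
import re


def normalize(body):
    """Strip the per-recipient variation spammers insert to defeat exact hashing:
    letter case, tracking URLs, digits, punctuation and whitespace runs."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " url ", text)   # tracking links differ per copy
    text = re.sub(r"\d+", "0", text)                # serial numbers, random digits
    text = re.sub(r"[^a-z0-9 ]+", " ", text)        # punctuation and odd characters
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(body):
    return hashlib.sha256(normalize(body).encode()).hexdigest()


class ReportNetwork:
    """Counts distinct users who reported a given fingerprint; once the count
    reaches the threshold, every later copy is filtered for everyone."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.reports = {}   # fingerprint -> set of reporter ids

    def report(self, reporter, body):
        fp = fingerprint(body)
        self.reports.setdefault(fp, set()).add(reporter)   # one vote per user
        return len(self.reports[fp])

    def is_spam(self, body):
        return len(self.reports.get(fingerprint(body), ())) >= self.threshold


# Constructed copies of one mailing, each personalised slightly.
SPAM_VARIANTS = [
    "Dear user 4821, your PRIZE awaits! Claim at http://prize.invalid/?id=4821",
    "Dear user 9930, your prize awaits!  Claim at http://prize.invalid/?id=9930",
    "dear user 17, your prize awaits! claim at http://prize.invalid/?id=17",
]

if __name__ == "__main__":
    net = ReportNetwork(threshold=3)
    for user, body in zip(("alice", "bob", "carol"), SPAM_VARIANTS):
        print(user, "reports; votes now", net.report(user, body))
    fresh = "Dear user 555, your prize awaits! Claim at http://prize.invalid/?id=555"
    print("fourth copy filtered:", net.is_spam(fresh))
```

Requiring reports from distinct users rather than counting raw reports is what stops a single malicious or mistaken reporter from getting a legitimate newsletter filtered for the whole network.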

On the other hand, there are not-quite-so-convenient yet more active ways for those who desire to “get medieval” on spammers. With a little practice, it’s not difficult to trace a message’s path through its email headers using publicly available Internet resources. You can often identify the service provider whose network was used to send spam, and they can opt to shut down the spammer’s Internet access if enough complaints are received. Additionally, the Federal Trade Commission encourages you to forward spam to the appropriate governmental agencies for analysis. Consider forwarding particularly obnoxious spam to one of the following addresses:

Type of Spam                                               Forward to
Asking you to send money through the U.S. mail             [email protected]
Prescription drugs, medical devices, dietary supplements   [email protected]
Nonprescription drugs                                      [email protected]
Stocks or bonds                                            [email protected]
“Nigerian”-type scams                                      [email protected]
Any sort of spam                                           [email protected]

The government will likely not respond to individual complaints, but it will go after the worst spammers. Every so often you hear of an arrest, followed by a distinct downturn in the daily worldwide volume of spam.

Whois Database

Anyone registering an Internet domain name is required to file contact information with a domain registry. This is supposed to be public information, and you can use it to find out whether a domain is owned by the company it purports to be and how to contact the owners of a domain whose customers have sent spam mail or with whom you have other concerns.

Finding the registrar for a given domain name can be cumbersome. You can find the registrar information for any .aero, .arpa, .biz, .com, .coop, .edu, .info, .int, .museum, .net, or .org domain via the following web page: www.internic.net/whois.html.

The search results from this page indicate the URL of the whois lookup page for the associated domain registrar. Enter the domain name again on that page, and you should see the contact information.

It’s a bit harder to find the registrar associated with two-letter country code domains ending in, for example, .au, .de, .it, and so on. The InterNIC site recommends searching through www.uwhois.com.

You can find the owner of an IP address (for example, the address from which an email arrived) through a similar lookup at www.arin.net/whois. Enter an IP address to find the owner of the block of IP addresses from which the specific address was allocated. This is usually an ISP or, in some cases, an organization that has had IP addresses assigned to it directly. You might have to visit www.apnic.net or another registry.
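The header tracing mentioned under “Taking Action Against Email Abuse” and the IP lookup described here meet in one question: which address do you actually look up? The following is an added example written for this chapter, not code from the book or from any provider. It assumes a constructed message whose hostnames end in .example and whose addresses come from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24, plus a list of your own provider’s server names. Received headers are added at the top as a message passes each server, so the newest hop is first; the bracketed IP in each line is what that server observed, whereas the host name before it is only what the sender claimed. The example walks down only while the line was written “by” one of your provider’s servers, because lines below that were written on the sender’s side and can say anything; the last trustworthy “from” address is the one to enter at www.arin.net/whois or the relevant regional registry.

```python
"""Find the address that handed a message to my provider (added example)."""
import email
import ipaddress
import re

# Constructed sample message; .example hostnames and documentation IP ranges
# stand in for real ones. The newest Received header is on top.
SAMPLE = """\
Received: from mx.myisp.example (mx.myisp.example [198.51.100.7])
\tby mailbox.myisp.example with ESMTP id 7f3a9c
\tfor <brian@myisp.com>; Tue, 1 Mar 2016 10:00:02 +0000
Received: from smtp.bigbank.example (unknown [203.0.113.45])
\tby mx.myisp.example with SMTP; Tue, 1 Mar 2016 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
\tby smtp.bigbank.example; Tue, 1 Mar 2016 09:59:58 +0000
From: "Account Security" <alerts@bigbank.example>
To: brian@myisp.com
Subject: Please verify your account

Your account has been limited. Click the link to restore access.
"""

# Assumption: my provider's own servers. Only Received lines written "by" these
# are trustworthy; everything below them was added before the message reached us.
MY_SERVERS = {"mailbox.myisp.example", "mx.myisp.example"}

# Addresses that are not reachable from the public Internet and so cannot be
# looked up in a registry: RFC 1918 ranges, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def received_headers(raw):
    """Return the Received header values newest-first, with line folding undone."""
    msg = email.message_from_string(raw)
    return [re.sub(r"\r?\n[ \t]+", " ", h) for h in msg.get_all("Received", [])]


def from_ip(header):
    """The bracketed IP is the peer address the receiving server itself saw;
    the host name before it is merely what the connecting side announced."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
    return m.group(1) if m else None


def by_host(header):
    m = re.search(r"\bby\s+([\w.-]+)", header)
    return m.group(1).lower() if m else None


def is_non_routable(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # regex matched something like 999.1.1.1
        return True
    return any(addr in net for net in NON_ROUTABLE)


def handoff_ip(raw, my_servers=MY_SERVERS):
    """Walk down from the newest hop while the 'by' server is one of mine. The
    'from' IP recorded by the last such hop is the machine that actually
    connected to my provider; that is the address worth looking up."""
    last = None
    for h in received_headers(raw):
        if by_host(h) not in my_servers:
            break                         # from here on, the sender wrote the lines
        ip = from_ip(h)
        if ip is None or is_non_routable(ip):
            continue                      # internal relay inside my provider
        last = ip
    return last


if __name__ == "__main__":
    for h in received_headers(SAMPLE):
        print(f"by {by_host(h):24} saw {from_ip(h)}")
    print("look up in the IP registry (e.g. www.arin.net/whois):", handoff_ip(SAMPLE))
```

In the constructed sample the claimed name smtp.bigbank.example is unverified, but 203.0.113.45 was recorded by your own provider’s server, so that is the address whose owner you would find through the registry lookup described above and the network whose abuse contact would receive the complaint.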
