Don’t do it.
Don’t click on links in any e-mail messages you
receive that ask, or demand, that you update credit
card, bank, Social Security, or other financial information
or verify your password at eBay, PayPal, or other e-commerce
Web sites. If you do, in all likelihood you’ll
wind up spending many tedious hours trying to recover
your stolen identity.
You may have heard all this before, but many people
still have not. Identity theft via bogus e-mail links,
or “phishing,” is escalating, with criminals
becoming ever more brazen and sophisticated in their
online schemes to trick people into revealing their
Warn anybody you know who uses a computer about this,
particularly those who may not be as savvy as you.
If you’ve noticed an increase in these assaults
lately, you’re right. The number of phishing attacks
against e-mail users has been doubling every 2 months,
according to the Anti-Phishing Working Group (http://www.antiphishing.org).
People do get scammed. Phishing messages that appear
to be sent by trusted companies dupe 3 percent of the
people who receive them, according to a survey by Gartner,
Inc. Last year, phishing cost U.S. banks and credit
card companies $1.2 billion. These costs are ultimately
passed on to you, the consumer.
The tricksters are getting trickier. One of the newest
scams involves “context-aware” phishing,
according to Markus Jakobsson, a cybersecurity expert
at Indiana University School of Informatics. The e-mail
message makes it seem that it must be legitimate because
of the knowledge about you or your work or personal
relationships that it contains.
The e-mail might seem to come from your boss or a trusted
colleague warning you of a new Internet security threat
involving your specific credit card company or bank
and telling you to go to its Web site to change your
password. Just to be “helpful,” the sender
provides you with a link in the e-mail message.
But if you click on the link, you’ll be taken
to a bogus Web site that looks just like the legitimate
Web site. You thus won’t think twice about typing
in your login name and current password, thereby allowing
the scammer to charge your credit card or empty your
With these as well as more garden-variety phishing
e-mails that appear to come from the company itself,
the most commonly named companies, in order, are Citibank,
eBay, U.S. Bank, and PayPal, according to the Anti-Phishing
Working Group. But customers of other well-known companies
are being targeted too, including AOL, Lloyd’s,
Wells Fargo, and VISA.
Most legitimate businesses (such as the ones mentioned
in the previous paragraph) won’t ask you to verify
your financial information in an e-mail message. (A
few legitimate companies may still do this. They should
Another new phishing scam doesn’t even require
you to click on a link in an e-mail message. It takes
advantage of security vulnerabilities within Windows
to trigger a “script” within the e-mail
message that changes how Microsoft Internet Explorer
reads Web addresses. You think you’re going to
your bank or credit card company’s Web site by
typing in its address or using a “Favorites”
link, but the script insidiously takes you to the scam
All this might make you want to toss your computer
into the nearest toxic waste dump and go back to writing
letters with a quill pen. But it’s easy to protect
First, never—repeat, never—click on a link
in an e-mail message that purports to take you to a
Web site where you store personal financial information.
If you want to update your credit card, banking, or
similar information on the Web, go to your Web browser.
Type in the Web site’s address yourself or use
a Favorites or Bookmarks link that you previously created
Second, keep your antivirus and firewall software up-to-date
(you are using these protections, right?). Norton AntiVirus,
for instance, automatically disables the Windows Scripting
Host, which creates the vulnerability allowing nefarious
scripts within e-mail messages to do their dirty work.
Don’t forget to keep Windows up-to-date as well
with Microsoft’s security patches.
Finally, consider additional software solutions. Browsers
other than Microsoft Internet Explorer are less vulnerable,
as are e-mail programs other than Microsoft Outlook
or Microsoft Outlook Express.
The next version of the e-mail program Eudora Pro (http://www.eudora.com)
will include anti-phishing protections. Opaque (http://www.privacyinc.com)
creates virtual e-mail addresses, protecting your real
e-mail address. SpoofStick (http://www.corestreet.com/spoofstick)
makes it easier to spot a fake Web site if you’re
using Microsoft Internet Explorer or Mozilla Firefox.
Reid Goldsborough is a syndicated columnist and author
of the book Straight Talk About the Information Superhighway.
He can be reached at firstname.lastname@example.org