Don’t do it.
Don’t click on links in any e-mail messages you receive that ask, or demand, that you update credit card, bank, Social Security, or other financial information or verify your password at eBay, PayPal, or other e-commerce Web sites. If you do, in all likelihood you’ll wind up spending many tedious hours trying to recover your stolen identity.
You may have heard all this before, but many people still have not. Identity theft via bogus e-mail links, or “phishing,” is escalating, with criminals becoming ever more brazen and sophisticated in their online schemes to trick people into revealing their personal information.
Warn anybody you know who uses a computer about this, particularly those who may not be as savvy as you.
If you’ve noticed an increase in these assaults lately, you’re right. The number of phishing attacks against e-mail users has been doubling every 2 months, according to the Anti-Phishing Working Group (http://www.antiphishing.org).
People do get scammed. Phishing messages that appear to be sent by trusted companies dupe 3 percent of the people who receive them, according to a survey by Gartner, Inc. Last year, phishing cost U.S. banks and credit card companies $1.2 billion. These costs are ultimately passed on to you, the consumer.
The tricksters are getting trickier. One of the newest scams involves “context-aware” phishing, according to Markus Jakobsson, a cybersecurity expert at Indiana University School of Informatics. The e-mail message seems as if it must be legitimate because it contains knowledge about you, your work, or your personal relationships.
The e-mail might seem to come from your boss or a trusted colleague warning you of a new Internet security threat involving your specific credit card company or bank and telling you to go to its Web site to change your password. Just to be “helpful,” the sender provides you with a link in the e-mail message.
But if you click on the link, you’ll be taken to a bogus Web site that looks just like the legitimate Web site. You thus won’t think twice about typing in your login name and current password, thereby allowing the scammer to charge your credit card or empty your bank account.
In these, as well as in more garden-variety phishing e-mails that appear to come from the company itself, the most commonly named companies are, in order, Citibank, eBay, U.S. Bank, and PayPal, according to the Anti-Phishing Working Group. But customers of other well-known companies are being targeted too, including AOL, Lloyd’s, Wells Fargo, and VISA.
Most legitimate businesses (such as the ones mentioned in the previous paragraph) won’t ask you to verify your financial information in an e-mail message. (A few legitimate companies may still do this. They should stop.)
Another new phishing scam doesn’t even require you to click on a link in an e-mail message. It takes advantage of security vulnerabilities within Windows to trigger a “script” within the e-mail message that changes how Microsoft Internet Explorer reads Web addresses. You think you’re going to your bank or credit card company’s Web site by typing in its address or using a “Favorites” link, but the script insidiously takes you to the scam site.
All this might make you want to toss your computer into the nearest toxic waste dump and go back to writing letters with a quill pen. But it’s easy to protect yourself.
First, never—repeat, never—click on a link in an e-mail message that purports to take you to a Web site where you store personal financial information.
If you want to update your credit card, banking, or similar information on the Web, go to your Web browser. Type in the Web site’s address yourself or use a Favorites or Bookmarks link that you previously created yourself.
Second, keep your antivirus and firewall software up-to-date (you are using these protections, right?). Norton AntiVirus, for instance, automatically disables the Windows Scripting Host, which creates the vulnerability allowing nefarious scripts within e-mail messages to do their dirty work. Don’t forget to keep Windows up-to-date as well with Microsoft’s security patches.
Finally, consider additional software solutions. Browsers other than Microsoft Internet Explorer are less vulnerable, as are e-mail programs other than Microsoft Outlook or Microsoft Outlook Express.
The next version of the e-mail program Eudora Pro (http://www.eudora.com) will include anti-phishing protections. Opaque (http://www.privacyinc.com) creates virtual e-mail addresses, protecting your real e-mail address. SpoofStick (http://www.corestreet.com/spoofstick) makes it easier to spot a fake Web site if you’re using Microsoft Internet Explorer or Mozilla Firefox.