Hack 37. Don't Get Reeled In by Phishers
Watch out the next time your bank, eBay, or PayPal sends you an email asking for account information; it might be a scammer on a "phishing" expedition that will send you to a web site to steal your account information. Here's what you can do to make sure you don't become the catch of the day.
Of all the obnoxious scams circulating on the Internet, the worst might be phishing attacks, in which you're sent a spoofed email that appears to be from a bank, eBay, PayPal, or other financial institution. Often, the email address appears to be a valid email address, and the email includes the institution's logo and looks exactly like any other email you might get from it. Many of the links in the email will lead to the real site as well.
The email tells you that you need to log into your account for some reasonperhaps to verify your personal informationalthough often, you're told you need to log in because the institution's fraud-detection team has found suspicious activity in your account and needs you to provide information about it.
These emails can be exceedingly convincing. For example, the email shown in Figure 4-14 looks real, but in fact, it isn't from PayPal. If you click the link at the bottom of the message, you'll be sent to a site that looks like PayPal.
Figure 4-14. A phishing email, made to look like a message from PayPal
The site shown in Figure 4-15 looks just like the regular PayPal site. With such fraudulent sites, the design and logo will be the same, and in some instances, even the URL will look authentic.
Figure 4-15. A spoofed version of the PayPal site
But the site is a fraud. When you log in, the phisher steals your username and password. Then he can empty the bank account associated with your PayPal account or use that information in identity theft to open up new accounts and take out new credit cards in your name.
How effective are phishing attacks? According to the antiphishing organization Anti-Phishing Working Group (http://www.antiphishing.org), up to five percent of people who get phishing emails are fooled into giving out their private information.
The problem is only getting worse. The Anti-Phishing Working Group says phishing expeditions are increasing at a rate of 50% per month. The research firm Gartner estimates that 57 million people in the U.S. have received a phishing email. And according to the Truste web site, $500 million was lost in 2003 alone due to phishing attacks.
Increasingly, phishing attacks aren't conducted by lone individuals. Instead, they are tied to organized crime. In November 2004, for example, a suspected member of the Russian mob was arrested for allegedly participating in phishing fraud.
4.7.1. What You Can Do About It
Phishing attacks are scary stuff, but you don't have to be victimized. In fact, there are several things you can do to make sure you never get reeled in.
A small window will pop up in the middle of your browser, telling you the actual web site you're visiting, as shown in Figure 4-16. Examine the URL, and you'll see whether you're really visiting the site you think you're visiting. If the address in the window doesn't match what you see in your browser, get thee somewhere else because it's a phishing attack.
As shown in Figure 4-17, this pop-up window includes the real URL of the site you're visiting, as well as the URL displayed in the address bar.
Of course, it's unlikely that you're going to memorize either piece of code and have it on hand every time you visit a web site you worry might be a spoof. So, there's a simpler solution. You can get a nifty, free add-in that will report to you on the real URL of the site you're visiting.
SpoofStick (http://www.corestreet.com/spoofstick) is a free add-in to both Internet Explorer and Firefox that detects phishing attacks. It installs as a toolbar in either browser, so you can turn it on and off when you want. When you're on a site and you're not sure whether the site is a spoof, turn on the SpoofStick toolbar by choosing View Toolbars SpoofStick in either browser. The SpoofStick toolbar will appear, as shown in Figure 4-18, displaying the site's real URL. If the site is a spoof, leave it as quickly as you can; you're about to be victimized by a phishing scam.
Figure 4-18. SpoofStick's evidence of a phishing scam
You can customize the size and color of the "You're On" message by clicking the Options button, choosing Configure SpoofStick, choosing the size (small, medium, or large) and color of the message, and clicking OK.
To turn off the toolbar, choose View Toolbars SpoofStick.
EarthLink, a popular Internet Service Provider (ISP), also offers a free antiphishing toolbar, though it works only with Internet Explorer, not Firefox. Head to http://www.earthlink.net/home/tools and download and install the EarthLink Toolbar. Whenever you visit a site that might be fraudulent, you'll be redirected away from the phishing site and instead sent to the web page shown in Figure 4-19.
Figure 4-19. EarthLink Toolbar's ScamBlocker
If you want to live dangerously by visiting the site even after receiving this warning, click the button at the bottom of the page that reads "Continue to this potentially dangerous or fraudulent site." Even if you click, you won't be sent there unless you also turn off the toolbar's ScamBlocker feature (click the ScamBlocker button so that it turns red).
Which toolbar should you use? I prefer SpoofStick. EarthLink's toolbar works by checking to see whether the site you're visiting is on a list it has of potential spoof sites. And if you're one of the first potential victims and the site hasn't yet been added to the list, you'll be allowed through, but you'll think you're safe.
Of course, the paranoid among us might prefer to use both.
4.7.2. Hacking the Hack
The tools in this hack will go a long way toward making sure you're never the victim of a phishing scam. But you should also take these precautions as well:
To help protect others and set the law enforcement dogs on the phishers, forward the email to the Anti-Phishing Working Group at email@example.com, send a copy to the Federal Trade Commission at firstname.lastname@example.org, and file a complaint with the FBI's Internet Fraud Complaint Center at http://www.ifccfbi.gov.
4.7.3. See Also