Don t Get Phished: 10-Minute Tactics to Stay Off the Hook

Don't Get Phished: 10-Minute Tactics to Stay Off the Hook

Phishing is an Internet threat that can be easily avoided with a little common sense and some simple technical know-how. Here are several anti-phishing techniques you can implement in about 10 minutes each.

They Won't Ask, You Don't Tell

Banks and other financial institutions are tuned into phishing scams, so they never ask you to verify your user ID, password, or other personal information via email. If you are in any doubt, call the bank or institution and ask. The best course of action is to communicate with the company directly by phone or in person and delete the email. Never reply to it.

Use Caution and Cut and Paste

If you ever receive an email that asks you to click an included link, the safest thing to do is to cut and paste that link directly into your web browser's address field. This is the best way to avoid being fooled by phishing emails.

Follow these steps to cut and paste a link:

1.	Place your mouse to the left of the link, hold the left mouse button down, and drag to the right so the whole link is highlighted.
2.	Go up to the Edit menu in your email program and choose Copy (using the shortcut key Ctrl+C also works).
3.	Open your web browser. Click in the address field, click the Edit menu, and choose Paste (Ctrl+V also pastes the address).
4.	Click Go to the right of the address field to load the link.

Communicate Securely

You will often have occasion to fill out a form on the web. When you do, be sure that the form is on a secure web page. These web pages use encrypted (scrambled) data. Anybody watching this data as it flows across the Internet sees a stream of nonsense information.

Here's how to check to see if you're on a secure web page:

Caution

Phishers are getting more sophisticated so it won't be long before they implement secure web pages themselves to extend the illusion, but a web page that asks for personal information with an unlocked symbol at the bottom of the browser is a very good indicator that a site is a phake.

The web address of a secure page includes the prefix https ://. Note the s in https://. Insecure sites begin with http://.
When on a secure web page, your web browser displays a closed gold lock in the bottom-right corner of the browser window (see Figure 4.7). I hate to scare you but there is a minor problem with the lock icon. Phishers have been known to create clever emails that disguise the parts of the web browser with an overlay (a digital version of a sticker). They have done this before with the overlay of the address bar that shows a bank's real address masking the fake address underneath. This technique is easy to do over the lock icon, too. The way around it: Move the browser window. The overlay stays in place but the browser window moves.

Figure 4.7. A closed gold lock in the bottom-right hand side of Internet Explorer shows that the web page is secure and data sent from it is encrypted. It's inadvisable to make purchases from any website that isn't encrypted.

Install an Anti-spam Filter

Spam is unsolicited commercial email. It's the Internet equivalent of those letters addressed to Occupant that show up at your door offering furnace cleaning and raccoon removal.

I deal with anti-spam techniques in depth in Chapter 5, "Spam: Unwanted Email from Hell," but it is worth a mention here because spam filters can identify and filter phishing emails.

Of particular note is Cloudmark Desktop, a plug-in program that works with Microsoft Outlook and Microsoft Outlook Express. More than one million SafetyBar users flag email they consider spam with the program. That information is shared on a common server at Cloudmark. SafetyBar works by comparing each email that arrives in your inbox with the Cloudmark database (see Figure 4.8). If an email looks like spam, it's moved to a separate Spam folder in your email program or it's deleted (your choice).

Figure 4.8. Cloudmark Desktop filters email in Outlook by cross-referencing inbound messages against a database of known spam and phishing emails.

The system also has an anti-fraud button with which SafetyBar users can mark phishing emails. These are filtered like spam by the program. And it comes with a plug-in for Internet Explorer. It warns you about unsafe websites as you surf.

Tip

To improve your browser security, I recommend that you install and use the Firefox web browser as much as possible. Although it has had some security problems (that were promptly fixed) in the past, it's much more secure than Microsoft's Internet Explorer web browser. Firefox can be downloaded free from www.mozilla.org and is available for the Mac, PC, and other computer platforms.

The software (available at www.cloudmark.com) is not free, but is definitely worth the $39.95 annual fee.

Block Phishing Sites with NetCraft

A really good freebie program called NetCraft rates the website you are browsing and tells you how trustworthy it is (see Figure 4.9). It also blocks websites that it has identified as phishing sites. I highly recommend you install this program. It can be turned off when you don't need it, and turned on when you encounter a site of which you are unsure. The program comes in versions for both Firefox and Internet Explorer and is available from www.netcraft.com.

Figure 4.9. The NetCraft toolbar blocks a faked SouthTrust banking website, identifying it as a phishing site.

Carry a Big Spoofstick

You can install a free program called Spoofstick as an add-in (often called a plug-in) for your web browser that helps you identify if you're on a bogus website. The program displays the web address you're at in big text at the top of the web browser.

Some Internet crooks use slightly modified web addresses on their bogus sites. So if they faked my website Cyberwalker.com, they might set up a website called Cyberwaalker.com or Cyerwalker.com, two slightly misspelled addresses you might not notice. Spoofstick makes it easier to spot a spoofed website by jacking up the size of the text of the web address (see Figure 4.10).

Figure 4.10. On this faked SouthTrust website, the IP address (displayed in large font by the Spoofstick program) is a good indication that the site is a fake.

A common phishing practice is to send a user to a website using its IP address. A clue to a spoofed site would be the presence of the IP address in the address field of your browser instead of the dotcom name . Spoofstick makes this more obvious, too. Spoofstick is free and available for both Internet Explorer and Firefox from www.corestreet.com/spoofstick/.

Keep Your Antivirus and Anti-Spyware Programs Up-to-Date

Many antivirus programs can detect malicious attachments that arrive via email. This includes Trojan horses and key loggers, two types of malicious software that install programs on your computer that can record your personal data and make it available to crooks via the Internet. So be sure to update your virus signatures by using the program's updater .

Anti-spyware programs, mentioned in Chapter 2, can also spot and block Trojan horses and key loggers.

Keep Your Computer Software Up-to-Date

Ensure that you keep your computer software up-to-date with the latest bug fixes. Both Microsoft and Apple issue regular security fixes via the Internet.

Microsoft issues its security fixes through the website http://windowsupdate.microsoft.com. This is also accessible by clicking the Windows Update icon on your Start menu.

Also check with the maker of your email program to ensure it is up-to-date with the latest security patches.

If you have Windows XP with Service Pack 2 (SP2), updates for your computer are downloaded automatically and you are alerted when they are read to be installed.