Don't Get Phished: 10-Minute Tactics to Stay Off the Hook
Phishing is an Internet threat that can be easily avoided with a little common sense and some simple technical know-how. Here are several anti-phishing techniques you can implement in about 10 minutes each.
They Won't Ask, You Don't Tell
Banks and other financial institutions are tuned into phishing scams, so they never ask you to verify your user ID, password, or other personal information via email. If you are in any doubt, call the bank or institution and ask. The best course of action is to communicate with the company directly by phone or in person and delete the email. Never reply to it.
Use Caution and Cut and Paste
If you ever receive an email that asks you to click an included link, the safest thing to do is to cut and paste that link directly into your web browser's address field. This is the best way to avoid being fooled by phishing emails.
Follow these steps to cut and paste a link:
You will often have occasion to fill out a form on the web. When you do, be sure that the form is on a secure web page. These web pages use encrypted (scrambled) data. Anybody watching this data as it flows across the Internet sees a stream of nonsense information.
Here's how to check to see if you're on a secure web page:
Install an Anti-spam Filter
Spam is unsolicited commercial email. It's the Internet equivalent of those letters addressed to Occupant that show up at your door offering furnace cleaning and raccoon removal.
I deal with anti-spam techniques in depth in Chapter 5, "Spam: Unwanted Email from Hell," but it is worth a mention here because spam filters can identify and filter phishing emails.
Of particular note is Cloudmark Desktop, a plug-in program that works with Microsoft Outlook and Microsoft Outlook Express. More than one million SafetyBar users flag email they consider spam with the program. That information is shared on a common server at Cloudmark. SafetyBar works by comparing each email that arrives in your inbox with the Cloudmark database (see Figure 4.8). If an email looks like spam, it's moved to a separate Spam folder in your email program or it's deleted (your choice).
Figure 4.8. Cloudmark Desktop filters email in Outlook by cross-referencing inbound messages against a database of known spam and phishing emails.
The system also has an anti-fraud button with which SafetyBar users can mark phishing emails. These are filtered like spam by the program. And it comes with a plug-in for Internet Explorer. It warns you about unsafe websites as you surf.
The software (available at www.cloudmark.com) is not free, but is definitely worth the $39.95 annual fee.
Block Phishing Sites with NetCraft
A really good freebie program called NetCraft rates the website you are browsing and tells you how trustworthy it is (see Figure 4.9). It also blocks websites that it has identified as phishing sites. I highly recommend you install this program. It can be turned off when you don't need it, and turned on when you encounter a site of which you are unsure. The program comes in versions for both Firefox and Internet Explorer and is available from www.netcraft.com.
Figure 4.9. The NetCraft toolbar blocks a faked SouthTrust banking website, identifying it as a phishing site.
Carry a Big Spoofstick
You can install a free program called Spoofstick as an add-in (often called a plug-in) for your web browser that helps you identify if you're on a bogus website. The program displays the web address you're at in big text at the top of the web browser.
Some Internet crooks use slightly modified web addresses on their bogus sites. So if they faked my website Cyberwalker.com, they might set up a website called Cyberwaalker.com or Cyerwalker.com, two slightly misspelled addresses you might not notice. Spoofstick makes it easier to spot a spoofed website by jacking up the size of the text of the web address (see Figure 4.10).
Figure 4.10. On this faked SouthTrust website, the IP address (displayed in large font by the Spoofstick program) is a good indication that the site is a fake.
A common phishing practice is to send a user to a website using its numeric IP address rather than a domain name. A clue to a spoofed site is the presence of an IP address (such as four numbers separated by dots) in the address field of your browser instead of the dot-com name. Spoofstick makes this more obvious, too. Spoofstick is free and available for both Internet Explorer and Firefox from www.corestreet.com/spoofstick/.
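The checks described in this chapter (pasting a link yourself rather than trusting the text you are shown, confirming a form is on an https page, spotting a slightly misspelled domain, and spotting a raw IP address in the address bar) can be automated. The script below is an added example for this edition; it is not Cloudmark, NetCraft or Spoofstick code, and the list of trusted domains, the sample email body and the two-character misspelling threshold are assumptions chosen for illustration. It reads the links out of an HTML email and reports each warning a careful reader would raise by hand.

```python
import ipaddress
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hypothetical list of domains the reader actually does business with.
TRUSTED_DOMAINS = ["cyberwalker.com", "southtrust.com"]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.cyberwalker.com' -> 'cyberwalker.com'.
    Simplified on purpose; it does not know suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_host(host: str) -> bool:
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the trusted domain this host is a near-misspelling of, if any."""
    dom = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        if dom != trusted and edit_distance(dom, trusted) <= 2:
            return trusted
    return None


def inspect_url(url: str) -> List[str]:
    """Return warning strings for one URL; an empty list means nothing looked off."""
    warnings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        warnings.append("not https: form data would travel unencrypted")
    if is_ip_host(host):
        warnings.append("host is a raw IP address instead of a domain name")
    else:
        trusted = lookalike_of(host)
        if trusted:
            warnings.append("'%s' looks like a misspelling of '%s'" % (host, trusted))
    return warnings


class _LinkCollector(HTMLParser):
    """Collects (href, visible link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_email_links(html: str) -> Dict[str, List[str]]:
    """Map each href in the email to its warnings, including a visible-text mismatch."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        warnings = inspect_url(href)
        # Only compare when the visible text itself looks like a web address.
        shown = urlparse(text if "://" in text else "http://" + text).hostname if "." in text else None
        real = urlparse(href).hostname
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            warnings.append("link text shows '%s' but points at '%s'" % (shown, real))
        report[href] = warnings
    return report


# Constructed sample email body for this example, not a real phishing message.
SAMPLE_EMAIL = """
<p>Please verify your account at
<a href="http://192.0.2.10/login">https://www.southtrust.com/login</a></p>
<p>Or visit <a href="https://www.cyberwaalker.com/">Cyberwalker</a></p>
<p>Newsletter archive: <a href="https://www.cyberwalker.com/news">www.cyberwalker.com/news</a></p>
"""

if __name__ == "__main__":
    for href, warns in inspect_email_links(SAMPLE_EMAIL).items():
        print(href, "->", warns or ["no warnings"])
```

Run as-is, the first link earns three warnings (plain http, a raw IP host, and visible text that names a different site than the href), the second earns one (a one-letter misspelling of a trusted domain), and the genuine newsletter link earns none. The domain comparison is deliberately crude; it is the automated form of the "read the address bar slowly" habit, not a replacement for a toolbar that consults a live blocklist.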
Keep Your Antivirus and Anti-Spyware Programs Up-to-Date
Many antivirus programs can detect malicious attachments that arrive via email. This includes Trojan horses and key loggers, two types of malicious software that install programs on your computer to record your personal data and make it available to crooks via the Internet. So be sure to update your virus signatures by using the program's updater.
Anti-spyware programs, mentioned in Chapter 2, can also spot and block Trojan horses and key loggers.
Keep Your Computer Software Up-to-Date
Ensure that you keep your computer software up-to-date with the latest bug fixes. Both Microsoft and Apple issue regular security fixes via the Internet.
Microsoft issues its security fixes through the website http://windowsupdate.microsoft.com. This is also accessible by clicking the Windows Update icon on your Start menu.
Also check with the maker of your email program to ensure it is up-to-date with the latest security patches.
If you have Windows XP with Service Pack 2 (SP2), updates for your computer are downloaded automatically and you are alerted when they are ready to be installed.