Avoiding Phishing Schemes

Personal information is valuable. Some people want to get yours and other people’s through fraudulent means for their own financial gain. They try to trick you into disclosing your information by sending an e-mail message or directing you to a Web site that you think you ought to trust. They disguise their criminal intent by imitating recognizable names and brands. In other words, they go “phishing” with the hope that they’ll catch something-your password or PIN, along with your bank account or credit card number, or just your name and phone number, which are all good places to start if you’re trying to steal another person’s identity. Once criminals have information like this, they might be able to obtain a loan in your name, transfer money from your account to theirs, charge your credit card, and the like.

There are many types of phishing schemes. (For an up-to-date report on phishing schemes that authorities have uncovered, visit the Anti-Phishing Working Group Web site at www.antiphishing.org/phishing_archive.html.) Here are some examples of typical schemes and how you can avoid them:

• Never reply to e-mail messages that request your personal information. Most legitimate businesses have a policy whereby they do not ask you for your personal information through e-mail. Don’t trust a message that asks for personal information even if it appears legitimate. Wording in phishing e-mail messages is usually polite and accommodating. It encourages you to respond to the message or to click the link that is included in the message, often in language that tries to create a sense of urgency. Usually, spoofed e-mail messages are not personalized, though valid messages from your bank or e-commerce company generally are.

  It’s a good rule to never send personal information in regular e-mail messages. Regular e-mail messages are not encrypted. They are plain text that can easily be read. If you have to send an e-mail message that contains information about a personal transaction, use Outlook to digitally sign and encrypt the message. A number of popular e-mail providers and programs support encryption, including MSN, Microsoft Hotmail, Outlook Express, Outlook Web Access, Lotus Notes, Netscape, and Eudora.

• Many phishing schemes ask you to open attachments that can then infect your computer with a virus or spyware. If spyware is downloaded and installed on your computer, it can record the keystrokes that you use to log on to your personal accounts. Any attachment that you want to view should be saved first and then scanned with an up-to-date antivirus program. Outlook blocks attachments of certain file types that can spread viruses. If it detects a suspicious message, attachments of any file type in the message are blocked.

• Do not copy and paste URLs from messages into your browser. It is always best to type a Web address or URL that you know is correct into your browser. Also, you can save the correct URL to your browser’s Favorites list. Some of the techniques that criminals have used to forge links are as follows:

  • Link masks, in which the link you see does not take you to the address that you think it will, but somewhere else, usually a spoofed Web site.

  • A homograph, which is a word with the same spelling as another word but with a different meaning. In computers, a homograph attack is a Web address that looks like a familiar Web address but is actually altered. In more sophisticated homograph attacks, the Web address looks exactly like that of a legitimate Web site.

• Do business only with companies that you know and trust. A business Web site should always have a privacy statement that specifically states that the business won’t pass on your name and information to other people.

• Review your order confirmations and credit card and bank statements as soon as you receive them to make sure that you are being charged only for transactions you made. Report any irregularities in your accounts.

• Use credit cards for transactions on the Internet. Your personal liability in case someone compromises your credit card is significantly limited. By contrast, if you use direct debit from your bank account or a debit card, your personal liability frequently is the full balance of your bank account. In addition, a credit card with a small credit limit is preferable for use on the Internet because it limits the amount of money that a thief can steal in case the card is compromised. Better yet, several major credit card issuers offer customers the option of shopping online with credit card numbers that expire within one or two months.

By default, the 2007 Office release displays security alerts when you click a link in a document to a Web site with an address that has a potentially spoofed domain name or when you open a file from a Web site with an address that has a potentially spoofed domain name. The option appears on the Privacy Options page of the Trust Center, which is shown in Figure 3–12. When you see an alert, you can then choose whether to continue to visit the Web site. Unless you know the site is for real, it’s probably best to click No.

Figure 3–12: By default Microsoft Office notifies you when it suspects a possible phishing attack. The option is listed at the bottom of the Privacy Options list.