
Don’t Let Phishers Hook You

February 27, 2008 by Mark Ratledge

My 2/27/08 Missoulian column

In Montana, fishing involves luring trout with dry flies in the summer or jigging in winter with tackle and bait. On the Internet, phishers consider you to be the catch, and you might not recognize them for what they are.

Botnets and scammers send out spam messages 24/7, trying to bait recipients into opening an attached file that will install malware that runs invisibly on PCs.

But not all spam contains Trojan horses or spyware, or links to them; some appears to be genuine e-mail from your financial institution or an online store. These messages urge you to check your account or confirm your account information, playing on your fears by saying the account has been “accessed” by someone else and will be locked if you don’t take action. These e-mails are phishing scams, and the point is to get you to click on a link to an impostor Web site that will steal your information.

Every year, thousands of people get hooked and lose money and their personal information. According to the New York Times, “More than 3.5 million U.S. adults lost money to phishing scams and online identity theft in the 12-month period that ended in August (2007) a 57 percent increase over the previous year.”

“Social engineering” is the buzzword for the trick behind these high-tech confidence scams, an old craft in the new world of the Internet. It’s easier and takes less time for scammers to trick you into giving away your account information than it is to learn how to really hack a system.

If you click on a link in a phishing e-mail you are taken to a copy of the genuine site that has been downloaded and moved to another server – usually outside of legal jurisdiction – and changed for nefarious purposes. The nature of the Web makes it easy to copy a site and put it on another server in another country where the laws are lax. (There’s even a hacker kit that makes putting a phishing site together point-and-click easy.)

The fake Web site code is changed so any information entered doesn’t go to the bank but to the hackers. It’s bad enough if they get your account or credit card number, but some phish for enough information to steal your identity: your Social Security number, full name, date of birth, mother’s maiden name, etc. Some phishing sites also use security certificates, so they appear to be secure – with an “https” prefix on the URL – but, of course, that means nothing if the entire site is fake.

One giveaway to a phishing site can be the Web address. Advanced phishers use tricks to hide fake URLs, so check the address; if there’s anything in front of the “www” in the standard URL form – www.mybank.com – you should be suspicious.
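The address check described above, written out as an added example (this is not code from the column; “www.mybank.com”, the sample links and the IP addresses are constructed placeholders):

```python
from urllib.parse import urlsplit

# Hostname the genuine site uses; 'www.mybank.com' is the column's placeholder.
GENUINE_HOST = "www.mybank.com"


def check_link(url: str, genuine: str = GENUINE_HOST) -> str:
    """Return 'ok' or a reason why a link from an e-mail looks like phishing.

    Applies the column's rule of thumb: the browser connects to the host part
    of the URL, and anything placed in front of the expected 'www.mybank.com'
    form, or a host that merely contains that name inside someone else's
    domain, means the link does not actually go to the bank.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased

    # 'http://www.mybank.com@203.0.113.9/' connects to 203.0.113.9; the text
    # before '@' is only a login name that the server ignores.
    if parts.username is not None:
        return "suspect: text before '@' is not the host, real host is " + host

    # The scheme is deliberately not checked: as the column notes, a
    # certificate on a fake site proves nothing about who runs it.
    if host == genuine:
        return "ok"
    if host.endswith("." + genuine):
        return "suspect: something in front of " + genuine + ": " + host
    if genuine in host:
        return "suspect: " + genuine + " is embedded in another domain: " + host
    return "suspect: host " + host + " is not " + genuine


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing e-mail might carry.
    for link in ("https://www.mybank.com/login",
                 "http://www.mybank.com@203.0.113.9/login",
                 "http://www.mybank.com.evil.example/login",
                 "http://secure.www.mybank.com/",
                 "http://203.0.113.9/mybank/"):
        print(link, "->", check_link(link))
```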

I like to investigate the phishing e-mails I get – don’t try this at home, kids – and if you know how, you can check the URL or the IP number of the phishing site (without downloading malware) with Whois, a phone book-like directory, and discover where the Internet provider is located.

Most IPs from phishing e-mails I have gotten have been from providers in Russia and South America. I’ve gotten a few that took me to a copy of part of the Internal Revenue Service’s Web site. The fake e-mail promised a refund on my taxes, and the phishing site had the IRS graphics and style copied exactly, but it had spelling and grammar mistakes, the IP was from South Korea and the Web site code revealed the hackers’ e-mail address there.

How do legitimate Web sites fight back? Most financial institutions and popular online sites – such as PayPal and eBay – by policy won’t send you an e-mail concerning your account with a link to their site. They may send an e-mail, but it will require that you go to a site you’ve already bookmarked, type the URL directly into your browser or call the company directly. If in doubt about the e-mail policies of your bank, check with it.

The safest way to go to your bank’s site is to type in the URL yourself, then bookmark the login page. Many bank sites have tried to mitigate phishing risks with features like personalized “site keys” and multiple captchas – images of squiggly letters and/or numbers that you must enter on the site – but according to a security firm consulted in the New York Times article, many financial institutions are asleep at the wheel.

You need to protect yourself from being hooked, so use common sense and don’t click on e-mail links that ask you to check your account or verify your banking information – they are phishing for you.

Next week: Anti-phishing tools that help uncover scams.

More on last week’s subject: When you run Windows under a limited user account, you can set your anti-virus and Windows updates to run automatically in the administrative account while you use a lower-level account for day-to-day work. That way your system gets updated without you having to log back into the administrative account.
