My 03/02/08 Missoulian column
Most of us probably have received a phishing e-mail at one time or another – one of those fake e-mails that purports to warn us that our bank account or an account with an online retailer has been “accessed” and needs to be checked right away, or that our account information needs to be updated. With the arrival of tax season, I’ve even received phishing e-mails from the “IRS” offering a tax refund. These e-mails contain links that take you to a hacked Web site that will steal your account information.
According to a leading company that fights phishing, there was a new scheme every three seconds in 2007, and chances are they will pop up more often in 2008. The Department of Homeland Security’s Computer Emergency Readiness Team has even issued warnings and advice about phishing and scam Web sites.
The best phishing defense is common sense – a lot of the time that will protect you from getting hooked – but there also are some software applications that can help you: a good Web browser and an anti-phishing toolbar. (Remember, phishing schemes don’t care if you use Windows or a Mac.)
First, realize that although many of these schemes arrive via your e-mail in-box, you can also come across a phishing site through an Internet search. That’s because hackers exploit ways to get their Web sites to rank high in search results, just as legitimate businesses do, so they can snag victims. Google, Yahoo! and MSN have begun to employ phishing guard systems that warn you of sketchy Web sites in the search window, and that’s helpful.
Another trick phishers use doesn’t involve e-mail or search engines – it’s called “typo-squatting.” They register a Web address that is a common misspelling of a legitimate site, hooking victims who enter addresses incorrectly with a convincing copy of the real Web site. So if a site you arrive at looks a bit “off,” double check the address bar in your browser and retype it carefully. There are thousands of typo-squatting sites out there, waiting for the unaware.
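Software can make the same address-bar check. The sketch below is an added example, not part of the original column: it compares a typed host name against a short list of sites you trust and flags anything one keystroke away from a trusted name. The list and the `.example` names are constructed placeholders.

```python
# Added example: flag host names that are one typo away from a trusted site.
# TRUSTED is a constructed list; the ".example" names are placeholders.
TRUSTED = {"bank.example", "shop.example"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,         # delete a character
                         cur[j - 1] + 1,      # insert a character
                         prev[j - 1] + cost)  # substitute (or match)
            # Two neighbouring letters swapped, e.g. "bnak" for "bank".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def normalize(host):
    """Lower-case the name and drop a trailing dot and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def check_host(host, trusted=TRUSTED, max_distance=1):
    """Return ("trusted", name), ("lookalike", nearest name) or ("unknown", None)."""
    h = normalize(host)
    if h in trusted:
        return ("trusted", h)
    # sorted() keeps the result stable when two trusted names are equally close.
    best = min(sorted(trusted), key=lambda t: osa_distance(h, t))
    if osa_distance(h, best) <= max_distance:
        return ("lookalike", best)
    return ("unknown", None)

if __name__ == "__main__":
    for typed in ["www.Bank.example", "bnak.example", "shopp.example", "news.example"]:
        print(typed, "->", check_host(typed))
```

A check like this only catches near-miss spellings of names already on the list, so it supplements the habit of reading the address bar and does not replace it.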
One of the best anti-phishing tools at your disposal is the Firefox Web browser. On Windows-based computers, Microsoft’s Internet Explorer browser still falls victim to security bugs at least a few times a year. While many are patched, some remain open and are being exploited by hackers as we speak.
Firefox isn’t 100 percent perfect, but because it is open source and many people contribute to the code, security holes generally get fixed faster. A Firefox security bug is fixed in a few days on average, as opposed to IE, where a fix can take months. Firefox is easy to install and will import all of your favorites. If you want to stay with Internet Explorer, the best thing you can do is upgrade to version 7 through Windows Update.
Anti-phishing browser toolbars also are available for IE and for the Windows and Mac versions of Firefox. (Toolbars offer many other features besides the detection of phishing and fraud sites.) Toolbars from Google and EarthLink rank about the highest among the many available, but none detects 100 percent of phishing sites, so don’t abandon your common sense.
The anti-phishing feature on Google’s toolbar – called Safe Browsing – warns you of potential fraud sites. EarthLink’s toolbar is for Windows systems only. In addition to its anti-virus software, McAfee produces SiteAdvisor, which ranks sites during Web searches and warns of potential fraud. It’s a plug-in for Firefox and a toolbar for IE.
If you want to get into the back end of some of this anti-phishing technology, go to PhishTank, which provides data on phishing sites to Yahoo! search and for the Firefox toolbars. At PhishTank, you can check URLs yourself to find out if they belong to phishing sites. Also, the Anti-Phishing Working Group is a global, pan-industrial and law enforcement association working to eliminate fraud with leading high-tech companies as members.
If you want some tools to help you stay away from phishing sites, try Firefox and a toolbar, but don’t abandon your common sense. When in doubt, call your bank or online retailer, or check their e-mail and anti-fraud policies on the Web site by typing in the URL yourself.
Most reputable online services have raised their anti-phishing defenses – they won’t ask you to click on an e-mail link to check your account and have also implemented additional security measures to ensure you’re at the correct site and not a lookalike phishing site.
Follow-up: Have you seen the TV public service announcements about the digital TV changeover? February 2009 isn’t that far away. Go to www.dtv2009.gov for more information or call the 24-hour hot line, 1-888-DTV-2009.
Next week: More social engineering scams.