Phishing Is So Very Fishy
A week doesn’t go by now that I don’t receive a fishy email. An email that appears to be from my email service or bank that carries an anxiety inducing message. Now that it’s tax time I even got an email that looked like it came from the IRS! These are all phishing scams.
Merriam-Webster’s definition of phishing: a scam by which an email user is duped into revealing personal or confidential information which the scammer can use illicitly.
A month ago I received a phone call from Switzerland. It was a student of mine. I don’t want to reveal his identity, so let’s call him Barnaby. Barnaby uses Yahoo as his web-based e-mail service. He went to the expense of making an international call to me because he could no longer access his e-mail account and suspected he knew why, but wanted my advice. It all started with an e-mail he opened that looked like it was from Yahoo much like the one below.
Geez. Looks serious, doesn’t it? I know I don’t want to be “blacklisted” and I certainly don’t want my email account closed. Well, the real problem is that Yahoo did NOT send this e-mail.
This is a “phishing” e-mail. (You can see a couple more examples of phishing e-mails on p.255 in “Is This Thing On?”.) Much like fishing, with an “f” not “ph”, the person who sent the above e-mail is trolling to see if he (or she) can fool anyone into clicking on “Sign-in Verification.” If you click through, the next page asks you to type your screen name and password. Unfortunately, once you’ve done that you haven’t verified your email account for security – you will instead have revealed your password to the scammer.
You may not be able to tell the difference between what you might normally fill out, when on a website, and a phishing scam – except for one very important detail…YOUR E-MAIL SERVICE OR BANK WILL NEVER ASK YOU TO CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. Let me say that again. YOUR E-MAIL SERVICE OR BANK WILL NEVER ASK YOU TO CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. So, no matter how familiar or scary an e-mail may look, DO NOT EVER CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL.
Unfortunately, Barnaby did just that. He typed in his e-mail address and his password. The next time he went to sign into his account he wasn’t able to access his e-mail. Within a few hours an e-mail was sent from Barnaby’s hijacked Yahoo account, written by the “phisher”, to everyone in the address book. The e-mail, appearing to come from Barnaby, stated that he, while traveling, had been robbed and was stranded without his wallet. It asked the recipient(s) to please send money using Western Union. Now I know you’re saying, “Who would fall for that?” Truth be told, many could. And each phishing e-mail is different – one more compelling than the other.
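The red flags in the e-mail described above (a “Sign-in Verification” link that leads somewhere other than the service the message claims to come from, a request to confirm your password, and pressure about being blacklisted or having the account closed) can be checked mechanically before anyone clicks. The Python script below is an added illustration for this post, not code from the post or from Yahoo; the two e-mails inside it are constructed samples modelled on the one described above, and the link domains in them are placeholders.

```python
"""Flag the phishing red flags described in the post in a raw e-mail.

Added example (not from the original post). Standard library only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that asks the reader to hand over a password via the e-mail or a link in it.
CREDENTIAL_PHRASES = ("confirm your password", "verify your password",
                      "enter your password", "sign-in verification")
# Wording meant to rush the reader (the "blacklisted" / account-closure pressure).
URGENCY_PHRASES = ("blacklisted", "will be closed", "within 24 hours", "suspended")

# Constructed sample modelled on the Yahoo look-alike described in the post.
# The link host is a placeholder, not a real phishing domain.
SAMPLE_PHISH = """\
From: Yahoo! Mail <account-services@yahoo.com>
To: barnaby@yahoo.com
Subject: Your account will be closed - Sign-in Verification required
Content-Type: text/html

<html><body>
<p>Your account has been flagged and will be <b>blacklisted</b> within 24 hours.</p>
<p>Please complete <a href="http://yahoo-account-verify.example.net/login">Sign-in Verification</a>
to confirm your password and keep your account open.</p>
</body></html>
"""

# Constructed benign sample: the link stays on the sender's own domain and
# nothing asks for a password.
SAMPLE_LEGIT = """\
From: Yahoo! Mail <newsletter@yahoo.com>
To: barnaby@yahoo.com
Subject: Your weekly summary
Content-Type: text/html

<html><body>
<p>Here is what happened in your inbox this week.</p>
<p><a href="https://mail.yahoo.com/settings">Manage your preferences</a></p>
</body></html>
"""


class _HtmlCollector(HTMLParser):
    """Collects (href, anchor text) pairs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _same_site(host, domain):
    """True if host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze(raw_message):
    """Return the claimed sender domain, a list of findings and a verdict."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    body = msg.get_payload(decode=True) or b""
    collector = _HtmlCollector()
    collector.feed(body.decode("utf-8", "replace"))
    visible = re.sub(r"\s+", " ",
                     msg.get("Subject", "") + " " + "".join(collector.text)).lower()

    findings = []
    for href, anchor in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host and sender_domain and not _same_site(host, sender_domain):
            findings.append(f"link '{anchor}' goes to {host}, not to {sender_domain}")
    for phrase in CREDENTIAL_PHRASES:
        if phrase in visible:
            findings.append(f"asks for credentials: '{phrase}'")
    for phrase in URGENCY_PHRASES:
        if phrase in visible:
            findings.append(f"pressure wording: '{phrase}'")

    asks_for_password = any(f.startswith("asks for credentials") for f in findings)
    off_site_link = any(f.startswith("link ") for f in findings)
    return {"sender_domain": sender_domain, "findings": findings,
            "suspicious": asks_for_password or off_site_link}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = analyze(sample)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Two caveats on the design: the “From” line is trivially forged, so the link check only tells you whether a message is internally consistent with the service it claims to be from, not that it really came from there; and a scammer can simply avoid the listed phrases. The rule stated in this post is the stronger defense: a message that asks you to confirm a password through a link is suspect no matter what any checker says.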
Your first line of defense is to NEVER CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. (I promise I won’t say it again. You get the point.) If you discover that you’ve unwittingly succumbed to a phishing scam, here are some resources at your disposal:
The U.S. Computer Emergency Readiness Team: http://www.us-cert.gov/nav/report_phishing.html
Here are some hard-to-find phone numbers. As the e-mail services listed below are free, they have no obligation to offer tech support, but they should respond to your e-mail account being hijacked by a phisher.
Microsoft Hotmail: 800-642-7676
One last note and then on to more pleasant topics in the next post… You can imagine a phishing scammer’s glee when they discover that your e-mail password is the same as your bank PIN. Your bank password should be used exclusively for the bank and not for anything else. Click here for a printable guide to Choosing Safe and Memorable Passwords.
Be sure to visit Chapter 16, Practical Precautions – Secure your identity and your computer, in “Is This Thing On?”.
Other technology safety resources: