Sunday, 03 July 2011

How to Avoid Phishing Scams



That's phishing, as in strange, bogus e-mail messages. We've all seen them: we get some e-mail message from a bank we've never done business with, or maybe from eBay or PayPal or some financial institution, with a dire warning. It says something to the effect of "Your account may have been compromised", or maybe "Someone tried unauthorized access", or maybe even "We seem to have lost your ID and password", and then "Please, in the next 24 hours, you must log in and verify your information, and if you don't, your account may be suspended". And conveniently, there is a link for you to click so you can go and give them the information they want.

Phishing seems to be replacing spam as the e-mail scourge of the Internet. I'd like to tell you how to recognize these sorts of scams, and what to do and what not to do when you receive them. First of all, about 99.9% of messages like these are scams and you can safely delete them, especially messages that look like they came from a bank where you've never even had an account. I often get these messages with return addresses pointing to banks with which I've never done business, carrying notices like "Please log in and confirm your accounts". These are obviously nonsense.

But what about a message that looks like it came from a bank where you have made deposits? These scammers' goal is identity theft: they want to steal your identity so that they can steal your money, or steal other people's money and make it look as though you're the one who's done it. Is it any coincidence that the banks most commonly spoofed in these messages are the large ones, such as Bank of America, Citibank, and so on? They have the most depositors, the biggest target area.

But here are a few things that you should recognize when you get some of these. Number one: the Web address. You should know the address of any bank where you do business. If you buy and sell on eBay, or if you use PayPal to send or receive money, you should know what the address is. For example, PayPal's legitimate address is www.paypal.com. If you see anything like BillingPayPal.com or SignInPayPal.com, you know that it's a scam. Also, look at the first part of the address, especially if it's a bank. The first part of the address shouldn't simply be http://; it should be https:// -- that S stands for secure. That's not something that you can fake.

When you get a link to click in an e-mail like that, just do not click it. Any legitimate bank knows what it's doing and will not put links in its e-mails for you to click. Once a month I get a notice from my bank saying that my statement is available for viewing online, but they just tell me to go to their Web site -- which means that I can either type the address manually in the browser's address bar or click it in my favorites list. Many banks will tell you that if you receive a message that looks like it's from them and it has a link, that means it's a spoof.

Now here's the scary part. Even if you manually type the address of some financial institution, it could still be fake! The way the spammers do it is to plant a Trojan horse on your machine that redirects which Web address goes to which server. There is a system called DNS (Domain Name System). It allows friendly names like www.eBay.com to connect to the actual server address, which is really just a string of numbers. But nobody wants to remember long strings of numbers, so DNS is there so you don't have to think about them. It's kind of like an automatic dialer on a telephone.

If a Trojan that changes the DNS addresses gets planted on your machine, then when you type in what is a real address, you can be redirected to the server of one of these criminals. It's not even so much that you type it in; they're expecting that you'll click on their link. For Windows users, there's a file on your system in your Windows folder called Hosts (no file extension). You might want to look at this file and check whether it has been modified recently. It's a text file, so you can open it in Notepad (select Start/Run, or press Windows key + R, type notepad, then press Enter) to see if anything funny is in there, redirecting the address of a bank to an IP address. If you see that, just delete that line from the file. By the way, any of the lines in that Hosts file that begin with a # are comments, and you don't have to worry about them.
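The check described above, done in code rather than by eye, as an added example that is not part of the original post. It parses hosts-file syntax (including the # comments the post mentions) and reports any line that points a watched financial hostname at a non-loopback address. The hosts content is constructed for the demonstration, and the watchlist of domains is an assumed list that you would replace with the institutions you actually use.

```python
"""Audit a hosts file for entries that point financial hostnames at
attacker-chosen IP addresses.

Added example, not code from the original post. SAMPLE_HOSTS is constructed;
WATCHED_DOMAINS is an assumed watchlist.
"""
import ipaddress

# Constructed sample of a hosts file. Lines 5 and 6 are the kind of tampering
# the post describes: a bank's name pointed at some other server. The last
# line is a legitimate local entry that should not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.paypal.com
203.0.113.45    www.bankofamerica.com  # "cdn" (trailing comment)
192.168.1.20    intranet.example
"""

# Assumed watchlist: names that an end-user machine should never resolve via a
# local hosts entry. The name itself or any subdomain of it is matched.
WATCHED_DOMAINS = ("paypal.com", "ebay.com", "citibank.com",
                   "bankofamerica.com")

LOOPBACK = (ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1"))


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each non-comment entry.

    A '#' starts a comment anywhere on the line, as resolvers treat it;
    blank lines and lines that do not start with an IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; leave it for a human to look at
        yield line_no, ip, [h.lower() for h in fields[1:]]


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, ip) for watched names mapped to a real IP.

    Loopback mappings are ignored: pointing a name at 127.0.0.1 blocks it,
    which some security tools do on purpose. Only entries that would send
    the browser to a different server are reported.
    """
    hits = []
    for line_no, ip, hostnames in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        for host in hostnames:
            if any(host == d or host.endswith("." + d) for d in watched):
                hits.append((line_no, host, str(ip)))
    return hits


if __name__ == "__main__":
    for line_no, host, ip in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}  (remove this line)")
```

To run it against a real machine, read the file the post refers to instead of SAMPLE_HOSTS; on current Windows versions it lives under the System32\drivers\etc folder rather than directly in the Windows folder, and on Unix-like systems at /etc/hosts. Suffix matching on a dot boundary is deliberate: a plain substring test would also flag unrelated names that merely contain a bank's name.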

So when you go to the Web site of a financial institution, how do you know if it's real or not? One thing you should immediately look for in the lower right corner of your browser -- Firefox or Internet Explorer or any other -- is a little padlock icon, and it should be in the locked position. And this is something that cannot be faked. That icon should be on the status bar; if it's on the Web page itself, it's meaningless. Anybody with a basic knowledge of creating Web pages can put all sorts of padlocks and security-looking graphics on a site, but in the status bar of the browser, it's another story.

And here's one other problem with links in an e-mail. It's very easy to type the name of a financial institution and link it to something else: for example, the text could say www.citicorp.com, but when you click it, it goes to some scammer's Web site. (Here's an example of a bogus link that goes to our own site: www.WrongAddress.com.) So you always want to check what you're looking at in the address bar of your browser. Also look at the end of the address bar. There'll be a little padlock icon, just like on the status bar, and that's something that a scammer cannot forge.
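The three address checks the post describes (the link text saying one site while the link goes to another, addresses that merely contain a bank's name such as SignInPayPal.com, and a bank reached over plain http:// instead of https://) can be run mechanically over an HTML message. The following is an added example, not code from the original post: the message is constructed, and TRUSTED_DOMAINS is an assumed allowlist of the institutions the reader actually uses.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example, not code from the original post. SAMPLE_HTML is constructed;
TRUSTED_DOMAINS is an assumed allowlist.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of registrable domains the reader banks with.
TRUSTED_DOMAINS = ("paypal.com", "citicorp.com")

# Constructed message in the style the post describes.
SAMPLE_HTML = """
<p>Dear valued customer,</p>
<p>Please <a href="http://signinpaypal.com/verify">log in to www.paypal.com</a>
within 24 hours.</p>
<p>Or visit <a href="https://www.paypal.com.account-check.example/">PayPal</a>.</p>
<p>Statement: <a href="https://www.citicorp.com/statements">www.citicorp.com</a></p>
<p>Help: <a href="http://www.citicorp.com/help">www.citicorp.com</a></p>
"""

# Something that looks like a hostname inside the visible link text.
HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it.

    Matching on a dot boundary rejects both 'signinpaypal.com' and
    'www.paypal.com.evil.example', which a substring test would accept.
    """
    return host == domain or host.endswith("." + domain)


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) for each link that looks wrong."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target = (parsed.hostname or "").lower()

        # 1. Visible text names one host, the link goes to another.
        shown = HOSTNAME_RE.search(text.lower())
        if shown:
            shown_host = shown.group(0)
            if not (belongs_to(target, shown_host) or belongs_to(shown_host, target)):
                findings.append((href, f"text says {shown_host} but link goes to {target or '?'}"))

        is_trusted = any(belongs_to(target, d) for d in trusted)
        if not is_trusted:
            # 2. Host contains a bank's name but is not that bank's domain.
            brand = next((d.split(".")[0] for d in trusted if d.split(".")[0] in target), None)
            if brand:
                findings.append((href, f"{target} imitates {brand} but is not a trusted domain"))
        elif parsed.scheme != "https":
            # 3. A real bank reached without the S the post talks about.
            findings.append((href, f"{target} reached over {parsed.scheme}, not https"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_HTML):
        print(f"{href}: {reason}")
```

The link to www.paypal.com.account-check.example is the case worth studying: the address begins with the bank's real name, which is exactly what a quick glance at the address bar would check, yet the host is whatever comes last, so only a suffix match against the allowlist catches it.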

Also look at the content of the message. If the message says something like "Dear depositor" or "Dear valued customer" rather than your name, that's probably a giveaway that it's not authentic.

Also look at the quality of the writing. A lot of these scams come from overseas, where the authors do not speak English as their native language, so there are often spelling and grammatical errors. You might think, "Hey, I'm not the best speller in the world and I make grammar mistakes all the time." But banks that send e-mails to their customers don't send them from just some guy or gal sitting at a desk, mailing 10 million depositors from a personal Outlook account. Banks have people whose full-time job it is to read, write and edit these messages, and they will catch spelling and grammar mistakes before the e-mails go out. What amazes me is that the scammers don't even think to press F7 to do a spell check -- if English is not their native language, why would they not use a spell checker? I saw one the other day that looked almost real. It was supposedly from my bank, but they had the word "useful" spelled with two l's, so I knew it wasn't real.

Also consider what they're saying and how they're saying it. If it's a breathless message with a false sense of urgency, you know they're trying to get you to click that link and type in your information before you have a chance to hit the Delete key. A real bank will not give you that sort of breathless warning, like you might get from some of these bogus virus warning messages.

Some of the scammers have found that they can use publicly available databases, such as Yahoo or Google searches, where they can actually find your address, and I've gotten some that refer to me by name and even give my home address. At first I wondered how these guys knew who I am and where I live, and then I realized that all it takes is a simple Web search. So even if it doesn't say "Dear customer" or "Dear depositor", and instead refers to you by name or by address, it is still very possibly a scam.

Some thieves will tell you that there's been some change on your account and they want to verify it. It is possible that you recently changed your password, or maybe you did buy or sell something on eBay, or you did something else online. Maybe you used your credit card number, and it just so happens that you get an e-mail about that particular bank or credit card, and you want to see if the thing is legitimate. Maybe you don't even consider that it's a scam, because you've done something recently. Besides the fact that you still should not click a link like that in an e-mail, when you're on the site, look at what information they are asking for.

A regular bank will simply ask for user ID and password, but some of these will ask for all sorts of information -- not only ID and password, but your mother's maiden name, your Social Security number or your bank routing number. Any page that asks you for information like that is not legitimate, and one that asks for all of it at once is certainly not real.

Keep in mind that when you get one of these messages that says, "Sorry, but we lost your information..." banks do not lose your information. You and I may have lost information here and there, but we're just regular people doing other things. Banks have full-time professional security people whose job it is to make sure that customer information is not lost, and if anything is accidentally deleted, they have backups, and backups of backups at secure data centers and sitting under a mountain somewhere (maybe here). So your bank will never tell you "Sorry we lost your ID and password". That simply isn't going to happen.

Because phishing attacks are becoming so common and increasing so much, some technical help is on the way. Internet Explorer 7.0, which is due out soon, will have some anti-phishing features, such as a little green light on pages that are safe. Firefox, made by the Mozilla foundation, will also have some security features in future versions. Microsoft Outlook, and Safari and Entourage on the Mac, will also have some features that help. For example, links in e-mail messages are disabled by default, though this is a little silly, because it defeats a large purpose of the Internet (then again, the average person doesn't e-mail links to credit card sites and banks). But even when these features are available and active, they are there to help you -- don't rely on them as crutches.

So beware and be vigilant and understand what it is that you're receiving by e-mail, and don't assume that just because an e-mail looks like it comes from a trusted source or financial organization, it really does. It's very easy to spoof the From field or the Reply-To field in an e-mail message. Anybody with the most basic knowledge of e-mail software like Outlook could make that spoof. So have fun, be safe and we'll see ya' next time.
