PHISHING

No institution or vendor will ever contact you by e-mail regarding personal information or account information, except in response to something you have initiated. Assume that every unsolicited request is fraudulent.
This was written by long-time industry observer David Coursey for eWeek on May 6, 2005. Phishing is the most serious computer-related problem facing us in 2005. If you make a mistake, the consequences go far beyond a broken computer. Please be careful out there!
How to Protect Yourself from Phishing and Identity Theft

Identity theft and fraud are perhaps the two most serious problems facing the Internet. Direct economic losses in the U.S. totaled over $574 million in 2004, according to the Federal Trade Commission. If not curbed, these crimes have the potential to make the Internet so untrustworthy that electronic commerce might slow considerably.
All the good things we've come to appreciate about the Internet are in danger of being taken away from us by international criminals. And technology is only a partial solution to protecting Internet users. The social engineering techniques many of these attacks rely on can fool anyone except vigilant, educated users who refuse to hand personal information to a scam. But the growing sophistication of identity theft scams demands a response from vendors, financial institutions and law enforcement agencies alike.
It can be a perplexing problem. As Microsoft's Jim Allchin told me recently at WinHEC about the phishing threat, "If someone wants to click on a link, can we stop them?"
Viruses, hackers and spyware can be fought with technology. But how can any program help someone who's decided to click on a link that appears to be a message from their bank—but really isn't?
While e-mail and Web sites can be authenticated to help deal with the phishing problem, wide adoption of that technology—or even a consensus on which authentication standards to use—has yet to be achieved. In the meantime, our best defense may be educating people (who should also be protected by the latest anti-virus, anti-spyware, firewall and privacy protection software, of course).
I am writing this column for people who e-mail me for advice on how to deal with phishing and identity theft issues. Please feel free to forward it to anyone who might benefit. You are welcome to print it, quote from it, link to it—anything that will help get the word out. All I ask is a credit for eWEEK.com.
I recently spoke with John Norman, who works for a company called the Advanced Systems Group, a Denver-based systems integrator. He did an excellent presentation during an eSeminar I moderated last month that dealt with phishing and identity theft.
"Fraud and identity theft are not new," Norman told the virtual attendees. "But the Internet is making it accessible to more criminals." He cited Federal Trade Commission statistics showing that 635,000 complaints were received from victims of ID theft and fraud during 2004. The average consumer spends 28 hours resolving an identity theft case, the FTC said.
For the eSeminar, Norman prepared the following list of things users should do to prevent becoming a victim of online crime. I've added a few of my own items to Norman's list.

- Be wary of e-mail! Never click on any link to a bank, eBay or any other merchant. Instead, open a browser (not just a new window) and type in the URL yourself. When in doubt, call the institution using the number listed in the phone book, not one provided in the e-mail or link.
- Nobody needs to verify your passwords. Ever.
- Practice good computer hygiene. Don't click on attachments. Run both anti-virus and anti-spyware applications. Firewall and privacy protection software are also a good idea. Update this software, as well as your operating system, on a regular basis.
- If asked to call someone, use the listed telephone number and ask for that person's extension. Criminals often give scam telephone numbers to intended victims.
- Consider the single-use credit cards available from Visa, American Express and other institutions.
- Only provide personal information when you initiate the transaction and never when someone requests it, whether online or over the telephone.
- If a resident of Texas or California, consider a credit freeze. Order credit reports yearly and review them carefully. These are often available for free. Visit http://www.privacy.ca.gov for information.
- Watch credit card and bank statements for small withdrawals. These are sometimes used to take small amounts of money that customers don't consider worth reporting. But 10 cents a month from 100,000 accounts really adds up.
- Encrypt it or shred it. Use a cross-cut shredder (it makes confetti, not long strips, which are too easily reassembled) or burn documents containing personal information. Do not store PINs on your computer; lock them up or encrypt them.
- Don't provide or offer unnecessary information. Ask yourself, "Why do these people need my information?"
- Lying is OK. At least in some circumstances—for instance, questionnaires that require an answer. Make something up. A friend of mine has both a real birthday and a fake one that she usually gives out.
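The first item on the list rests on one fact: the text you see in a link and the address the link actually goes to are two different things, and a phishing message exploits the gap. The following script is an added example, not part of Coursey's column or Norman's presentation. It parses a constructed HTML e-mail body (the hostnames and addresses in it are made up) and reports the usual tricks a practitioner looks for before trusting a link: a displayed URL whose host differs from the href host, a raw IP address as host, a "bank.example@evil.example" userinfo trick, a punycode (xn--) lookalike host, and plain http on a page that wants credentials.

```python
"""Inspect the links in an HTML e-mail body before anyone clicks them.

Added example (not from the original column). Stdlib only; the sample
message below is constructed, and every hostname in it is fictitious.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample phishing e-mail body. Only the last link is honest.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://192.0.2.10/login">https://www.examplebank.com/login</a><br>
<a href="https://www.examplebank.com@evil.example/verify">Secure sign in</a><br>
<a href="https://xn--exmplebank-2xb.com/">www.examplebank.com</a><br>
<a href="https://www.examplebank.com/">https://www.examplebank.com/</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return a list of warning strings for one link; empty means nothing odd."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append(f"not https: {parts.scheme or 'no scheme'}")
    if _is_ip(host):
        warnings.append(f"raw IP address as host: {host}")
    if parts.username is not None:  # https://www.bank.example@evil.example/
        warnings.append(f"user@host trick: '{parts.username}' is not the host, {host} is")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append(f"punycode (IDN) host: {host}")
    # If the visible text itself looks like a URL or hostname, its host must
    # match the real destination; anything else is a classic phishing tell.
    shown = ""
    if "://" in text:
        shown = text
    elif re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/.*)?", text, re.I):
        shown = "https://" + text
    if shown:
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            warnings.append(f"displayed host {shown_host} != actual host {host}")
    return warnings


def scan_email(html):
    """Return {href: [warnings]} for every link in the message that looks suspicious."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        warnings = check_link(href, text)
        if warnings:
            findings[href] = warnings
    return findings


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for w in warnings:
            print("   ", w)
```

Run it on a saved message (`python check_links.py < message.html` after swapping `SAMPLE_EMAIL` for `sys.stdin.read()`) and the honest link is the only one that comes back clean. None of these checks replaces the advice above: a link that passes all of them can still be a phish, which is why typing the address yourself is the rule and this is only a triage aid.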
If you follow these tips, you will avoid many of the scams and traps that criminals create to gather personal information they then turn into cash. You will also help protect yourself against any accidental release of information, as well as unscrupulous marketers and other lower life forms.
In thinking about online crime, it's useful to remember the Internet's Cold War roots. Designed to survive a nuclear attack that took out portions of the network infrastructure, the Internet was not designed to prevent hacking and identity theft. When access to the Internet was limited, crime wasn't a problem. But when the network was opened to literally the entire world, it also took on the world's problems, including criminal activities that the network was ill-prepared to thwart.
Meanwhile, the criminals are becoming ever more sophisticated. And this is where no amount of user education may help.
In a worst-case scenario, criminals hijack the Internet's name servers or users' desktops and redirect users to faked sites when they type in correct Internet addresses for banks or other institutions. Such attacks could be difficult or impossible for victims to recognize and will require technological solutions, both at the Internet client and infrastructure level.
If this type of attack, which is undetectable until it's too late, were to become widespread, the potential damage to electronic commerce might mirror what the attacks of September 11 did to other parts of the world economy. This potential damage is what's driving the global search for Internet weaknesses that can be fixed before it's too late.
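The desktop half of the scenario above is the one an ordinary user can actually check. On Windows, macOS and Linux the hosts file is consulted before DNS, so one added line sends a correctly typed bank address to an attacker's server (this mechanism is an assumption about how the "hijacked desktop" case is carried out; the column does not name it). The script below is an added example, not part of the column. It audits a constructed hosts file (addresses and hostnames are fictitious) and flags any hostname mapped to something other than a loopback or unspecified address, with a louder flag for institutions on a watch list you supply.

```python
"""Audit a hosts file for pharming-style overrides.

Added example (not from the original column). The sample file is
constructed; replace it with the contents of /etc/hosts or
C:\\Windows\\System32\\drivers\\etc\\hosts to audit a real machine.
"""
import ipaddress

# Constructed sample. The first three lines are what a clean system normally
# contains; the remaining lines are the kind of entries malware adds.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example   # user-added ad block, harmless
192.0.2.44      www.examplebank.com   online.examplebank.com
192.0.2.44      www.auction-site.example
203.0.113.9     update.some-vendor.example
"""

# Domains whose redirection is an emergency rather than a curiosity.
WATCHED_DOMAINS = {"examplebank.com", "auction-site.example"}


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            yield addr, name.lower()


def _is_local(addr):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed address: let the caller flag it
    return ip.is_loopback or ip.is_unspecified


def _watched(name, watched):
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return a list of (severity, address, hostname) findings.

    'critical' = a watched institution's hostname is redirected;
    'warning'  = any other hostname points somewhere other than loopback.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if _is_local(addr):
            continue
        severity = "critical" if _watched(name, watched) else "warning"
        findings.append((severity, addr, name))
    return findings


if __name__ == "__main__":
    for sev, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{sev.upper():8} {name} -> {addr}")
```

A clean hosts file yields no findings at all; anything mapping a hostname to a routable address deserves an explanation, and a bank's name pointing anywhere is grounds to stop using that machine for banking until it has been cleaned. This catches only the desktop variant: a hijacked name server upstream leaves the hosts file untouched, which is the case the column says needs infrastructure-level fixes.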
Here are some links you may find useful: There are many other security-related Web seminars on our site as well. Visit Ziff Davis eSeminars to sign up for the next eSeminar or view previous eSeminars.
I know most of us long ago understood how to deal with phishing, but there are still many people who take the bait. It's up to us to help them avoid becoming victims. By doing so, we protect the Internet as a vehicle for electronic commerce.