Let's Go Phishing During an Economic Slowdown!

The U.S. Federal Trade Commission has warned that it is seeing a rapid increase in the number of “phishing” scams related to the recent economic crisis. Last month I wrote briefly about “phishing” scams, but this month I want to give a more detailed explanation to make sure you understand this growing threat.

Criminals are taking advantage of the confusion over recent bank mergers in the United States to send out fake e-mail messages in an attempt to steal your personal information. You've probably heard of phishing scams: fraudulent e-mail messages or fake Websites designed to steal your identity. Scam artists "phish" in an attempt to persuade people to disclose sensitive information.

According to the U.S. Federal Trade Commission, new bank merger scams might say something like this:

“We recently purchased ABC Bank. Due to concerns for the safety and integrity of our new online banking customers, we have issued this warning message... Please follow the link below to renew your account information.”

Or this:

“During our acquisition of XYZ Savings & Loan, we experienced a data breach. We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below to confirm your identity.”

If you click these links, you might be taken to a fake Website built for the purpose of identity theft. In my experience, there are usually signs that give these e-mail messages away as fraudulent, and I describe them below.

However, these on-line predators are not going to use only one method of attack in their “phishing” scams. So I want to acquaint you with phishing scams in general because of their increasing number in this time of economic slowdown.

What is a phishing scam?

Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, other account data and passwords, or other information.

You might see a phishing scam:

  • In e-mail messages, even if they appear to be from a coworker or someone you know.
  • On your social networking Web site.
  • On a fake Web site that accepts donations for charity.
  • On Websites that spoof your familiar sites using slightly different Web addresses, hoping you won't notice.
  • In your instant message program.
  • On your cell phone or other mobile device.

Often phishing scams rely on placing links in e-mail messages, on Websites, or in instant messages that seem to come from a service that you trust.

What does a phishing scam look like?

Phishing e-mail messages take a number of forms.

Phishing mail often includes official-looking logos and other identifying information taken directly from legitimate Websites, and it may include convincing details about your personal information that scammers found on your social networking pages.

The main thing phishing e-mail messages have in common is that they ask for personal data, or direct you to Websites or phone numbers to call where they ask you to provide personal data.

The following is an example of what a phishing scam in an e-mail message might look like.

To make these phishing e-mail messages look even more legitimate, the scam artists may place a link in them that appears to go to the legitimate Website but actually takes you to a phony scam site, or possibly to a pop-up window that looks exactly like the official site.

Here are a few phrases to look for if you think an e-mail message is a phishing scam.

"Verify your account."
Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail message from anyone asking you to update your credit card information, do not respond: this is a phishing scam.

"You have won the lottery."
The lottery scam is a common phishing scam known as advance fee fraud. One of the most common forms of advance fee fraud is a message claiming that you have won a large sum of money, or that someone will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies to make it look legitimate.

"If you don't respond within 48 hours, your account will be closed."
These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing e-mail message might even claim that your response is required because your account might have been compromised.

What does a phishing Website or link look like?

Fake websites are also called spoofed websites. They are designed to look like the legitimate website, sometimes using graphics or fonts from the legitimate website. They might even have a web address that's very similar to the legitimate site you are used to visiting. Once you're at one of these spoofed sites, you might unwittingly send personal information to the con artists. If you enter your login name, password, or other sensitive information, a criminal could use it to steal your identity.

Here is an example of the kind of phrase you might see in an e-mail message that directs you to a phishing website:

"Click the link below to gain access to your account."

HTML-formatted messages can contain links or forms that you can fill out just as you’d fill out a form on a Website. Phishing links that you are urged to click in e-mail messages, on websites, or even in instant messages may contain all or part of a real company’s name and are usually masked, meaning that the address you see in the message is not where the link actually takes you; the real destination is usually an illegitimate website.

Notice in the following example that resting (but not clicking) the mouse pointer on the link reveals the real Web address, as shown in the box. In that example the real address is a bare string of numbers (an IP address) that looks nothing like the company's Web address, which is a suspicious sign.

Con artists also use Web addresses that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters, or by tacking an extra word onto the name. For example, the address "www.microsoft.com" could appear instead as:

www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
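Here is an added example, not code from the original column, of how the link tricks described above can be checked automatically. The Python script below scans the HTML body of an e-mail message and flags a link whose visible text names one site while the address underneath points to another (a masked link), a link that goes to a bare string of numbers instead of a company name, a trusted name buried in the subdomain of some other site, and a domain that differs from a trusted one by an added, missing or transposed letter or by an extra word. The trusted-site list and the sample message are constructed for this example: abcbank.com stands in for the FTC's "ABC Bank", 192.0.2.10 is an address reserved for documentation, and .example is a reserved top-level domain. It uses only the Python standard library.

```python
# Added example, not code from the original column. Standard library only.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sites the reader trusts (hypothetical list; abcbank.com stands in for "ABC Bank").
KNOWN_DOMAINS = ("microsoft.com", "paypal.com", "abcbank.com")

# Constructed sample: three bad links, then one legitimate one (192.0.2.10 and .example are reserved).
SAMPLE_EMAIL = """
<a href="http://192.0.2.10/login">https://www.abcbank.com/login</a>
<a href="http://www.mircosoft.com/verify">Verify your account</a>
<a href="http://www.microsoft.com.account-check.example/">www.microsoft.com</a>
<a href="https://www.microsoft.com/security">Microsoft Security</a>
"""

# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/?#]\S*)?$", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip(host):
    try:
        return ipaddress.ip_address(host.strip("[]")) is not None
    except ValueError:
        return False

def registrable_domain(host):
    """www.microsoft.com -> microsoft.com (last two labels; co.uk-style suffixes are not handled)."""
    host = host.lower().rstrip(".")
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def osa_distance(a, b):
    """Edits (insert, delete, substitute, or swap two adjacent letters) turning a into b."""
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def imitated_domain(host, known=KNOWN_DOMAINS):
    """Trusted domain that `host` passes itself off as, or None: a trusted name buried in a
    subdomain, a brand padded with extra words (verify-microsoft), or a brand within two edits."""
    host = host.lower()
    real = registrable_domain(host)
    if real in known:
        return None
    name = real.split(".")[0]
    for trusted in known:
        brand = trusted.split(".")[0]
        if (("." + trusted + ".") in ("." + host + ".") or brand in name
                or osa_distance(name, brand) <= 2):
            return trusted
    return None

def analyze_links(html, known=KNOWN_DOMAINS):
    """[(href, shown text, reasons)] per link; heuristics only, so expect some false alarms."""
    extractor = LinkExtractor()
    extractor.feed(html)
    results = []
    for href, text in extractor.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or not host:
            results.append((href, text, ["not a web (http/https) link"]))
            continue
        reasons = ["numeric IP address instead of a company domain name"] if is_ip(host) else []
        if URL_LIKE.match(text):  # masked link: compare the address shown with the real one
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append(f"link text shows {shown} but goes to {host}")
        imitated = imitated_domain(host, known)
        if imitated:
            reasons.append(f"{host} passes itself off as {imitated}")
        results.append((href, text, reasons))
    return results

if __name__ == "__main__":
    for href, text, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "| shown as", repr(text), "|", "; ".join(reasons) or "no issues found")
```

Run as a script, it reports the first three sample links (bare IP plus masked text, a transposed-letter look-alike, and a trusted name hidden in someone else's subdomain) and passes the fourth. The domain check deliberately errs on the side of suspicion: a legitimate site that happens to contain a brand name will be flagged too, so a real mail filter would pair these checks with an allow list of the sites you actually use.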

How can I protect myself from phishing scams?

Keep your operating system up to date, and install up-to-date antivirus and antispyware software.

Your first level of defense against phishing scams and other malicious people and software is to secure your computer. Some phishing e-mail carries malicious or unwanted software that can track your activities or simply slow down your computer. We highly recommend using AVG Internet Security 8.0 – Free Edition. It is available for download on our website.

Learning how to spot social engineering techniques is the next step in protecting your computer, and Windows XP and Vista make that easier to do:

  • Internet Explorer 7 has a Phishing Filter built in that scans Websites and alerts users to phishing sites.
  • Windows Vista Parental Controls help prevent children from downloading unwanted software.
  • Windows Defender helps you avoid spyware and other malicious software that can be part of a social engineering scam. Windows Defender comes with Windows Vista. If you use Windows XP SP2, you can download Windows Defender for no charge.
  • User Account Control built into Windows Vista requires your consent before allowing potentially dangerous programs to run. This helps reduce the impact of viruses, spyware, and other threats you might encounter through social engineering.

Internet Explorer 7 and the Microsoft Phishing Filter

Even if you don't use Windows Vista, you should use Internet Explorer 7, which includes the Microsoft Phishing Filter. It helps protect you from Web fraud and personal data theft by warning you about, or blocking, reported phishing Websites. Internet Explorer 7 also gives you another layer of protection when you visit sites that use Extended Validation (EV) SSL certificates: the address bar turns green to show that more information about the Website is available, and the name of the Website owner is displayed in the address bar.

An EV SSL certificate not only helps ensure that your communication with a Website is encrypted and that you are connected to the site named in the certificate; it also includes information about the owner of the Website, whose identity has been verified by the Certification Authority (CA) that issued the certificate. Keep in mind what the green bar does and does not tell you: it confirms who operates the site, not that the site is safe, and a phishing site can still obtain an ordinary SSL certificate, so a padlock alone is no guarantee. Read the owner's name in the bar as carefully as you would read the Web address.