
11/25/2004 Archived Entry: "More on "phishing" scams"

More on "phishing" scams. A resource I've just discovered is the Anti-Phishing Working Group, which also publishes descriptions of recent attacks, advice on how to avoid them, and advice on what to do if you fell for a scam. Also, the MailFrontier Phishing IQ Test is worth taking if you have broadband access for the many images. (I did rather poorly on the test because, in my impatience, I simply marked them all as "phishing." Some of them are legitimate promotions.)

The Washington Post just ran a good series of articles (Part 1, Part 2, Part 3) on phishing scams. They're not so much "how to detect phishing" articles as "here's what's happened to others" cautionary tales. But they describe the kinds of data you shouldn't give out, and a few new scams that I hadn't heard of.

For instance, some scammers are now setting up web pages that look like perfectly respectable e-shops, complete with privacy policies and secure shopping baskets, but advertising really remarkable deals on their products. Then they wait for bargain hunters to find their site and place an order, with their credit cards, of course. The goods never arrive, but the credit card info is spread far and wide.

For this reason, if I'm buying online from a stranger -- even a respectable-looking business -- I insist on paying by PayPal. Sure, a con artist can scam me for the price of one purchase, taking my money through PayPal and sending me nothing -- but he doesn't get my credit card data, he can't run up additional charges, and he can't steal my identity. I'm glad to see that more online merchants are accepting PayPal. (Even better are purchases through eBay auctions and eBay merchants, where you can check a seller's reputation, and you may get "Buyer's Protection".)

Here are some other precautions we've taken.

1. We have a single credit card designated for all of our on-line shopping. This limits our risk, and simplifies our monthly scrutiny of our bills. And, if for any reason that card gets compromised, we can cancel it and still have a functioning credit card.

2. I use my "private" email address for all on-line accounts. Long-time readers will recall that I have private and public email addresses; the public ones are the only ones that appear on web pages or newsgroups...so these are the ones that the scam-bots scoop up. When I get an email purporting to be from PayPal at one of my "public" addresses, I know instantly it's a scam.

3. I never use "mother's maiden name" as a "test question" when registering at a web site. Many sites allow you to provide a test question that they can ask, to establish your identity when you lose your password. Unfortunately this particular question is used by banks and credit card companies. So -- as you can see in the Washington Post articles -- phishers like to ask for this information if they can steer you to their web page. When I find a page that asks for this, I know it's a scam.

4. Except for eBay purchases (as noted above), I buy only from on-line merchants whose reputation I know from "off-line." I might buy on-line from Sears or Wal-Mart (although as I said, I'm becoming steadily more reluctant to use credit cards on-line). But I won't buy from "Ralph's Camera Mart" if I've only seen their web page.

5. I never, never, never click on an email's HTML link to go to a banking, credit card, or shopping site. Never.
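Precaution 2 can be turned into a mechanical mail-filter rule: a message that claims to come from an account-holding brand but was delivered to a "public" address never registered with that brand is flagged. The Python below is an added example, not code from the original post; the brand list, addresses and sample messages are constructed for illustration.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed for this example: brands that only ever write to the "private" address.
ACCOUNT_BRANDS = {"paypal", "ebay", "bank"}

# Constructed sample messages: one phish sent to a public address, one genuine receipt.
PHISH = """From: "PayPal Security" <service@paypa1-verify.example>
To: brad-public@example.org
Subject: Verify your account

Click here to confirm your details.
"""
LEGIT = """From: service@paypal.example
To: brad-private@example.net
Subject: Receipt for your payment

Thanks for your purchase.
"""
PRIVATE_ADDRESSES = {"brad-private@example.net"}


def sender_claims_brand(msg, brands=ACCOUNT_BRANDS):
    """True if the From: display name or sender domain mentions one of the brands."""
    name, addr = parseaddr(msg.get("From", ""))
    haystack = (name + " " + addr.split("@")[-1]).lower()
    return any(brand in haystack for brand in brands)


def recipients(msg):
    """All addresses found in To: and Cc:, lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def flag_brand_mail_to_public_address(raw_message, private_addresses):
    """Return a reason string when a message claiming to be from an account brand
    reached only public addresses (precaution 2), or None when it looks consistent."""
    msg = email.message_from_string(raw_message)
    if not sender_claims_brand(msg):
        return None
    rcpts = recipients(msg)
    private = {a.lower() for a in private_addresses}
    if rcpts and rcpts.isdisjoint(private):
        return "brand mail delivered to a public address: " + ", ".join(sorted(rcpts))
    return None


if __name__ == "__main__":
    print(flag_brand_mail_to_public_address(PHISH, PRIVATE_ADDRESSES))
    print(flag_brand_mail_to_public_address(LEGIT, PRIVATE_ADDRESSES))
```

The rule is deliberately narrow: it does not judge the sender domain or links, only the mismatch between the claimed brand and the address it wrote to, so it complements rather than replaces a Bayesian filter.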

Phishing attacks are on the rise...I think this will be the biggest email problem of the new year. Even though I'm training my Bayesian spam filter to recognize them, enough get through that only intelligent and suspicious reading can protect from their clever "social engineering" attacks. So read up and learn to spot them before it's too late.

brad
