A Post from Abby's Blog
Phishing Is So Very Fishy
In my last post I promised to continue with more social networking websites (Facebook, My Space, LinkedIn, etc.), but a phishing scam almost netted a second student of mine, and I want to take the time to explain how you can defend yourself.
The moral of the story that follows may be the most important piece of advice I ever offer you. If you take it to heart, you may avoid losing access to your e-mail account, keep the privacy of your saved e-mails intact, and thwart a false request for money that appears to come FROM YOU to everyone in your e-mail address book. So, please, read on carefully and take heed.
A month ago I received a phone call from Switzerland. It was a student of mine. I don't want to reveal his identity, so let's call him Barnaby. Barnaby uses Hotmail as his web-based e-mail service. He went to the expense of making an international call to me because he could no longer access his e-mail account and suspected he knew why, but wanted my advice. It all started with an e-mail he opened that looked like it was from Hotmail, much like the one seen below that appears to be from AOL (received by a different student of mine this week).
Geez. Looks serious, doesn't it? And, if AOL were my e-mail service, I certainly would want to take "urgent and immediate action" to "fix the problem." The real problem is that AOL did NOT send this e-mail, just as Hotmail did not send the e-mail that Barnaby received and responded to.
Both are "phishing" e-mails. (For an example of a bank phishing e-mail, see p. 224 in "Is This Thing On?") Much like fishing, with an "f" rather than a "ph", the person who sent the above e-mail is trolling to see whether he (or she) can fool anyone into clicking "Click here to follow to the nextpage." If you click through, the next page asks you to type your screen name and password. It's all very tricky because the form asking for the screen name and password, seen below, looks exactly like the AOL sign-in window. It looks identical because the scammer simply copied AOL's page; the one thing the scammer cannot copy is AOL's real web address, so the address bar in your browser is the place to look.
You may not be able to tell the difference between what you would normally fill out on a website and a phishing scam, except for one very important detail...YOUR E-MAIL SERVICE OR BANK WILL NEVER ASK YOU TO CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. Let me say that again. YOUR E-MAIL SERVICE OR BANK WILL NEVER ASK YOU TO CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. So, no matter how familiar an e-mail may look, DO NOT EVER CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL.
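The tell in an e-mail like the one above is where the "Click here" link actually goes, which is what your mail program shows when you hover over it. The following Python script, added here as an illustration and not something from Abby's blog or from AOL, does that hover check automatically: it pulls every link out of an e-mail and flags any whose web address is not on a domain belonging to the service the e-mail claims to be from, plus any link that is not a web address at all (for instance a "reply with your password" mailto link) or that is not served over https. The sample e-mail, the list of legitimate domains, and the look-alike host name in it are all constructed for the example.

```python
"""Flag links in an e-mail that do not go where the e-mail says they go.

Added example: the sample message and the domain table below are
constructed for illustration, not taken from a real phishing e-mail.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical) list of domains a real sign-in link for each
# service would live on. A real deployment would maintain this carefully.
LEGIT_DOMAINS = {
    "aol": {"aol.com"},
    "hotmail": {"hotmail.com", "live.com", "msn.com", "microsoft.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML e-mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_matches(host, domains):
    """True only if host IS one of the domains or a subdomain of one.

    'aol.com.account-verify.example' ends with 'example', not 'aol.com',
    so the common look-alike trick of putting the brand first is rejected.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def suspicious_links(html, claimed_service):
    """Return (href, link text, reason) for each link you should not trust."""
    parser = LinkExtractor()
    parser.feed(html)
    legit = LEGIT_DOMAINS[claimed_service]
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https"):
            findings.append((href, text, "not a web link (%s:)" % url.scheme))
        elif not host_matches(host, legit):
            findings.append((href, text, "points to %s, not a %s domain" % (host, claimed_service)))
        elif url.scheme != "https":
            findings.append((href, text, "plain http; a real sign-in page uses https"))
    return findings


# Constructed sample modelled on the kind of message described in the post.
SAMPLE_PHISH = """
<p>Dear AOL Member,</p>
<p>Your account requires urgent and immediate action. Please
<a href="http://aol.com.account-verify.example/signin">Click here to follow
to the next page</a> and confirm your screen name and password, or
<a href="mailto:verify@aol-support.example">reply to this message</a>.</p>
<p><a href="https://help.aol.com/">AOL Help</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_PHISH, "aol"):
        print("SUSPICIOUS: %-32s -> %s (%s)" % (text, href, reason))
```

Run it and the two dangerous links are reported while the genuine help link passes. The host check is deliberately strict: a brand name anywhere in the address is not enough, it has to be the last part of the host name, because that is the only part the scammer does not control.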
Unfortunately, Barnaby did just that. He typed in his e-mail address and his password. The next time he went to sign into his account, he wasn't able to access his e-mail. Within a few hours an e-mail was sent from Barnaby's hijacked Hotmail account, written by the "phisher", to everyone in the address book. The e-mail, appearing to come from Barnaby, stated that he had been robbed while traveling and was stranded without his wallet. It asked the recipient(s) to please send money using Western Union. Now I know you're saying, "Who would fall for that?" Truth be told, many could. And each phishing e-mail is different, one more compelling than the other.
Your first line of defense is to NEVER CONFIRM YOUR PASSWORD IN AN E-MAIL OR THROUGH A LINK IN AN E-MAIL. (I promise I won't say it again. You get the point.) If you discover that you've unwittingly succumbed to a phishing scam, here are some resources at your disposal:
The U.S. Computer Emergency Readiness Team: http://www.us-cert.gov/nav/report_phishing.html
Here are some hard-to-find phone numbers. Because the e-mail services listed below are free, they have no obligation to offer tech support, but they should respond to your e-mail account being hijacked by a phisher.
AOL (Screen Name/Password): 888-265-8004
Yahoo: 866-562-7219 or 866-458-8744
Microsoft Hotmail: 800-936-5700 or 800-426-9400
One last note, and then on to more pleasant topics in the next post...You can imagine a phishing scammer's glee on discovering that your e-mail password is the same as your bank PIN. Your bank password should be used exclusively for the bank and for nothing else. Keep in mind, too, that the "I forgot my password" links on most other websites send a reset message to your e-mail address, so whoever controls your e-mail account can reach those accounts as well. (Review the basics of choosing a password on p. 220 in "Is This Thing On?")
P.S. To AOL's credit, if you receive the e-mail above now and click through, the next page is a warning that it's a phishing e-mail. A speedy response in shutting down these scam e-mails is everything.