I got an e-mail from Bank One the other day asking me to resubmit my user name and password for security reasons. My account, it seems, could be canceled if I didn’t do this.
This struck me as odd for a couple of different reasons: 1) I don’t have an account at Bank One, and 2) Even if I did, I’d like to believe that my account couldn’t be wiped out Great Depression-style in these more enlightened days of FDIC.
A couple of days later, I got not one but three different e-mails from eBay. “If the account information is not updated to current information within 5 days,” I was warned, “your access to bid or buy on eBay will be restricted.” Hmmm. eBay’s running a pretty slipshod shop if they constantly need to verify things like this, no?
Both of these e-mails (which, by the way, looked completely authentic, with logos and legitimate-looking hyperlinks) are examples of phishing. “Phishing,” which is pronounced “fishing” but uses the “ph” because it looks more cyberpunk, is a form of Internet fraud designed to get personal information (bank account numbers, Social Security numbers, credit card numbers, user names and passwords, etc.).
Also called “spoofing,” the e-mails look completely legitimate, but the links in the message don’t match where they say they’re going. For instance, the above eBay message had a link that said it would go to “://www.ebay.com/ accounts,” when in reality it goes to “://184.108.40.206/~web/ebay,” which isn’t an eBay site at all, but is actually in Milton, Queensland, Australia. (If you’re technically minded, you can look at the source code of any HTML mailing and see for yourself where it’s actually going.)
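Checking that mismatch mechanically, as an added example that is not part of the column: the script below parses an HTML mailing with Python’s standard library, collects every link, and flags anchors whose visible text names a different host than the real href, or whose real destination is a bare IP address rather than a domain. The sample message and its hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample modelled on the messages the column describes; the hosts and
# paths are made up (203.0.113.0/24 and example.net are reserved for documentation).
SAMPLE_EMAIL = """<p>Update your account within 5 days or access will be restricted.</p>
<a href="http://203.0.113.7/~web/ebay">http://www.ebay.com/accounts</a>
<a href="http://login.example.net/bankone">www.bankone.com</a>
<a href="http://www.ebay.com/help">Help Center</a>"""

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in an HTML mailing.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL or bare domain (e.g. 'www.ebay.com/accounts'), else None."""
    try:
        host = urlsplit(text if "://" in text else "http://" + text).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None

def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_suspicious_links(html):
    """Return (href, text, reason) for each anchor that lies about its destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real, shown = host_of(href), host_of(text)
        if real and is_ip_address(real):
            findings.append((href, text, "destination is a bare IP address, not a domain"))
        elif real and shown and shown != real:  # any host difference, even a subdomain, is flagged
            findings.append((href, text, "visible URL does not match real destination"))
    return findings
```

A plain-text link such as “Help Center” has no host to compare, so it is only checked for an IP destination; anything flagged deserves the same suspicion the column gives the eBay message.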
The Anti-Phishing Working Group (APWG), located at www.antiphishing.org, is an industry association that monitors and fights this kind of fraud. According to the APWG, about 5 percent of recipients respond to these ploys, which accounts for a lot of identity theft.
The APWG also maintains an archive of examples of phishing attacks submitted by users. Bank One, eBay, Citibank, Paypal, Earthlink and many others are typical fronts that phishers use. The subject lines in the e-mails are usually along the lines of “Confirm your account information,” “Billing Error,” “Your account will be suspended” and the like. (One of the newer ones has America Online saying “Notice: Your account will be suspended!,” which might not be such a bad thing, what with AOL being evil and all.)
The Federal Trade Commission has offered tips on avoiding this type of scam in “How Not to Get Hooked by a ‘Phishing’ Scam” (search for “phishing” at www.ftc.gov). Sure, it’s the obvious pun, but it’s still got some good information, such as:
• Don’t give personal or financial information out just because you get an e-mail. Legitimate companies don’t ask for such things. Think about it: Do you really think your Visa bill would disappear just because of a computer glitch? They make backups for that kind of thing.
• Review your credit card and bank statements as soon as you get them. You’re the best person to know if you’ve been to the Bahamas lately or have bought a huge amount of stuff at Victoria’s Secret.
• Be careful when you get e-mail attachments — even if you know the person who sent it, they might have been scammed, too.
• Keep your anti-virus and anti-adware software up to date. These can keep you from getting some phishing messages in the first place and minimize the damage should you respond (which, as said before, is something you really shouldn’t do).
• Report suspicious activity to the FTC. You pay your taxes, so you might as well use the government for something.
OK, so you’re savvy and would never fall for a scam like this, right? You can test your phishing IQ at survey.mailfrontier.com/survey/quiztest.html. The test gives you 10 actual e-mails received by people and asks you the question: “If you received one of these e-mails in your inbox — what would you do?”
It’s trickier than it looks. I scored a nine out of 10, and that was after doing all the research above.
I’d like to think I’m an optimistic, glass-is-half-full kind of guy. Just because I don’t trust people thanks to things like this isn’t a moral failing — I’m afraid it’s necessary to be suspicious. It’s not paranoia if they’re really out to get you.