
Dolce Technica

Thoughts about sweet technology


Peter on Tech

After all, somebody has to point out the obvious!

Phishing - not the relaxing weekend kind

At work we had a fun couple of days monitoring the latest variant of the Sober worm that sent us a pretty large batch of infected messages (we blocked about 5000 yesterday alone), which came right on the heels of weeks and weeks of very annoying malicious spam of another kind. It's something that has grown very fast lately, affects pretty much everyone (probably both at work and at home), and even high-tech software and IT magic can't always block it. I'm sure you have even seen reports about it on evening news shows - it's always a bad thing when a computer problem reaches TV news (because it has become so common these days). Yes, I am talking about phishing. And really, who came up with that spelling anyway? Anyway, I figured I'd take a moment for a repetitive but needed basic primer on spoofed e-mails. Many folks are probably familiar with the problem already, but some of the links at the end are pretty neat, especially the phishing IQ quiz. So if you don't want to slog through a refresher course, just skip to the end.

Phishing is an electronic attack that combines social engineering with some technical aspects of software programs in order to trick you into giving up some personal information. Even with up-to-date virus scanners checking your computer and your e-mail, phishing attacks usually get through, because in and of themselves they aren't harmful. That's where you come in. Let's look at a typical phishing scenario.

I'm sitting in my office, working away, when all of a sudden I get a new e-mail. Since I have local anti-virus scanning on my computer and the mail server is scanning my messages, I regard the new message as safe, since no warning messages are popping up. It doesn't even have any suspicious attachments. And it doesn't look like spam either - no offers for l0wer m0rtg.age ra-tes or personal enhancement products.

It's a worrying message from PayPal saying that my billing records need to be updated, otherwise my account will be suspended. It sounds very urgent. PayPal - now owned by eBay - is sort of an online banking service that lets people transfer money back and forth, and is frequently used by eBay customers. I actually do have a PayPal account, so this seems very real, and spurs me to action. I click on the highlighted link, which opens my browser to a site that looks just like PayPal. It prompts me for all sorts of personal information - bank account numbers, social security numbers, you name it - so I fill it out and breathe a sigh of relief that my account won't be terminated now. A few days later my identity is stolen, sold, passed around on the Internet, and somebody opens a few accounts in my name and applies for a mortgage.

This is exactly what you should NOT do!

Let's look at that e-mail message a little more closely (in case you are wondering, this is a real one that I dug out of my trash):

Phishing Message

It looks very authentic. At the top, it claims to come from a "PayPal" address. Of course, whether such an address actually exists is another matter, but it seems legitimate. The graphics are all there, consistent with the real PayPal site. (Actually, if you use Outlook 2003, by default the graphics wouldn't show, and you would have to explicitly right-click and display them.) Ironically, there is even a section about protecting your privacy, which sounds real and appropriate. All of it is designed to make things look legitimate at first glance, instill a false sense of security, and rush you into clicking on a link.

However, if you start to look closer, you may notice a few odd things. First of all, the title is misspelled. It shouldn't be "You're", but rather "Your". That's a tiny thing, but you can be sure a company like PayPal has people check the spelling of anything they send out. In fact, many spoofed phishing messages have poor spelling or grammar in a couple of places, so that's one thing to watch out for.

If you hover your mouse over the links (don't click, just move the pointer over them), you will see a pop-up that shows the real address you would go to if you clicked the link. It may say one thing in the e-mail, but even a link that looks like a URL (an Internet address) could really be pointing somewhere else. That's why you should always check links in any message you receive, no matter how legitimate it looks. In fact, you can do the same in your browser - if you hover your pointer over a link, the address should display at the bottom of the browser window, in the status bar. If it doesn't look like something you would expect, don't click it.

In our example, the bottom link definitely looks suspicious, because the domain isn't even close to paypal.com. However, the top one is "sort" of right, just with an extra character. It's fake as well. The real domain is paypal.com, without any extra characters. Normally, if you do business with the company, and you have been to their web site, you would know what the real address looks like. Here is another example:

Another Phishing Message

It doesn't have graphics, and seems "less real" (or even "less fake" to some people), but both links would redirect you to another site in this case as well. Notice that the real links go to an Internet address specified in numeric (IP) form rather than a domain name. As a rule of thumb, no legitimate company would point you to a site with such an address, so that's yet another warning sign.
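As an added illustration of the link checks described above (this script is not from the original post; the sample message body, the hostnames in it and the trusted-domain list are all constructed for the example), here is a small Python program that pulls every link out of an HTML e-mail body and flags the three warning signs just discussed: visible text that names one address while the href points somewhere else, a numeric IP address as the target, and a host that contains a company's name but is not actually that company's domain.

```python
"""Flag suspicious links in an HTML e-mail body (added example, not from the post)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient really does business with (constructed list for this example).
TRUSTED_DOMAINS = {"paypal.com"}

# Visible anchor text that itself looks like a web address or a bare domain name.
URL_LIKE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so text split across lines compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def is_ip_literal(host):
    """True when the host is written as a numeric IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude last-two-labels approximation: www.paypal.com -> paypal.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means none were found."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["link has no hostname"]
    if is_ip_literal(host):
        reasons.append("target is a numeric IP address")
        target = host
    else:
        target = registrable_domain(host)
    # The link text claims one address while the href really goes somewhere else.
    if URL_LIKE.fullmatch(text.strip()):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable_domain(shown) != target:
            reasons.append(f"text shows {shown} but href goes to {host}")
    # Lookalike: a trusted company's name appears in the host, but it is not that domain.
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in host and target != domain:
            reasons.append(f"host {host} imitates {domain}")
    return reasons


def scan_email(html):
    """Parse an HTML e-mail body and return (href, text, reasons) for each link."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample body in the style of the messages described in the post.
# The hostnames are placeholders (RFC 2606 ".example" and the 192.0.2.0/24 test range).
SAMPLE_HTML = """
<p>Dear PayPal member,</p>
<p>Please <a href="http://www.paypall.example/cgi-bin/update">update your
billing records</a> within 24 hours or your account will be suspended.</p>
<p>Or log in at <a href="http://192.0.2.10/login">https://www.paypal.com/login</a>.</p>
<p>Questions? See the <a href="https://www.paypal.com/help">PayPal Help Center</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_HTML):
        verdict = "; ".join(reasons) if reasons else "looks consistent"
        print(f"{text!r} -> {href}: {verdict}")
```

Run as-is, the script reports the first link as imitating paypal.com (the "extra character" domain), the second as both a numeric IP target and a text/href mismatch, and the help-center link as consistent. The lookalike check also catches hosts such as www.paypal.com.evil.example, where the real brand name is only a prefix of a different domain; the registrable-domain helper is deliberately simple (two labels), which is enough for this illustration but would need a public-suffix list for country-code domains like .co.uk.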

If you are unsure about a link in a message, especially one that asks you to go to a site that you think you visit often (even more so one that came from any sort of company that deals with money or personal information like social security numbers), be safe rather than sorry. Ignore the message. If you do business with the company and are concerned about your account, do one of two things:

  • Open your browser and manually type in the address. If you have a bookmark, use it.
  • Call the company over the phone to make sure your account is safe.

Many companies that are targets of spoofed e-mails have put up advisories and guides about protecting yourself from such fake messages. PayPal's guide is a great example, and covers a lot of the common things to watch out for when looking at a suspicious message. Definitely worth a read. Generally, no legitimate company will ever ask you in an e-mail to provide personal information, follow links to verify your account, or threaten to quickly close an account unless you reply or do something.

Sometimes it's easy to disregard such messages simply because they come from a company that you don't do business with anyway. In recent months I've seen them from real companies like Regions Bank, Washington Mutual, Key Bank, Huntington Bank, just to name a few. If you have never been involved with them, simply delete the messages without even looking at them.

Remember that successful phishing requires you to not think and blindly follow some directions in an e-mail message or on a web site. So just take your time, don't rush to click on links, carefully read all the text, determine how (un)comfortable you are with it, and only then act. It may take a few more minutes to deal with an e-mail, but you will be spared living the horror stories of people who had their identities stolen and later had to spend a lot of time and money to get everything straightened out.

If you want some further reading about phishing, here are some good sites to get you started:

There are, of course, many more sites dealing with the problem, but these will give you a pretty good overview and suggest steps to protect yourself. Remember, think before clicking and stay safe out there!

Published May 04 2005, 11:58 AM by peter