Criminals are using emails to lure victims onto fake Web sites. At these sites, the victims willingly enter their own credit card numbers, bank account numbers, and other important information. This is called "phishing."
You probably think you'll never fall for such a trick. But these crooks are good. Spoofed email addresses and Web sites that look identical to financial institutions, Internet service providers, and other businesses are being used. Recent phishing emails appear as if they came from well-known companies such as America Online, Citibank and eBay, replete with official logos, verbiage and links.
The government, police and banks are working together to combat this problem. But it's difficult to catch the crooks; many are overseas. The spoofed Web sites are active for a short time, then they disappear.
Until this problem is eradicated, here are four steps to protect against the theft of your own personal information and your company's valuable business data.
1. Understand how phishing works.
The best way to defeat phishers is to understand their tricks. For example, I recently received an email that appeared to come straight from eBay. It read:
"Dear eBay Customer, "This email is a reminder that your eBay account information suspended. To avoid any interruption to your service including the ability to log onto your eBay account, please update your credit or debit card information by clicking here and submitting our form. "If you do not update your credit or debit card information you may no longer be able to use eBay and associated services."
The email certainly looked authentic. It had the eBay logo, and the email appeared to come from support\[at\]ebay.com. But on closer examination of the wording, you'll notice that the verb is missing in the phrase "account information suspended." In addition, the person who wrote the email apparently was unfamiliar with commas.
The word "here" in the second sentence supposedly links to eBay's Web site. But when you click on it, you're taken to a lengthy "account.ebay.com" address in South Korea (since shut down).
The beginning of the URL, with "account.ebay.com" in it, makes you think that you're at an eBay site. However, the real Web address changes with the words, numbers, percent signs and gobbledygook after the "@" sign.
The longer the link, the harder it is to tell if it's legitimate. Some phishers use extremely long URLs that would fill up five or six rows in this column. Fortunately, there's software to help you figure out where a link leads before it's too late.
My URL Discombobulator (karenware.com) is a free program that takes very long URLs and displays the Internet Protocol (IP) address. It boiled down the URL in the spoofed email from eBay to a pair of IP addresses. It also let me know that this Web site was located in South Korea.
SpoofStick (corestreet.com) is a free toolbar that runs in Internet Explorer. It tells you the domain name of the site you are visiting. So you'll know if you're really on eBay's site or a spoofed one.
2. Lock down your HOSTS file in Windows. A recent phishing scam in Brazil caused Web browsers to land on criminal sites that looked identical to well-known bank sites. The phishers used HTML emails encoded with malicious Trojan horse programs. If the security settings on a recipient's computer were too low, just opening the email would make changes to an essential Windows component.
Thereafter, any time victims typed certain banks' Web address into their browsers, they were directed to the crooks' sites. User names, passwords, bank accounts and, ultimately, money, were taken this way. It's only a matter of time before this type of scheme migrates to the United States.
The Windows component involved here is the HOSTS file. The HOSTS file acts like an address book. When you type in an address such as www.komando.com, the browser consults the HOSTS file for the corresponding IP address (a set of numbers). If the IP address is listed in the HOSTS file, your browser will go directly there. If not, your computer will ask a server on the Internet for the correct IP address.
The Trojan program used by the crooks in Brazil entered the banks' addresses in the victims' HOSTS files, along with an IP number belonging to the crooks. When people tried to go to their banks, the HOSTS file instead sent them to the crooks' computer. However, good guys can play this game, too! You can set up your HOSTS file to prevent malicious software, also known as "malware," from communicating outside your computer. It's like the old Roach Motel commercial: Malware can check in, but it can't check out.
Most malware servers are known. So all you have to do is enter the domain name for the known offenders and your computer's address (127.0.0.1). All attempts to contact the malware's servers on the Internet will lead back to your computer and eventually stop completely.
There's a huge list of offenders, so entering them all by hand would take a long time. Fortunately, you don't have to. There are custom HOSTS files on the Internet. You can find one with installation instructions at this URL: http://www.mvps.org/winhelp2002/hosts.htm. That HOSTS file is updated every couple of weeks.
3. Use Outlook 2003 to filter it out. One of the best ways to avoid being scammed is to filter out phishing emails. Even the best-worded and designed emails can be caught with spam filters. You'll find plenty of spam-filtering software on the market, but save your cash.
The built-in Junk E-mail folder in Outlook 2003 does a good job of weeding out spam. The default level is set to low. This is fine if you don't receive much spam. But if you receive a lot of spam, you might want to bump it up. To change the filtering levels, click Actions > Junk E-mail > Junk E-mail Options.
Know that legitimate emails can get caught too. I always give the messages in the Junk E-mail folder a quick look before deleting them. If you find a legitimate email in the folder, right-click on the message and click Junk E-mail > Add Sender to Safe Senders List. Messages from this sender will no longer be sent to the Junk E-mail folder.
It takes some tweaking to get the settings just right but eventually you'll come up with a smooth-running system. Microsoft updates the Junk E-mail filters, so periodically check Office Update for new ones. To do that in any Office application, click Help > Check for Updates. Then click on the Check for Updates link.
To help protect you from malicious scripts that phishers employ, Outlook 2003's security zone is set to Restricted Site by default. This setting disables most scripts and ActiveX controls. To check your settings, click Tools > Options. Click the Security tab. Under Security Zones, the drop-down box should read Restricted sites. If not, change it and click Apply.
4. Apply some common sense. Even the best spam filters and anti-phishing techniques can't replace common sense. When you receive an email from a business, examine it critically. Why was it sent? Have you purchased anything recently? Why is the name of the organization misspelled? Many phishing e-mails come from overseas, and often have misspellings and bad grammar.
Never disclose sensitive information in response to an email. Your bank, eBay or any other legitimate organization will not make this request. Such a request is almost certainly from criminals.
And when you do receive fraudulent email, immediately forward it to the Federal Trade Commission at spam\[at\]uce.gov. The sooner authorities know about scams, the better chance they have of capturing the players.
