Phishing in Restricted Waters
Don’t “bite” when you receive fraudulent e-mails—the bait may not be what it seems.
By Burton Kelso
Phishing is a technique in which fraudulent e-mail messages that appear to come from legitimate businesses are used to gain personal information. The term was coined in the mid-90s by hackers attempting to steal America Online accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password to verify an account or to confirm billing information. Once the victim provided the password, the attacker could access the account and use it for criminal purposes, such as spamming.
Today, online criminals put phishing to more directly profitable uses. They send out authentic-looking messages that are designed to fool recipients into divulging personal data, such as account numbers and passwords, credit card numbers and Social Security numbers. The phishers send out millions of e-mails in the hopes that a few people will “bite” (thus the reference to fishing). It has been reported that as many as 5 percent of recipients respond to phishing attempts. The most common companies that are spoofed in the current phishing scams include Amazon, Bank One, Citibank, EarthLink, eBay, Wells Fargo and PayPal, but more will come.
The most recent Wells Fargo look-alike phishing scam asks users to review recent policy changes, but requires the user to log in to their account to get to the message center. Once you have typed the username and access code, you’ve been had.
Replying to the message to ask the sender to stop is futile, since the address you are replying to is generally forged and does not belong to the phisher at all.
Vulnerabilities
One reason that phishing scams are on the increase is a vulnerability discovered in Microsoft’s Internet Explorer browser that lets an attacker send an e-mail containing a link that “spoofs” a legitimate site: the link takes you to the attacker’s server while the browser’s address bar shows the legitimate address.
The trick relies on the little-used user@host form of a Web address combined with a percent-encoded non-printing character. A link such as http://www.bankname.com%01@www.HackerWebsite.com/StealYourInfo actually connects to www.HackerWebsite.com, because everything before the “@” is treated as a user name rather than a host name, but an unpatched Internet Explorer stopped displaying the address at the hidden %01 (or %00) character and reported that you were at www.bankname.com. Even with a patched browser, the visible text of a link in an HTML e-mail can say one thing while the underlying address points somewhere else entirely, so hovering over a link (or reading the message as plain text) is the only way to see where it really goes.
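As an added example, not part of the original article, the following Python script applies the checks just described to the links in an HTML e-mail. It extracts each link’s visible text and its actual destination, works out which host the browser would really connect to, and flags links that use the user@host form, that contain a percent-encoded control character of the kind the Internet Explorer bug abused, or whose visible text names a different site than the address behind it (the last check catches deceptive links even in a patched browser). The sample e-mail body is constructed for the example, and www.bankname.com and www.HackerWebsite.com are the article’s placeholder host names.

```python
"""Flag deceptive links in an HTML e-mail.

Added example for this article; the e-mail body below is constructed, and
www.bankname.com / www.HackerWebsite.com are the article's placeholder hosts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Percent-encoded control bytes (%00-%1F, %7F) never belong in a host name.
# The Internet Explorer address-bar bug hid everything after such a byte, so
# one appearing before an '@' is a strong sign of a spoofed address.
CONTROL_ESCAPE = re.compile(r"%(?:[01][0-9a-fA-F]|7[fF])")

# Something in the link text that looks like a host name, e.g. "www.bankname.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def real_host(url: str) -> str:
    """Host the browser actually connects to (anything before '@' is user info)."""
    return (urlsplit(url).hostname or "").lower()


def apparent_host(url: str) -> str:
    """What a hurried reader, or the buggy address bar, would take for the host:
    the text after the scheme up to the first '@', ':', '/', '?', '#' or
    percent-encoded control byte."""
    after_scheme = url.split("://", 1)[-1]
    first = re.split(r"[@:/?#]|%(?:[01][0-9a-fA-F]|7[fF])", after_scheme, maxsplit=1)[0]
    return first.lower()


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (visible text, href)
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((visible, self._href))
            self._href = None


def analyze_links(html: str) -> list:
    """Return one finding per http(s) link; 'reasons' is empty for honest links."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, javascript: etc. are outside this check
        host = real_host(href)
        reasons = []
        if "@" in parts.netloc:
            reasons.append(f"user@host form; real host is {host}")
        if CONTROL_ESCAPE.search(href):
            reasons.append("percent-encoded control character in address")
        shown = apparent_host(href)
        if shown != host:
            reasons.append(f"address bar could show {shown}, connection goes to {host}")
        m = HOST_IN_TEXT.search(text.lower())
        if m and m.group(1) != host and not host.endswith("." + m.group(1)):
            reasons.append(f"link text names {m.group(1)}, href goes to {host}")
        findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


def is_suspicious(html: str) -> bool:
    """True if any link in the message triggers at least one of the checks."""
    return any(f["reasons"] for f in analyze_links(html))


# Constructed sample: a "review our policy changes" lure of the kind the
# article describes, with one spoofed link and one honest link.
SAMPLE_EMAIL = """
<p>Dear valued customer, please review our recent policy changes.</p>
<p>Log in to your message center at
   <a href="http://www.bankname.com%01@www.HackerWebsite.com/StealYourInfo">
   https://www.bankname.com/messages</a></p>
<p>Questions? Visit our <a href="https://www.bankname.com/help">help center</a>.</p>
"""

if __name__ == "__main__":
    for f in analyze_links(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{verdict:10} {f['text']!r} -> {f['href']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

Run as-is, the script reports the first link as suspicious on all four counts and the help-center link as clean. The host-name comparison is deliberately conservative: a link whose text says bankname.com but whose address goes to www.bankname.com is accepted, because the real host is a subdomain of the name shown.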
The site would replicate the look of the actual bank Web site, complete with the indicators that you are on a secure Web site (https:// in the address and the little yellow lock in the bottom right corner), to entice you to give up your personal information. Keep in mind that the lock only means your connection to whatever site you are on is encrypted; a phisher can obtain a certificate for his own domain, or simply draw a lock image into the page, so the lock by itself does not prove you are at your bank. Double-clicking the real lock shows which site the certificate was issued to, and that name should be your bank’s.
Don’t Take the Bait
Anything that asks you to update or confirm your Social Security number (When was the last time your SSN changed?) or any other personal information, especially when it comes in the form of an e-mail, should instantly set off warning bells in your head.
E-mail has always been a fairly questionable source for information, but now it has become downright untrustworthy. Corporate logos, links to Web sites and references to government or corporate security agencies can all be spoofed in an attempt to get you to give up personal information that can be used to victimize you.
Protect yourself from phishing scams by making sure you have updated Windows and Internet Explorer with the latest security patches. You can find these by visiting http://windowsupdate.microsoft.com (no “www” at the beginning).
Whenever an e-mail message is suspicious, do not click on any of the links in it. Instead, type the company’s Web address as you already know it, from your statement or card, into your browser’s address bar yourself, so you control where you actually go, and then look for the notice the e-mail mentions. If the site makes no reference to the information contained in the e-mail, it was likely a phishing scam.
Look for misspellings and bad grammar. While an occasional typo can slip by any organization, several in one message are a tip-off to beware. Finally, when in doubt, call the company or send it a new e-mail at an address you already have for clarification, but never reply to the message itself. If you feel you have been a victim of a phishing scam, contact your financial institution immediately to have your account access code changed.

Burton Kelso is owner of Integral Computer Consultants, a Kansas City-based computer service company specializing in the on-site repair and networking of home-based and small business computers. He can be reached at (816) 942-0672 or by e-mail at .