Phishing for a living

Let's talk for a moment about the art of “phishing”, shall we?  This ain't your daddy's fishing, no sir.  Phishing is the term used to describe the theft of credit card information, usernames and passwords, and/or identity information using a combination of email and bogus web sites.

Consider, if you will, the following email from what appears to be Citibank:

Oh crap!  They are going to cancel your checking account unless you clicky the linky!  So you do, and it takes you to something like this...  Looks like a Citibank page, doesn't it?  But is it really?  Where did I *really* send you?  Take a hard look at the address bar on your browser.  When did Citibank start using bmonday(dot)com to validate checking accounts...?  They didn't.  I made that page by going to Citibank's web site, doing a Select All, and pasting the result into Word.  Then I said “Save as web page” and boom!  In 20 seconds I had a self-contained Citibank lookalike login screen on my own web site, and I can do whatever I want with the data that gets submitted through it.  Sure, I have to put a little code behind it to catch the form submission, but that will take me an extra 10 minutes, maybe?

Phishers have used the same tactic to gain access to eBay accounts, PayPal accounts, and a myriad of banking services.

Phishing is the common starting point for crimes such as identity theft, which has increased 79% in the past year alone (link), not to mention the outright theft of whatever money is in the victim's accounts.

Sadly, the FTC has brought only one case involving phishing.  Yep.  One.  And the poor kid was made to repay $3,500 of what he stole and had to promise never to send spam again.  They made him promise!  Well, if that doesn't deter all those hackers out there, I don't know what will!

Once again, your online safety is in your own hands, folks.  But luckily Uncle Beau is here to help (and I'm not even deputized!).

What you can do to protect yourself from phishing scams:

  • Never trust anything sent to you in email, especially if it is unsolicited.
  • Never click on a link in an email.  If the link appears valid, cut and paste it from the email directly into the Address bar of your browser.  HOWEVER, keep in mind that a link can look valid and still take you to a malicious site.  For example, http://www.citibank.com@bmonday.com/login.htm will NOT deliver you to Citibank's page, but to bmonday.com's version of it.  Everything between the “//” and the “@” in a URL is treated as a user name, not as the site; the real host is whatever follows the “@”.  Some browsers of the day were even sloppier about where the host part ends, so read the address bar carefully after the page loads.
  • If you get an email claiming that your accounts will be canceled or something similar, CALL the bank (using the number on your card or statement, not one from the email) instead of doing what the email tells you to.  Banks will never communicate such information via email (does your bank even HAVE your email address?).
  • NEVER email personal information or passwords.  Unless you take special precautions to encrypt your email, it travels across the Internet in clear text, which means ANYONE along the way can read it.
  • Before submitting any personal information on a web site, look for the little gold lock on the browser (normally along the bottom status bar) that indicates the site is using encryption.  While this does not guarantee the security of the data after it reaches the site, it keeps anyone from reading it while it travels from your computer to theirs.  It also says nothing about who is on the other end: click the lock and check that the certificate is issued to the company you think you are talking to.  And thanks to things like Chromeless Window vulnerabilities, a clever hacker can paint a fake lock in that portion of your browser to make it appear as though the site is secure.
  • Monitor your credit card bills and bank statements for anomalies.  Often the first few charges against a newly hacked account are small, to verify that the stolen details work before the thief makes larger ones.
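The “@” trick and the lookalike login page both come down to one question: where does the browser actually send what you type?  What follows is an added example, not code from the original post, using the WHATWG URL parser built into Node.js and current browsers to show how such links resolve, plus a small check of where a page's login form submits.  bmonday.com stands in for the phisher's site as it does in the text, and the HTML snippets and sample links are constructed for the example.  One caveat a standards-following parser makes visible: the host part ends at the first “/”, so a spelling like http://www.citibank.com/login.htm@bmonday.com resolves to Citibank, while the form with the “@” before any slash is the one that lands on bmonday.com.

```javascript
// Added example, not code from the original post. URL is the WHATWG URL
// class built into Node.js (>= 10) and into current browsers.

// Split a link into the parts that decide where the browser connects.
function inspectLink(link) {
  const u = new URL(link);
  return {
    host: u.hostname,     // the server the browser really talks to
    username: u.username, // anything between "//" and "@" ends up here
    path: u.pathname,
  };
}

// True when the link lands on expectedHost or one of its subdomains.
function landsOn(link, expectedHost) {
  const host = new URL(link).hostname.toLowerCase();
  const want = expectedHost.toLowerCase();
  return host === want || host.endsWith("." + want);
}

// Given a page's HTML and the URL it was loaded from, return the resolved
// target of every <form action="..."> that does not post to expectedHost.
// A cloned login page that ships your password somewhere else shows up here.
function formsNotPostingTo(html, pageUrl, expectedHost) {
  const offSite = [];
  const formRe = /<form\b[^>]*\baction\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const target = new URL(m[1], pageUrl); // resolves relative actions against the page
    if (!landsOn(target.href, expectedHost)) offSite.push(target.href);
  }
  return offSite;
}

// Constructed sample links. bmonday.com stands in for the phisher's site,
// as it does in the post.
const SAMPLE_LINKS = [
  "http://www.citibank.com@bmonday.com/login.htm", // user-name trick
  "http://www.citibank.com/login.htm@bmonday.com", // the post's spelling
  "http://www.citibank.com/login.htm",             // the genuine host
];

// Constructed HTML: a lookalike login form hosted on the phisher's site,
// and the same form as the real site would serve it.
const CLONE_HTML = '<html><body><form method="post" action="/collect.cgi">' +
  '<input name="user"><input name="pass" type="password"></form></body></html>';
const REAL_HTML = '<html><body><form method="post" action="/login">' +
  '<input name="user"><input name="pass" type="password"></form></body></html>';

for (const link of SAMPLE_LINKS) {
  const { host, username } = inspectLink(link);
  const verdict = landsOn(link, "citibank.com") ? "Citibank" : "NOT Citibank";
  console.log(`${link}\n  host=${host} username="${username}" -> ${verdict}`);
}
console.log("clone posts to:",
  formsNotPostingTo(CLONE_HTML, "http://bmonday.com/citi/login.htm", "citibank.com"));
console.log("real page posts to:",
  formsNotPostingTo(REAL_HTML, "http://www.citibank.com/login.htm", "citibank.com"));
```

Run it with node.  The first link comes back with host bmonday.com and the Citibank name demoted to a user name the browser would send as credentials; the cloned page's form resolves to http://bmonday.com/collect.cgi, which is exactly the “little bit of code behind it” that collects what the victim types.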

Basically, never trust email, especially when it arrives out of the blue.  Remember, the Internet is full of people trying to separate you from your money, and they will go to unbelievably great lengths to do so.  Remembering that is half the battle.

posted @ Wednesday, October 29, 2003 9:19 PM

Comments on this entry:

# re: Phishing for a living
by Myst the Myth Buster at 11/19/2003 1:59 PM

Have you noticed that the newest versions of the Mimail worm (Mimail.I and Mimail.J) are an attempt at phishing? Seems these scammers are joining up with virus writers in an attempt to separate people from their money. Unfortunately there are always people new to the Internet who don't know that PayPal does not do business in this manner. Too bad we can't use these phishers as bait and go fishing for sharks. *Grins*
Love your blog btw.

Rumors and Myth columnist
Myst the Myth Buster
  
# re: Phishing for a living
by codeman38 at 3/10/2004 9:40 PM

I especially love these Citibank scams because not only do I not have an account with Citibank, there's not even a single Citibank branch in my entire *state*.
  
