"Two years from now, spam will be solved." Bill Gates, Jan, 2004.
What is Phishing?

Have you ever received an email about problems with an account at a bank or other institution, but you don't actually have an account at that institution? If so, you have been "phished." You have also been phished if you do have an account at that institution. There is not much you can do to stop these messages appearing, apart from using a spam filter (which may not catch all of them). What you don't want to do is get caught by the phisher.

Phishing is a technique used by strangers to "fish" for information about you, information that you would not normally disclose to a stranger, such as your bank account number, PIN, and other personal identifiers such as your Social Security number. These messages often contain company logos that look legitimate and use flowery or legalistic language about improving security by confirming your identity details. The best thing to do with these messages is delete them. The worst thing to do is respond to them. We know of no reputable institution that uses email to request changes or updates to confidential account information.

Although the people sending these phishing messages are trying to get personal information, they are not targeting you personally. They send millions of these messages a day and have no idea whether or not the recipients have accounts at the institution named in the message. Indeed, this type of mismatch is the easiest way to spot a phishing message. However, if the phisher gets lucky and you do happen to have an account at the institution named in the message (or the message is generic; see below), then things get a little trickier. For example, you are more likely to pay attention to a message that appears, often quite convincingly, to come from your bank. So let us repeat: we know of no reputable institution that uses email to request changes or updates to confidential account information. Delete the message. Do NOT click on any links in the message.
If you cannot resist looking at email about an account problem, here are some of the clues that the message is bogus (note that we are NOT implying that messages which lack these clues are therefore legitimate):

1. Has a deceptive link

Most phishing messages make an effort to look like they are legitimate, for example by using logos and graphics stolen from the web site of the target bank. All phishing messages we have seen also include a link for you to go to a web site to provide the data the phisher is trying to steal. However, this link is typically disguised. For example, the link might be long and complicated and include the name of the bank but actually not take you to the bank's web site. Alternatively, the link may appear to be plain and simple text but in fact be HTML-coded to go somewhere else. Some email programs, such as recent versions of Eudora, will warn you of this deception and show you the real link when you place your mouse over the link text. As you can see, this is tricky stuff and not something that inexperienced users should mess with. Just delete the message and move on.

2. Says you must change your PIN and/or password

This is not something that legitimate companies currently do via email, partly because email is so unreliable and prone to spoofing and other security problems. No security update to a banking web site is going to involve you logging into your account to reset it or to prevent it being suspended. Ignore these messages and move on.

3. Bad spelling and grammar

Whoever thought those tedious grammar lessons could be so useful? Believe it or not, bad grammar, spelling, and even faulty logic can be the fastest way to spot bogus email. Consider this example:
There is a telling typo here ("identy" for "identity") and the logic is hopeless. Think about it: why would a bank send an email to someone if they were not sure they were the "rightful holder of the account"? Again, this is not how real companies do business today, so just move on.

Generic Example

Generic account warnings are particularly nasty. They are one way that phishing attacks try to get around the problem of not knowing where the victim (you) has an account. For example, all bank accounts in America are insured by an institution called FDIC. So someone created a particularly nasty attack that preyed on this fact, potentially snagging anyone with a bank account. You can see the message by clicking this link: FDIC Patriot Act. We also have a picture of the bogus web site to which the link in this message leads. Note that it looks as though it is www.fdic.org, but it is not. Click here for a view of the bogus site. Go to this page for several more examples of phishing.

Note: All trademarks displayed are the property of their respective owners. Images may include copyright material and are displayed for educational purposes. Email users should think twice before replying or responding to any message requesting or referring to personal information such as user name, password, social security number or bank account.
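The deceptive-link clue (1 above) and the look-alike www.fdic.org address in the generic example can both be checked mechanically. What follows is an added Python example, not code from the original article: it pulls every link out of an HTML message body and flags those where the visible text, the real host, or a bank name buried in the URL disagree. The message body, the bank domains and the TRUSTED set are constructed for this example only.

```python
# Added example (not from the original article): flag links in an HTML email
# whose visible text points one way while the real href goes somewhere else.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the clues above; not a real message.
SAMPLE_EMAIL = """<p>Dear customer, confirm your identy at
<a href="http://198.51.100.23/login/www.examplebank.com/">www.examplebank.com</a>
or visit <a href="http://www.fdic.org.account-verify.example/">www.fdic.org</a>.
<a href="http://secure-examplebank.com.example/">Click here</a> to reset your PIN.
Our real site: <a href="https://www.examplebank.com/">www.examplebank.com</a></p>"""
TRUSTED = {"examplebank.com", "fdic.org"}   # hypothetical, for the sample

class LinkCollector(HTMLParser):
    # Collect (href, visible text) for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Crude: last two labels, adequate for .com/.org style hosts.
    return ".".join(host.lower().split(".")[-2:])

def deceptive_links(html, trusted):
    """Return (visible_text, href, reason) for each link worth flagging."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flagged.append((text, href, "raw IP address host"))
        elif (re.fullmatch(r"(www\.)?[\w.-]+\.\w+", text)
              and registered_domain(text) != registered_domain(host)):
            flagged.append((text, href, "visible text names a different domain"))
        elif (registered_domain(host) not in trusted
              and any(t in href.lower() for t in trusted)):
            flagged.append((text, href, "trusted name buried in untrusted URL"))
    return flagged
```

The last link in the sample, where text and host agree and the host is on the trusted list, is the one that is correctly left alone; the other three trip one rule each.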
Updated 2007, by webbloke at cobbsblog.com, © Stephen Cobb, 2001-2007