Phishing

June 14, 2004

Eileen got a spoof email from someone claiming to be Citibank today. She is a smart woman, though: she checked through the real Citibank website instead of using the link in the spoofed email. Phishing is on the rise and there are still people out there who are ignorant of the fact that clicking stuff in email is the worst thing you can do -- especially when it comes to emails that purport to collect or update personal information.

My co-worker's wife fell for one of these phishing schemes. She received an email that had eBay's logo on it and looked just like an authentic eBay email. It was very hard to tell that it was not from eBay. My co-worker does a lot of business on eBay during his weekends and he gets a lot of email from eBay. His wife helps him out with the clerical issues. So, to her, getting an email from eBay is not something out of the ordinary. Embedded in the email from the phisher was a form that asked for some really personal information: full name, birthday, social security number, credit card number, ATM card number, ATM PIN number, and mother's maiden name. I flipped out when I heard that his wife actually filled out all the information!

She is a prime example of the ignorance that phishers are looking for. It's not like she is a stupid woman; it is just that she did not know that this sort of stuff is going around -- basic ignorance. She has a high trust in the company that they do business with, and with an official-looking email the phisher took advantage of this trust. Some call this social engineering.

Here are some tips to avoid getting taken by a phishing scam:

Save yourself some headache, time, and money. Be smart about where you go on the web; it is not as safe as most people believe. And email is not as secure either -- it is probably the most insecure thing around, and any email address can be forged without much knowledge of how to do it. And don't get comfortable about phone calls while you are at it. I am not saying you should be paranoid, but a good sensible amount of paranoia will do you a lot of good. If the credit card company calls asking for information, then tell them you'll call them right back because you do not feel safe talking with them like that. Then call the number on the back of your card.

Hacking is not always about cracking passwords or code. Most of the time it is about taking advantage of a human's trust and/or ignorance. And I truly believe that with our "we don't read manuals" and lazy society, most of the time the people that get taken advantage of are those who do not take the time to educate themselves about the things that they are using. If you are using the Internet, make it your mission to learn about it and learn about the things that you should watch out for. And once you learn that stuff, keep the learning going, because as much as you learn now, the hackers and criminals will devise better schemes to take your personal information.

Maybe it is just an example of Darwinism: those that don't learn or bother to learn are the ones that get taken advantage of. The weak (and ignorant) get taken advantage of, the strong (educated) do not. Don't be taken advantage of, don't be an ignorant person.