For the bad guys on the Internet, this truly is, “the most wonderful time of the year.” We’re all rushing around, buying things online and sending e-mail greetings. It’s the perfect time for online crooks, especially “phisher” scammers, who want to steal your money or snag your identity.
Phishing fraud is getting worse. According to the research group Gartner, Inc., both the volume of e-mail attacks and the money lost are up significantly. Gartner estimates that phishers will steal more than $2.8 billion from American consumers this year. In a survey released last month, Gartner says the average phishing victim now loses $1,244. That’s up from an average loss of $257 in 2005.
“Some of these guys are the ultimate online marketers,” says Dave Jevans, Chairman of the Anti-Phishing Working Group. “Unfortunately, they’re on the dark side.”
Phishers are always coming up with new lures to reel you in. Right now, many are using a holiday theme.
The phony confirmation
The bogus e-mail looks like it’s from online store thanking you for ordering some expensive item, maybe a laptop or flat screen TV. The message will probably contain some language designed to make you act right away. For instance, “we ship all orders within 24 hours,” or “here’s how the charges will appear on your credit card.”
You know you didn’t order this, but you’re worried about having thousands charged to your credit card. So you click on the link in the message that says “click here to check on your order or dispute this charge.”
That link takes you to a site that looks like a normal online retailer. The dispute page will ask for your credit card number and other personal information in order to cancel the transaction. Gotcha!
“They scam you by scaring you,” says Andrew Brandt, a contributing editor to PC World Magazine. They deliberately use a high value amount in the bogus confirmation e-mail because they want to give you “a little adrenaline rush, just enough to panic you for a split second,” he says.
Because so much e-commerce is taking place right now, many of these phishing attacks are aimed at people with eBay and PayPal accounts. If that’s you – be on guard!
Protect yourself
Never click on a link that’s contained in an e-mail confirming an order you did not make. A real confirmation e-mail from a legitimate retailer will never take you to a site that asks for your credit card number or other personal information.
If the e-mail appears to be from a legitimate retailer you know, call them to find out what’s up. If the message is from a company you don’t know and are sure you didn’t do business with, delete it.
If you feel you need to do something, contact your credit card company and keep an eye on your account for any bogus charges. If something shows up, you can challenge it as fraudulent.
The charity twist
People are in the mood to give at this time of year and most of us expect to get e-mail asking for charitable donations. But how do you know if that solicitation is legit? These days, almost anything on the Internet can be faked.
That “donate now” link could take you to a fake site that looks every bit like the real charity’s site. If so, you’re donating your credit card number to a crook.
Cyber-crooks are no longer amateurs. They are very good web designers. These copy-cat web sites look so good, Brandt says, “that even the people who work for that charity might not be able to tell the difference.”
Play it safe - never click a link on a charitable solicitation. If you want to make a donation to that charity, log on to their site by typing their address into your browser. If you’re not sure of the exact address, use the charity search engine at guidestar.org.
Holiday greetings
Dave Jevans with the Anti-Phishing Working Group says the volume of e-mail containing malicious software has been skyrocketing recently.
Many of these come in the form of online greeting cards. The message tells you to click on a link to see your e-card. You may figure nothing bad could possibly happen. That’s what the phisher is counting on.
Lance James, Chief Technology Officer of Secure Science Corp. and founder of Mal-Aware.org has some advice that may not make the greeting card companies too happy.
“If you get a greeting card from someone you don’t know,” he says, “don’t open it!”
You could load malicious software onto your machine — and never know it — software that can track everything you do on your computer.
Be suspicious
Be suspicious of all e-mail greetings, especially those with attachments, from people you do not know. Don’t open these attachments.
Cyber-crooks go to work each day thinking up new ways to rob you of your money or identity. They’re getting “extremely technically sophisticated,” says Lance James of Malware.org. They can now find ways around all the rules for safe computing.
For instance, we’ve been taught to look for and trust the little yellow security lock icon on the browser and “https://” in the address. Both show that we’re on a secure server. James says the bad guys can now fake that safety seal and the secure address.
The latest browsers from Microsoft (Internet Explorer 7) and Mozilla (Firefox 2) now have anti-phishing filters that will warn you if you land on a known or suspected phishing site. A number of toolbars also offer this protection.
But according to a recently released study by Carnegie Mellon University’s Cylab, this anti-phishing technology “left a lot to be desired.” That’s to be expected. Because the real solution to this problem isn’t technology, it’s people – computer users who are suspicious, who think before they act, and guard their private information.
“Remember, you don’t want to trust anything online,” says Lance James of Mal-Aware.org. “It really is the wild, wild web.”