As long as you stay informed about 'phishing' and keep one step ahead of the game, you'll be swimming in safer waters.

Senior Cyber Crime Investigator, Sindh

Mar 19 - 25, 2007

In today's world the Internet is becoming as common as sliced bread. Most people use it to send e-mails, browse for information, carry out banking transactions, and shop. So it shouldn't be a surprise that some people are embracing the technology for less-than-kosher purposes. As ever more people use the Internet for shopping, business transactions, online banking, etc., the incidence of Internet fraud and scams has shot up at an alarming rate. Not only has the level of Internet crime increased, but the scammers and fraudsters grow cleverer and more sophisticated every day. What can you do to fight back? In this article I will describe the most common scams of today so that you can recognize them for yourself, and I will suggest how you might deal with them.

Most of us are familiar with the dangers to our computers from viruses and similar destructive programs. There are also many "fake" virus threats, however; they do no actual harm but can cause people to become alarmed and perhaps waste a lot of time. A recent example of this type of scam is the Death Ray virus scam, which threatened to cause your computer to "explode in a hellish blast of glass fragments and flames". A virus can damage software and files but no virus can physically damage your computer hardware. If you inadvertently open an email containing such a threat, simply delete the email and ignore it.

Then there is the classic "Nigerian" money scam. I put Nigerian in quotes because this particular scam started off purporting to come from Nigeria but now can originate from virtually any country. The most common are from countries where the political situation is such that the claims made in the scam are plausible. This is how it works. You will receive an email from someone saying that their money, usually a huge sum, is tied up in local banks. They need the money to pay bills or perhaps to get out of the country safely. You are asked to help them by having the money transferred to your account, and you will be given a percentage of the cash for allowing them access. Needless to say, once they have your bank account details you will never hear from them again, but you will see a large depletion of the money in your account!

Anything which says you have won a valuable prize in a competition or lottery which you did not enter should immediately start the warning bells ringing. You are likely to see many variations on this scam, including getting free cases of Coke, free clothing from high-profile stores, free cases of beer, free Dell computers and free cell phones. Usually you have to pay a fee to receive your prize. Once you have paid the fee you will never hear anything more. There is the added danger here of the thieves possibly having access to your credit card details.

A particularly deplorable form of scam is the kind relating to "work at home" opportunities. These scams prey on people on low incomes or the unemployed, people who are desperate for money. A rosy picture will be painted of the large amount of money that will be made for carrying out some menial task such as filling envelopes. The scammers will ask for a fee upfront to pay for the supplies you will need to get started. You know you've been had when the supplies arrive: paper clips, paper, rubber bands and the like, at four times what you would pay for the items in your local store. Not only that, but when you complete any tasks you are set and send the work to them, they will say it was not up to the required standard and refuse to pay you. That is, if you ever hear anything at all. If you are interested in working at home there are plenty of legitimate companies out there. They won't contact you first and they won't ask for money from you before sending your work.

"Phishing" scams in particular are a major concern. Luckily, if you want to avoid becoming the next victim of identity theft, there are ways to protect yourself from harm.

What exactly is phishing (pronounced "fishing")? Phishers use e-mail, brand hijacking, and scare tactics to catch uninformed people off guard and steal their private information. Usually these scammers operate by sending out a whole bunch of spam e-mails to a long list of recipients. Each message is made to look as if it comes from a trustworthy company, such as eBay or a big banking institution.

The second element of the e-mail involves an appeal to your emotions. To achieve this goal, the sender claims there is a problem or crisis that needs to be fixed as soon as possible. The e-mails use urgent, professional language, and request personal information. They may even direct you to a spoofed web page where you are asked to input the requested data.

If you visit the fake website, it may appear to be authentic, and oftentimes the true URL is even masked to hide the fact that the website isn't legitimate. The website asks you to provide confidential information in order to solve the "issue," which might include social security numbers, account numbers, passwords, and other sensitive information. Phishers base their attempts on the hope that a few fish in the sea will be tricked into believing the e-mail and web page to be genuine, and hand over their personal information without realizing their mistake - until it's too late.

Unfortunately, phishers are beginning to employ more insidious tactics, such as planting spyware viruses, to try and get your personal information. Often these viruses are designed to remain dormant until they can easily snatch your sensitive data. Once the virus is on your computer system, your Internet activities are monitored so that when you visit a specific site (one that requires you to log in, for example) the virus takes action and either diverts you to a fraudulent site or logs your keystrokes as you enter relevant passwords, account numbers, and other such information. If you don't have virus and spyware protection software, contracting a spyware virus is a very real threat.

In the face of an increase in phishing scams, it's necessary to learn how to avoid them, if you can. But there is good news. You can keep from being a phishing victim, just by following a few simple measures:

Being informed about spam e-mails and spoofed websites is one of the best ways to guard against falling victim to a phishing attempt. If you know what to look out for and can recognize key factors in fraudulent e-mails, you'll be able to keep your identity as safe as possible. For instance, spam e-mails may contain the company's logo and appear official, but when you look closely, there are several warning signs that can give scammers away. Sometimes the e-mails have spelling mistakes or the language doesn't sound quite right. But the best indicator is the request itself - legitimate companies never ask you to verify your account, or to send your account information, via e-mail. If you want to make sure everything is safe with your account, simply go to the website yourself (without clicking any links within the suspicious e-mail) and log in directly to check on things, or call to confirm the sender's identity and the truth of the request. Do not send the information online.

Secondly, don't become frightened by the urgency of an e-mail or feel under pressure to answer immediately, without a second thought. Scare tactics are common when it comes to phishing, as a means to extract private information from unsuspecting people. Often the e-mail will declare that your account will be shut down until you provide the necessary data, but in reality, organizations don't conduct business in such a manner. Again, if you're concerned about your account, call the institution directly to verify the matter.

A generic e-mail request is another indicator of a phishing scam. Because scammers tend to send out spam to a large number of people, the e-mails they send aren't usually personalized. Authentic e-mails that arrive from your bank or other official organization include your name. Never click on a link embedded in an e-mail message. Always visit the site on your own by typing it into your web browser and visiting it directly. That will ensure that you arrive at a legitimate site, at which point you can log in and check on the status of your account.

And never send confidential information to the sender by filling out a form present in the e-mail. Again, use your common sense and send the information over the phone or by visiting the website directly.
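The following Python example, added here and not part of the original article, checks an e-mail's HTML body for four of the warning signs described above: urgent language, a generic greeting, an embedded form, and a link whose visible text names one site while its address leads to another. The phrase lists, the function names and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists for illustration; adjust them for your own mail.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|shut down)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
HOSTLIKE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkScan(HTMLParser):  # gathers (href, link text) pairs; notes any <form>
    def __init__(self):
        super().__init__()
        self.links, self.has_form, self._href, self._text = [], False, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        elif tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def is_masked(href, text):
    """True when the link text names one site but the href leads to another."""
    real = (urlparse(href).hostname or "").lower().removeprefix("www.")
    shown = HOSTLIKE.search(text)
    if not (real and shown):
        return False
    shown = shown.group(1).lower().removeprefix("www.")
    return real != shown and not real.endswith("." + shown)

def warning_signs(html_body):
    """Return the warning signs from the article that appear in an e-mail body."""
    scan = LinkScan()
    scan.feed(html_body)
    return sorted(name for name, hit in (
        ("urgent-language", URGENCY.search(html_body)),
        ("generic-greeting", GENERIC.search(html_body)),
        ("embedded-form", scan.has_form),
        ("masked-link", any(is_masked(h, t) for h, t in scan.links))) if hit)

# Constructed sample message; example.com and example.net are reserved names.
SAMPLE = """<p>Dear Customer,</p><p>Your account will be suspended unless you
reply immediately.</p><a href="http://login.example.net/verify">www.example.com</a>
<form action="http://login.example.net/submit"><input name="password"></form>"""
```

Calling warning_signs(SAMPLE) reports all four signs for the constructed message; a message that triggers none of them is not thereby proven genuine.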

When entering credit card numbers and other important data online through a website, check that the site is authentic and utilizes encryption to secure the information. You can verify this by looking for a "locked" icon in one corner of your browser. The web address should also begin with "https" rather than "http."

But be careful: some phishing sites put fake lock icons on their web pages. For inexperienced web surfers, this might be an effective trick. To avoid falling into this trap, ensure that the lock icon is located in the browser's window frame, rather than in the actual web page. And know that a secure site doesn't necessarily guarantee that a site is legitimate. URL masking techniques have the ability to make fake addresses appear to be those of actual secure companies. If you doubt the site's authenticity, call the site's owner.

Another way to evade scam artists is by keeping your browser and operating system updated. Download and install all patches and upgrades so that you are caught up with all the latest security updates.

Install an excellent personal firewall, antivirus software, antispyware software and antispam protection. Because these programs reduce the number of e-mail phishing scams that come your way, and keep malicious viruses at a distance, you won't have as many chances to fall prey to a phishing attack.

If you follow these rules and know how to stay away from the bait, you can avoid being hooked by a phishing scam. As long as you stay informed about phishing and keep one step ahead of the game, as tactics evolve with the times, you'll be swimming in safer waters.