As I sorted through several dozen newly arrived e-mails this morning, I noticed one from "Provider Inc." with "Order Sales Order" in the subject line. "Damn phishers," I thought as I prepared to send the message to the digital Dumpster.
On second thought, I wondered what would make someone fall for a message that appeared to me like an obvious phishing attempt. Well, people respond to sales receipts even if they haven't bought anything online recently--nobody wants to be charged for something they didn't buy.
So "Sales Order" was the first hook. After I opened the message--carefully--the clues to its bogus nature were everywhere. "North Luigi, AZ"? Are you kidding me? A fax number with a prefix of "006"? C'mon. The sad fact is, some of the poor souls the phisher targets with this e-mail will take the bait.
As phishing attempts go, this one was fairly well crafted. First, it managed to get through Gmail's built-in phishing filters. Second, it resembles a real invoice. You have to look closely to find the grammar errors and other mistakes that confirm a fake: "till" instead of "until," double "at," duplicate street addresses, and mismatched zip codes.
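The tells listed above (a ZIP code that doesn't belong to the state, a street address pasted twice, a fax number with an impossible prefix, doubled words and "till" for "until") are mechanical enough to check for. The following is an added example, not code from the original column: a small Python checker that flags those cues in an invoice-style message. The ZIP prefix table covers only a few states and the sample message is constructed to resemble the cues described, not the real e-mail.

```python
"""Heuristic checks for the invoice-style phishing cues described in the post.
Added example; ZIP ranges and the sample message are assumptions/constructed."""
import re
from collections import Counter

# Assumed first-three-digit ZIP ranges (inclusive) for a handful of states.
ZIP_RANGES = {"AZ": (850, 865), "CA": (900, 961), "NY": (100, 149), "TX": (750, 799)}
# Informal spellings a real billing system would not emit ("till" for "until").
INFORMAL_WORDS = {"till"}

ADDRESS_RE = re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:St|Ave|Rd|Blvd|Dr)\.?")
CITY_STATE_ZIP_RE = re.compile(r"\b([A-Z][a-z]+(?: [A-Z][a-z]+)*),\s*([A-Z]{2})\s+(\d{5})\b")
FAX_RE = re.compile(r"(?i)\bfax:?\s*([0-9+() -]{7,})")
DOUBLE_WORD_RE = re.compile(r"\b(\w+)\s+\1\b", re.IGNORECASE)

def phishing_indicators(body: str) -> list[str]:
    """Return human-readable red flags found in an invoice-like message body."""
    flags = []
    # Mismatched ZIP: the first three digits must fall inside the state's range.
    for city, state, zipcode in CITY_STATE_ZIP_RE.findall(body):
        lo, hi = ZIP_RANGES.get(state, (None, None))
        if lo is not None and not lo <= int(zipcode[:3]) <= hi:
            flags.append(f"ZIP {zipcode} does not belong to {state} ({city})")
    # Duplicate street address: the same address appearing more than once.
    for addr, n in Counter(ADDRESS_RE.findall(body)).items():
        if n > 1:
            flags.append(f"street address repeated {n} times: {addr}")
    # Bogus fax prefix: no North American number begins with 0.
    for number in FAX_RE.findall(body):
        digits = re.sub(r"\D", "", number)
        if digits.startswith("0"):
            flags.append(f"fax number with impossible prefix: {number.strip()}")
    # Doubled words ("at at") and informal spellings.
    for word in DOUBLE_WORD_RE.findall(body):
        flags.append(f"doubled word: '{word} {word}'")
    for word in INFORMAL_WORDS & set(re.findall(r"[a-z]+", body.lower())):
        flags.append(f"informal word: '{word}'")
    return flags

# Constructed sample modelled on the cues the post describes (not the real message).
SAMPLE = """Sales Order 4471
Bill to: 123 Mesa St. 123 Mesa St., North Luigi, AZ 30301
Fax: 006-555-0134
Payment is due till the 30th. Please remit payment at at your earliest convenience."""

if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE):
        print("FLAG:", flag)
```

Run against the constructed sample it reports five flags; a well-formed invoice with a Phoenix, AZ 850xx ZIP and a normal fax number produces none.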
User education is the key to phishing prevention
Phishers are the scum of the earth. According to CommTouch's October 2011 State of Hacked Accounts report (PDF), phishing e-mails are being sent increasingly from compromised accounts rather than from "zombie" addresses. This makes it more difficult for your e-mail provider to block the messages because they appear to originate from trusted domains.
According to a CommTouch survey of people whose e-mail accounts were hacked, Yahoo Mail (27 percent), Facebook mail (23 percent), Gmail (19 percent), and Hotmail (15 percent) were the principal targets of phishers. Not surprisingly, 62 percent of the survey respondents said they didn't know how their e-mail account was hacked, while 15 percent blamed a Facebook link, and another 15 percent pointed the finger at their use of a public Wi-Fi hot spot.
The survey found that 54 percent of the compromised accounts were used to send spam and 12 percent to promulgate the "friend stuck overseas" scam; 23 percent of the victims surveyed by CommTouch said they didn't know how their compromised account was used.
Perhaps the most telling result of the CommTouch survey is how people responded to the phishing attack: 42 percent changed their password, 8 percent ran antivirus software, 23 percent changed their password and ran antivirus software, and another 23 percent did nothing. To that last group I can only say, "thanks for being a part of the problem."
CommTouch's October 2011 Internet Threats Trend Report (PDF) takes a closer look at the techniques phishers are using to break into our e-mail and Web accounts.
Change your passwords regularly, and don't take the link bait
Nobody likes being micromanaged, but I have to grudgingly acknowledge the wisdom of policies requiring users to change their passwords at a set interval and preventing them from using passwords that are easy to guess. Last month Rob Lightner described several services that generate strong passwords. One of my favorite tricks is to use the second, third, or last letters in a common phrase, such as a relatively obscure song lyric or movie line.
Back in February 2008 I described the Password Commandments. Most of those tips were for protecting your Windows account, and include instructions for creating a password-reset disc in Vista and Windows XP. (The steps for doing so in Windows 7 are nearly identical to those for Vista.) But the article also covers how to delete saved passwords in browsers.
In the past I have recommended password managers, such as RoboForm and LastPass, but the fact is I don't use them. It's not that password managers are insecure, it's just that I'd rather keep my passwords in my head and nowhere else. There's also the pride factor: like going to the grocery store without a list, I want to trust my memory--at least until senescence takes hold.
Now, what was that other thing I wanted to write about? Oh yeah, link traps--those emotion-driven come-ons that lead directly to trouble. Of course everyone wants to know who has been viewing their Facebook profile, but there is no way to find out. Period. Any link that claims to let you is bogus.
Likewise, beware of offers to show you pictures or videos relating to celebrities and current events. Of course, the crooks are attempting to capitalize on the passing of Steve Jobs, as Graham Cluley reports on the Sophos Naked Security blog.
(Thank you, Mr. Jobs, for being the light of my generation--may it shine on!)
Phishers are criminals, and criminals hurt all of us. We owe it to each other to put these vermin out of business. Change your dang password, keep your dang software up-to-date, watch for suspicious e-mail, and don't believe the link hype. Pass it on.