October 6, 2009 3:15 PM PDT

Avoid being a victim of an e-mail phishing scam

by Larry Magid

A recent phishing scam resulting in usernames and passwords of Microsoft's Hotmail, Google's Gmail, and possibly accounts of AOL and Yahoo users being posted online is cause for concern for anyone who uses any of those services. Rather than panic, though, there are simple ways to avoid becoming a victim or being further victimized, if your account has already been compromised.

Microsoft and Google said the compromised information likely came as a result of a phishing scam, through which millions of people are sent e-mail (often warnings about a fake security breach), asking them to click on a link to take them to a Web site so that they can enter their correct information.

When phishing attacks first became prevalent, the fake sites were often crude imitations of the real things, but these days, they can look exactly like the legitimate site, typically of a bank, a payment service such as eBay's PayPal, or another financial company. When the user logs in with a username and password, or provides credit card numbers and other confidential data, that information is captured by the e-mail senders, who can use it to impersonate the victims.

In addition to someone being able to read your messages, a risk of having your e-mail account compromised is that many sites will send a lost password to an e-mail address, so if criminals can access your e-mail, they might be able to use it to get passwords from other sites, including financial accounts.

Podcast: Symantec's Marian Merritt on how to avoid being a victim (mp3 download).

BBC News is reporting that it has seen lists containing more than 30,000 names and passwords, some of which "appear to be old, unused or fake," but "many--including Gmail and Hotmail addresses--are genuine." To put this into context, Gmail and Hotmail sites had more than 84 million unique visitors in July. Yahoo Mail had more than 156 million unique visitors, according to ComScore.

Here's some advice that can help you avoid becoming a phishing victim.

Change passwords regularly
Even if this particular breach hadn't occurred, many experts recommend that you change your password about every three months. This is as good a time as any to do just that. It's also a good idea to avoid using the same password on multiple sites, but if you're one of the many people who have done that, be sure to change your password elsewhere. Gmail asks users to provide an alternate e-mail address; since a password reset can be sent there, be sure to change the password for that account as well.

As I pointed out in this post about password security, consider using a password manager like LastPass (free) or RoboForm that can generate and manage strong passwords.

Click cautiously
If you get an e-mail that appears to be from a legitimate site with a request that you click on a link to visit the site for any reason, including updating your security information, think before you click. It might be taking you to a rogue site that captures that information for possible identity theft or other crime. It's safer to just type in the URL yourself. Be extremely wary of any requests to provide Social Security numbers or credit card information, unless you're absolutely sure that you're dealing with a legitimate site. When visiting a site, make sure that the URL is that of the organization.

Look for secure sites
If you're asked to provide sensitive information such as a credit card number, be sure that the URL begins with "https" (the "s" stands for "security") and that there is a padlock icon, typically in the lower-right corner of the browser.

Use a phishing filter and good antimalware software
The most recent versions of most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, help filter phishing sites, as do security suites from McAfee, Symantec, Trend Micro, and other companies. Security software also helps protect you against malicious software that can log your keystrokes or otherwise jeopardize your privacy and security. Make sure that your security software and your operating system are up-to-date.

Think critically
If something seems too good to be true, it's almost invariably too good to be true. Think about what you're about to do on any site you visit, especially if it's a site you don't already trust. Never use the same password on an unknown site that you use for e-mail, banking, or other sites where security is essential.

The U.S. Department of Homeland Security's National Cyber Alert System has additional tips to help you avoid phishing and other social engineering attacks, and ConnectSafely.org has tips to create and manage strong passwords.

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote the Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
19 Comments
by tacit October 6, 2009 6:08 PM PDT
Asking people to "look for a padlock" actually does surprisingly little good. Many phish sites have a small picture of a padlock on the site itself, and a surprisingly high percentage of people do not understand that a padlock inside the Web page means nothing; they need to look for a padlock on the edge of the window.

I've sat and watched people, including friends, family, and clients, surf the Web, and asked them how they know where they are and whether the site they are on is safe. The overwhelming majority--including people who are reasonably computer savvy--say they believe a picture of a padlock inside the Web page means they are safe; others say that they think the look and logos on the site tell them that the site is safe.

Also, I'm surprised you did not mention looking at the URL itself. Phishers and other criminals will often use URLs that look like "somehackedsite.com/www.paypal.com/cgi-bin/webscr"; others will create URLs that look like "www.paypal.com.webscr.cgi.1121234.cn". Again, the majority of computer users will be fooled by these URLs because they do not understand how to read a Web address. They see "paypal.com" in there and feel reassured.
Reply to this comment
by TobyGalino October 8, 2009 3:44 PM PDT
So true, Tacit. SSL certificates are over 10 years old, and introduced visitors to secure encryption with a simple yellow padlock icon in their Web browser. Extended Validation SSL, only 2 years old, goes beyond that to guarantee verification of the company's legitimacy. This process intends to thwart "phishers," aka the criminals creating deceptive websites, luring people with one click from a fake email in order to collect personal and financial data. We find here at VeriSign that if the site is collecting sensitive data, they have migration to EV SSL in their web plan.
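An added example, not from the article or from the commenters, of the point tacit makes above and of the article's advice to "make sure that the URL is that of the organization": only the host part of a URL, reduced to its registrable domain, says who serves the page, while a brand name in the path or in a subdomain label says nothing. The trusted-domain set and the last-two-labels rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains the user actually intends to visit.
# Constructed for this example; a real deployment would use the
# Public Suffix List instead of the last-two-labels rule below.
TRUSTED_DOMAINS = {"paypal.com", "google.com", "hotmail.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Deliberate simplification: suffixes such as 'co.uk' need the
    Public Suffix List to be handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Classify a URL as 'trusted', 'brand-in-path',
    'brand-as-subdomain' or 'unrelated', judging only by the host."""
    if "://" not in url:
        url = "http://" + url            # bare host, as typed into the bar
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # strips userinfo, port, path
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"
    # Everything after the host is chosen by whoever runs that host,
    # so "somehackedsite.com/www.paypal.com/..." is not PayPal.
    rest = (parts.path + "?" + parts.query).lower()
    if any(d in rest for d in TRUSTED_DOMAINS):
        return "brand-in-path"
    # "www.paypal.com.webscr.cgi.1121234.cn": the brand is only a run of
    # subdomain labels under a completely different registrable domain.
    dotted = f".{host}."
    if any(f".{d}." in dotted for d in TRUSTED_DOMAINS):
        return "brand-as-subdomain"
    return "unrelated"


if __name__ == "__main__":
    # The two deceptive shapes quoted in tacit's comment, plus the real site.
    for sample in ("somehackedsite.com/www.paypal.com/cgi-bin/webscr",
                   "www.paypal.com.webscr.cgi.1121234.cn",
                   "https://www.paypal.com/cgi-bin/webscr"):
        print(f"{classify_url(sample):20} {sample}")
```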
by terminalblue October 6, 2009 7:05 PM PDT
Maybe I have the wrong idea about this, but this is just basically thinning out the herd. If these people are learning a lesson from this then good. They need to learn their lesson sometime.
Reply to this comment
by autoprt October 6, 2009 9:33 PM PDT
terminalblue, not everyone just replies to phishing sites because they want to. I had written a complaint to PayPal and unfortunately within 10 minutes I had received a phishing email from "PayPal". It even read something similar to www.paypal.com.webscr.cgi.1121234 and it really appeared as the real thing. You know the rest of the story: my account was hacked and I had to start a new PayPal account. But to self-righteously preach to others about learning a lesson is BS.
by celticbrewer October 7, 2009 6:15 AM PDT
Terminal, while I agree with you in principle, what you're suggesting is like asking that everyone who drives a car know how to replace a transmission filter. It sounds like a simple thing that they should know, but c'mon- not everyone will have a clue. Can you imagine grandma on a creeper or understanding encryption/SSL/URL formatting?
by justthetrue October 6, 2009 8:09 PM PDT
Another simple way to test if one is accessing the real thing is to just enter the wrong password the first time. If it takes it, you are in the wrong place!!!!!
Most web sites allow for at least three tries to enter the correct password.
Reply to this comment
by celticbrewer October 7, 2009 6:16 AM PDT
+5 for a damn good idea.
by ilsthey October 7, 2009 8:55 AM PDT
Just know this is not 100% true.

The really sophisticated hackers will actually take your password and post it to the real site from their server. And then display the response back to you.

Thus they know they have gotten the real thing or not.
by ilsthey October 7, 2009 8:57 AM PDT
Just know this is not 100% true.

The really sophisticated hackers will take your password and post it to the real site from their server and then relay the response back to your browser.

Thus they know when they have gotten real passwords.
by setjeff15081947 October 7, 2009 11:57 AM PDT
So Simple ... yet Brilliant! Thank you for the Tip, "justthetrue".
by SergeM256 October 7, 2009 2:00 PM PDT
"... if it take it (wrong password) .." - what does it mean? To get to the real website you need the correct password; you will know you are logged in to your account once you are logged in. No, I don't think so. If I were a hacker I would save the username/password and redirect to the real web site, to the page "Enter password again", and the user could go to the real website.
by irdac October 8, 2009 9:16 AM PDT
A simple method to avoid phishing is -- never use the link in any email. Store the correct web page data and your password etc. in a program which encrypts the data. Use only this data to open the web page and then you know you are dealing with the right organisation. Even an email which seems perfect can be a fake, so don't use any links. If the email came from an honest source you have only wasted a few mouse clicks to make sure you are safe.
by ttboy404 October 6, 2009 8:31 PM PDT
Does Spoofstick work?

I have been using it for years. I have never had a way to test it. It is simple, and if it actually works, brainless to use.
Reply to this comment
by BethJones-Sophos October 7, 2009 10:24 AM PDT
It's worth noting that email is not the only way to be phished. I am on several of the social media sites and I see rogue applications that are collecting email addresses and passwords at least a couple times a month. The whole "If you liked this application, send it to your friends" is really a phishing attack - it asks for your email address and password to "send" to your friends. The phishers then have your information.

We here at Sophos also saw in the list a lot of kid culture passwords, which lends credit to the multi-vectored attack. An email phish wouldn't work on a small child, but a "send this application to your friends" would.

See our blog posts about the attack and some security tips below:

http://www.sophos.com/blogs/sophoslabs/v/post/6719
http://www.sophos.com/blogs/chetw/g/2009/10/06/hotmail-heist-update-release/
http://www.sophos.com/blogs/sophoslabs/v/post/5329
Reply to this comment
by Senlamy October 7, 2009 1:15 PM PDT
Since you are talking about generating strong password, remembering them is difficult and changing them also. For this purposes I use Sticky Password Manager. It has all I need for this.

http://www.stickypassword.com
Reply to this comment
by howiem October 8, 2009 5:02 AM PDT
Here are some things one can do (in addition to Larry Magid's good advice).
1. Get the program Sandboxie. Set up a separate sandbox for each bank you use. Delete the contents of the sandbox after every banking session. When accessing your bank do not open other websites in that sandbox.
2. Use KeyScrambler.
3. Get a password manager, like RoboForm, to avoid typing in passwords.
4. When you log into a bank's web site for the first time, make sure it is the genuine web site. Call the bank to verify if you are uncertain.
5. Once you have securely logged in, click a random link on that secure web page. Make sure that the new page that loads also has an https address, and not an http address. Bookmark the page.
6. Thereafter use only that bookmarked page when you want to access your account online.
7. What this does is redirect you to the genuine login page via the bank's secure server.
8. Repeat the procedure for each banking web site.
Never access any bank by clicking a link in an email, an instant message or on the Internet.
Reply to this comment
by Dr_Zinj October 8, 2009 8:10 AM PDT
I don't bank on-line.
I pay my bills by mail and with a check.
I balance my checkbook on a monthly basis.
I verify every line item in the statement.
I use account debiting only.
Bank is instructed to not honor credit card charges without personal confirmation.

Not as convenient maybe, but I haven't been hacked or scammed either.
Reply to this comment
by jo134 October 8, 2009 11:38 AM PDT
Obama is the Heartbeat of America he is not a scam.

If You Don't Have Insurance, the Obama Plan:

* Creates a new insurance marketplace -- the Exchange -- that allows people without insurance and small businesses to compare plans and buy insurance at competitive prices.
* Provides new tax credits to help people buy insurance.
* Provides small businesses tax credits and affordable options for covering employees.
* Offers a public health insurance option to provide the uninsured and those who can't find affordable coverage with a real choice.
* Immediately offers new, low-cost coverage through a national "high risk" pool to protect people with preexisting conditions from financial ruin until the new Exchange is created.
Reply to this comment
by kaiman75 October 19, 2009 8:42 AM PDT
@ jo134 - You sound like a scam...

Also, the author forgot to mention an important rule of thumb: That users should not use the same passwords for their various accounts. This way, if one does get compromised, the hackers won't be able to get into your other accounts or at least will have a much harder time...
Reply to this comment