November 17, 2009 4:00 AM PST

FAQ: Recognizing phishing e-mails

by Elinor Mills

If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.

Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.

And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.

Here is some basic information that can help people avoid being tricked by phishing attacks.

What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.

Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.

Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.

This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.

(Credit: Screenshot by Elinor Mills/CNETNews.)

What are other recent examples of phishing attacks?

  • A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"

  • E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus Trojan, which is designed to steal bank passwords and other information.

  • E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

  • A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.

What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S., so they often contain misspellings and grammatical errors. Some have an urgent tone, and they seek sensitive information that legitimate companies don't typically ask for via e-mail.

What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from "Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S., so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt. Keep in mind that the displayed sender address is trivially forged, so a correct-looking "From" line is not, by itself, proof that a message is genuine.

The e-mail address may also be obscured. Hitting "reply" will expose the Reply-To address, which can differ from the displayed sender. You can also set your e-mail preferences to show the "full header" to see the Return-Path and the mail servers that actually handled the message. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.

Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing emails typically offer generic greetings, like "Dear PayPal customer."

Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com is a host under the security.com domain, not BankA's: whoever controls security.com controls that page. What matters is the registered domain just before the top-level domain, not a familiar name that appears earlier in the address. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address at the bottom of most Web browsers.

In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol, which encrypts the connection and uses a certificate to tie it to the domain name shown in the address bar. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. A padlock alone proves only that you are talking securely to whatever domain is in the address bar; a phisher can obtain a certificate for a look-alike domain of his own, so check that the domain itself belongs to the company. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.

If the e-mail has an attachment, be wary of executable files such as .exe. Scammers hide viruses and other malware in them so the code runs when the attachment is opened. Executables are also commonly wrapped in .zip archives or given double extensions such as "statement.pdf.exe" to disguise them.

Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.
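The checks in this section (sender domains, a generic greeting, and where each link really goes) can be scripted. What follows is an added example for this page, not code from CNET or from any of the companies named: it parses a constructed raw message modelled on the PayPal lure above (every address, host and IP in it is invented), compares the From domain with the Reply-To and Return-Path domains, and for each link in the HTML body reports a bare-IP host, a user-info trick such as http://www.paypal.com@.../, and anchor text that names a different registered domain than the target. The short list of two-label public suffixes is a stand-in for the real Public Suffix List.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the PayPal lure described above; every address, host and IP in it is invented.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
From: "PayPal Alerts" <Alerts@Paypal.co.uk>
Reply-To: verify@paypal-secure-center.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear PayPal customer,</p>
<p>Please <a href="http://www.paypal.com@198.51.100.7/verify">Get Verified!</a>
or log in at <a href="http://www.paypal.com.security-update.example/login">www.paypal.com</a>.</p>
<p>Read our <a href="https://www.paypal.com/security">tips on spotting spoof e-mail</a>.</p></body></html>
"""

# Two-label public suffixes so "Paypal.co.uk" reduces to paypal.co.uk rather than co.uk. This short set
# is an assumption of the example; real tooling uses the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
GENERIC_GREETING = re.compile(r"\bDear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|member|user|client)\b", re.I)
HOSTLIKE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def registered_domain(host: str) -> str:
    """The part of a hostname its owner actually registered: the label just before the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def sender_findings(msg) -> list:
    """Compare the visible From domain with the Reply-To and Return-Path domains."""
    findings = []
    from_dom = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        dom = registered_domain(addr.rpartition("@")[2]) if addr else None
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    return findings

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> so the target and the text can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self._current = [href, ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], " ".join(self._current[1].split())))
            self._current = None

def extract_links(html: str) -> list:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links

def link_findings(href: str, text: str) -> list:
    """Flags user-info tricks, bare-IP hosts, and anchor text that names a different domain than the target."""
    findings, parts = [], urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:  # http://www.paypal.com@evil.example/ : text before '@' is not the host
        findings.append(f"{href}: '@' in URL, the real host is {host}")
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass  # a real hostname: compare it with whatever the anchor text claims
    else:
        findings.append(f"{href}: link points at a bare IP address")
        return findings
    for shown in HOSTLIKE.findall(text):
        if registered_domain(shown) != registered_domain(host):
            findings.append(f"{href}: text shows {shown} but the link goes to {registered_domain(host)}")
    return findings

def analyze(raw_message: str) -> list:
    msg = email.message_from_string(raw_message)
    findings = sender_findings(msg)
    # First text part, decoded with its declared charset (walk() also covers multipart messages).
    body = next((p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                 for p in msg.walk() if p.get_content_maintype() == "text"), "")
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of the customer's name")
    for href, text in extract_links(body):
        findings.extend(link_findings(href, text))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Running it lists six findings for the sample; the third link, which really does go to paypal.com, produces none. None of these checks is proof on its own: a message that passes all of them can still be phishing, which is why the advice below to type the company's address yourself still applies.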

How can phishing attacks be avoided?

  • Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.

  • If an e-mail asking you to verify information looks reasonable, contact the company directly. Type the company's address into the address bar yourself rather than clicking on a link, or call them, using a phone number from a statement or the company's Web site rather than one provided in the e-mail.

  • Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.

  • Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.

  • Don't open e-mail attachments that you did not expect to receive. Don't click on download links sent via IM. And don't enter personal information in a pop-up window or e-mail.

  • Make sure you are using a secure Web site when submitting financial and sensitive information.

  • Change passwords frequently. Don't use the same password on multiple sites.

  • Regularly log into online accounts to monitor the activity and check statements.

  • Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.

(My colleague Larry Magid has more tips and a podcast interview with Symantec on avoiding phishing attacks.)

What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.

Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.

Here are additional resources.

http://apwg.org/consumer_recs.html

http://www.irs.gov/newsroom/article/0,,id=154848,00.html

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

This phishing e-mail includes a sender e-mail address and link that are obviously not associated with Facebook.

(Credit: Screenshot by Elinor Mills/CNETNews.)
Originally posted at InSecurity Complex
November 3, 2009 5:19 PM PST

Corporate bank accounts targeted in online fraud

by Elinor Mills


Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.

"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.

The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.

Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses who have been victims of online theft and detailing the attacks.

Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.

The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password; the criminals then either create another user account with that information or initiate a funds transfer while masquerading as the authorized user.

The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.
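The transfer pattern just described lends itself to a simple detection rule on the bank's or the business's side. The following is an added example, not part of the FBI or IC3 report and not CNET's code: it runs over a constructed set of outgoing transfers (the account names, amounts, the 85 percent "just under" band, the 24-hour window and the two-transfer minimum are all assumptions of the example) and flags an originating account that sends several sub-$10,000 payments to beneficiaries it has never paid before within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed payee history and transfer log; every account identifier here is made up.
KNOWN_PAYEES = {
    "ACME-OPS-0001": {"PAYROLL-SVC-77", "OFFICE-SUPPLY-12", "LANDLORD-3"},
}

# (timestamp, originating account, beneficiary, amount in dollars)
TRANSFERS = [
    ("2009-10-20 09:05", "ACME-OPS-0001", "PAYROLL-SVC-77", 48200.00),   # routine payroll run
    ("2009-10-21 02:14", "ACME-OPS-0001", "J-DOE-CHK-8812", 9650.00),    # new payee, off hours
    ("2009-10-21 02:16", "ACME-OPS-0001", "M-ROE-SAV-4410", 9810.00),
    ("2009-10-21 02:19", "ACME-OPS-0001", "K-POE-CHK-1207", 9475.00),
    ("2009-10-21 02:21", "ACME-OPS-0001", "L-LOE-CHK-9931", 9900.00),
    ("2009-10-21 10:30", "ACME-OPS-0001", "OFFICE-SUPPLY-12", 1340.50),  # routine supplier payment
]

REPORT_THRESHOLD = 10_000.00  # currency transaction reporting threshold the mules stay under
NEAR_FRACTION = 0.85          # "just under": at least 85% of the threshold (assumed band)
WINDOW = timedelta(hours=24)  # assumed clustering window
MIN_HITS = 2                  # assumed minimum number of such transfers to alert

def is_structured_amount(amount: float) -> bool:
    """True for amounts deliberately kept just below the reporting threshold."""
    return REPORT_THRESHOLD * NEAR_FRACTION <= amount < REPORT_THRESHOLD

def detect_structuring(transfers, known_payees, window=WINDOW, min_hits=MIN_HITS):
    """One alert per originating account whose sub-threshold payments to new payees cluster in `window`."""
    suspicious = defaultdict(list)
    for ts, origin, payee, amount in transfers:
        if payee in known_payees.get(origin, set()):
            continue  # an established payee is not part of this pattern
        if not is_structured_amount(amount):
            continue
        suspicious[origin].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), payee, amount))

    alerts = []
    for origin, events in suspicious.items():
        events.sort()
        start, best = 0, []
        for end in range(len(events)):        # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= min_hits:
            alerts.append({
                "account": origin,
                "count": len(best),
                "total": round(sum(e[2] for e in best), 2),
                "payees": [e[1] for e in best],
                "first": best[0][0].isoformat(sep=" "),
                "last": best[-1][0].isoformat(sep=" "),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_structuring(TRANSFERS, KNOWN_PAYEES):
        print(alert)
```

On the sample the payroll and supplier payments are ignored and the four early-morning transfers to new payees, $38,835 in seven minutes, raise one alert. In practice this rule would sit beside others (new payee plus off-hours login from a new device, for instance), since a business that genuinely onboards several vendors at once would also trip it.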

In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.

Current signature-based antivirus programs are increasingly ineffective, so companies should also consider heuristic detection, application whitelisting (allowing only known software and libraries to execute on a system), and reducing user privileges, the report advised.

Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.

"Money mule activity is essentially electronic money laundering...," the FDIC statement said.

Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.

"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."

Originally posted at InSecurity Complex
November 2, 2009 6:00 AM PST

Phishing, worms spike this year, say Microsoft and McAfee

by Elinor Mills

Scammers are targeting social networks with phishing scams and relying more heavily on worms and Trojans to attack computers, according to security trend reports to be released Monday by Microsoft and McAfee.

Phishing attacks saw a big spike in May and June, primarily because of campaigns targeting social-networking sites, according to Microsoft's report covering the first half of 2009. Gaming sites, portals, and Web sites of banks and retailers were also popular targets for phishing attacks, the report said.

Trojans top the list of threats to computer security, according to Microsoft's latest Security Intelligence Report.

(Credit: Microsoft)

Trojans, including rogue security software, remained the most prevalent category of threats, while Microsoft statistics show that worms rose from fifth place in the second half of last year to become the second most prevalent category, led by Conficker and followed by Taterf, which targets multiplayer online role-playing games.

During the first half of the year, Microsoft detected and cleaned rogue security software--which displays false antivirus warnings to trick people into paying for software they don't need--from 13.4 million computers. That was down from 16.8 million computers in the second half of last year.

Most of the drive-by download pages are hosted on legitimate Web sites that have been compromised by attackers through intrusion or malicious code posted to a poorly secured Web form, such as a blog comment field. The Trojan Downloaders & Droppers category was the type of malware most often delivered in drive-by attacks, according to Microsoft.

The number of total unique vulnerability disclosures across the industry was down sharply from a year ago. While browser vulnerabilities increased slightly, application vulnerabilities dropped and operating system holes were flat, Microsoft said.

Microsoft software accounted for 6 of the top 10 browser-based holes attacked on Windows XP computers, compared with only one on Vista computers. Of the top 10 browser-based holes exploited on computers running Vista, 2 targeted Adobe Reader and the most significant one targeted Adobe Flash Player. In the third spot was an exploit aimed at Internet Explorer.

Infection rates for Windows Vista were significantly lower than Windows XP, while the rate for Windows Server 2008 was less than Server 2003.

Microsoft released 27 security bulletins in the first half of the year, addressing 85 individual vulnerabilities. Of those, 11 were exploited within the first 30 days after the release of the security bulletin.

As far as computer security consciousness goes, the U.S. is in the middle, according to George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group. Japan is at or near the top of the list and Germany is high up too, he said.

"We are average," he added. "We are not one of the cleanest countries, we are dead on in the middle."

McAfee's report showed the U.S. as the top country when it comes to the number of compromised computers that are zombies used in botnets to do things like send spam, followed by China and Brazil. The U.S. also is the top distributor of spam and has the most servers hosting malware, McAfee said.

Spam comprises 92 percent of all e-mail. It jumped 24 percent from a year ago, McAfee said.

Originally posted at InSecurity Complex
October 28, 2009 3:02 PM PDT

Twitter users warned about new phishing attack

by Elinor Mills

This is Twitter's spam warning.

(Credit: Twitter)

Twitter warned on Wednesday about a new phishing attack in which direct messages to users link to a fake log-in page that steals passwords.

"We've seen a few phishing attempts today; if you've received a strange (direct message), and it takes you to a Twitter log-in page, don't do it!" the Twitter spam warning says.

The direct messages say: "hi. this you on here? http://blogger.djh****.com," Sophos reports in a blog post. The full URL is obscured to prevent people from unwittingly visiting the phishing site.

Clicking on the link takes a user to a page that looks like a legitimate Twitter log-in page. When the user types in the username and password, a fake version of Twitter's "over capacity" message is displayed, with the image of the notorious "fail whale" held aloft by birds.

"When I visited the page, I was then slingshot to another Web page on Blogspot.com, claiming to belong to a blogger called NetMeg99," Sophos researcher Graham Cluley wrote. "It's not clear if NetMeg99 is involved in the phishing scam, but there is a suggestion that her Web page did also try to phish for credentials at one point."

If you have been duped by this phishing ruse, Sophos suggests that you immediately change your password at Twitter and any other sites where you used the same log-in credentials.

Originally posted at InSecurity Complex
October 28, 2009 1:16 PM PDT

Bank Trojan botnet targets Facebook users

by Elinor Mills

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.

This is a screen shot of the message in the body of the fake Facebook e-mail.

(Credit: AppRiver)

When they provide that information, victims are taken to a page that offers an "Update Tool," but that is actually the Zeus bank Trojan, which is designed to steal financial and personal data, Touchette said.

Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.

There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.

More details are on the AppRiver blog.

On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.

To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.

Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.

If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.

This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.

(Credit: AppRiver)

Originally posted at InSecurity Complex
October 8, 2009 4:51 PM PDT

Phished or not, leaked passwords show lazy habits

by Elinor Mills

These are the 20 most common passwords, based on 10,000 analyzed by Acunetix.

(Credit: Acunetix)

It's still unclear exactly how 20,000 passwords discovered on the Web recently were stolen, but the finding reveals much in the way of people's password habits: some of us are lazy.

Several lists of passwords from Hotmail, Gmail, Yahoo Mail, and other accounts were discovered and reported on earlier in the week. While Microsoft, Google, and Yahoo are blaming phishing, a researcher at ScanSafe thinks password-stealing malware on computers could be the culprit, which would mean that more than just the Web e-mail accounts may have been compromised.

More on that later. First, let's look at what an analysis of the leaked passwords reveals.

Security researcher Bogdan Calin did a statistical analysis of the list of more than 10,000 Windows Live Hotmail passwords and wrote about his findings on the Acunetix blog. He discovered that the most common password was "123456," used for 64 of the passwords. In second place was "123456789," used for 18 of them. Also, 42 percent of the passwords used only lower case letters.

While that shows some people aren't exercising caution in securing their e-mail accounts, other statistics reveal that many people are putting more thought into it.

For instance, 30 percent used a combination of uppercase and lowercase letters and numbers. Twenty-two percent of the passwords used six characters, 14 percent used seven, 21 percent used eight, and 12 percent used nine characters. One account even had a password that was 30 characters long.

"My impression is that these passwords have been gathered using phishing kits," Calin writes. "Even more, the phishing kit used most probably was badly designed, since it was one that didn't further authenticate the users to the Hotmail/Live Web site. I think it just returned an error message after grabbing the credentials. I noticed this because some of the passwords are repeated once or twice (sometimes with different capitalization). What most probably happened, is that the users didn't understand what was happening, and they tried to enter the same password again and again, thinking the password was wrong."
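As an added illustration of the kind of analysis described above (this is not Calin's code and it is not run on the actual leaked list), the following computes the same statistics over a small constructed list of username/password pairs and applies his retry heuristic: a user who appears more than once with the same password, possibly in different capitalization, looks like a victim retyping into a phishing form that kept returning an error. It also counts entries without an "@" in the username, the kind of merge artefact a dump's provenance can be judged by. All entries are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (username, password) pairs; none of these are real accounts.
LEAKED = [
    ("alberto@example.com", "123456"),
    ("alberto@example.com", "123456"),      # same user, same password: a retry?
    ("andrea.b@example.com", "alejandra"),
    ("andrea.b@example.com", "Alejandra"),  # retry with different capitalization
    ("bob77@example.com", "123456789"),
    ("brenda@example.com", "Tr0ub4dor&3"),
    ("bart@example.com", "123456"),
    ("bea@example.com", "qwerty"),
    ("alan", "iloveyou"),                   # '@' and domain missing: a merge artefact?
    ("amy@example.com", "Summer2009"),
    ("brian@example.com", "123456"),
    ("ben@example.com", "correcthorsebatterystaple"),
]

LOWER_ONLY = re.compile(r"^[a-z]+$")

def is_mixed(pw: str) -> bool:
    """Upper case, lower case and digits all present."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

def percent(n: int, total: int) -> float:
    return round(100.0 * n / total, 1) if total else 0.0

def probable_retries(entries) -> list:
    """Users who appear more than once with the same password, ignoring case."""
    by_user = defaultdict(list)
    for user, pw in entries:
        by_user[user].append(pw.lower())
    return [u for u, pws in by_user.items() if len(pws) > 1 and len(set(pws)) < len(pws)]

def analyze_dump(entries) -> dict:
    """The statistics the blog post quotes, plus two data-quality signals about the dump itself."""
    total = len(entries)
    passwords = [pw for _, pw in entries]
    return {
        "total": total,
        "top_passwords": Counter(passwords).most_common(3),
        "lowercase_only_pct": percent(sum(bool(LOWER_ONLY.match(p)) for p in passwords), total),
        "mixed_case_digits_pct": percent(sum(is_mixed(p) for p in passwords), total),
        "length_distribution": dict(sorted(Counter(len(p) for p in passwords).items())),
        "probable_retries": probable_retries(entries),
        "malformed_usernames": sum("@" not in user for user, _ in entries),
    }

if __name__ == "__main__":
    for key, value in analyze_dump(LEAKED).items():
        print(f"{key}: {value}")
```

Duplicate entries are counted as Calin counted them, once per line, so a retried password inflates its own popularity slightly; an analyst who wants the per-account figure can deduplicate on username first.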

Mary Landesman, senior security researcher at ScanSafe, theorizes that passwords were obtained by a data-stealing Trojan horse and not phishing.

There are errors in the list of Hotmail passwords that appear to be the result of improper extracting or merging data, she writes on the ScanSafe blog.

Among other reasons, Landesman notes that usernames often appear multiple times with the same password except for a slightly different spelling. Also, she said the "@" separating the username from the account is not always present, which could indicate that the data was pieced together from a form or was extracted from a larger set of data.

Asked to comment on Landesman's speculation, Microsoft and Yahoo representatives said the companies still think the passwords were phished.

A Google spokesman offered this comment: "Passwords can be compromised in multiple ways, so it's a good idea to take several steps to help protect your personal information. Select unique passwords, especially on your most important Web sites, and use antivirus software to help detect software that may try to steal your password."

It's important to remember that phishing can also lead to the download of malware onto a victim's computer, so people may never know exactly what happened.

Regardless, be careful out there.

(Related: See Larry Magid's story for tips on making strong, easy-to-remember passwords.)

Update, 1:20 p.m. PDT on October 9: The list of passwords analyzed apparently was limited to usernames starting with A and B, which is not exactly a representative sample but could explain the use of Spanish words beginning with "A."

Originally posted at InSecurity Complex
October 7, 2009 5:35 PM PDT

Podcast: Symantec exec on how to avoid being a phishing victim

by Larry Magid

Phishing attacks have been around for a while and you might think that most people are savvy enough to avoid them. But, as CNET's Elinor Mills discovered, even FBI Director Robert Mueller finds it hard to distinguish a rogue phishing site from a legitimate bank website.

Symantec Internet safety adviser, Marian Merritt

(Credit: Symantec)

This week there have been two major phishing stories. One involved e-mail account names and passwords of Hotmail and Gmail users being compromised through a phishing attack and posted on a website. The other (which Mills also wrote about in the story linked above) involved the indictment of 100 people in the U.S. and Egypt and the arrest of 33 more people in the U.S. as part of the largest cyber crime investigation in the U.S.

After writing my blog post on how to avoid becoming a phishing victim, I got a call from Symantec with an invitation to speak with its Internet safety adviser and blogger, Marian Merritt. Without overly pushing her company's products (which actually can help people avoid phishing scams), she talked about the recent arrests, the problem in general and gave some of her own tips on how to avoid being a victim.


Originally posted at For the Record Podcast
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
October 7, 2009 4:07 PM PDT

Wife bans FBI head from online banking

by Elinor Mills

Robert Mueller

(Credit: James Martin/CNET)

SAN FRANCISCO--No one is immune from cyberthreats, not even the head of the FBI.

FBI Director Robert Mueller was banned by his wife from doing online banking after he nearly fell for a phishing scam, he said on Wednesday during a talk at the Commonwealth Club of California.

He received an e-mail purporting to be from his bank that looked "perfectly legitimate" and which prompted him to verify some information. He started to follow the instructions but then realized that that "might not be such a good idea," he said.

"Just a few clicks away from falling into a classic Internet phishing scam," Mueller "barely caught himself in time" and admitted he "definitely should have known better."

He said he changed his passwords and tried to pass the incident off to his wife as a "teachable moment," but she was having none of it and told him, "It is our money. No more Internet banking for you!"

(He would have benefited from reading Larry Magid's tips for avoiding phishing scams.)

Earlier on Wednesday, the FBI in Los Angeles announced indictments of 100 people in the U.S. and Egypt, and the arrest of 33 people in California, Nevada, and North Carolina as part of "Operation Phish Phry"--the largest cybercrime investigation to date in the U.S.

Egyptian hackers are accused of targeting two U.S. financial institutions in phishing attacks and using the stolen bank account information to get unauthorized access to the accounts, coordinating with associates in the U.S. to transfer the money out of the accounts, the FBI alleges.

The U.S. defendants allegedly recruited "runners" to set up bank accounts where the funds from the compromised accounts could be transferred and withdrawn. There were hundreds or thousands of bank customer victims, the FBI estimated.

"It's the largest international phishing case ever conducted," Mueller said.

Many of the scams come from people in Eastern Europe, he said. To support investigations in Romania, the FBI has agents embedded in the police agencies there and managed to arrest more than 100 people in that country and in the U.S. in the last year, he said.

During a question-and-answer session, Mueller was asked how vulnerable the U.S. is to attacks on its critical infrastructure. The U.S. is "well ahead of just about any country (in) walling off access to outsiders to our most sensitive" systems, he said. Officials have seen instances of cyberattacks by terrorists, but "they have not yet been of the magnitude that would cause us substantial concern," Mueller said.

Meanwhile, terrorists are using things like Google Earth as tools in their mission, he said.

One audience member submitted a comment card that the fear of the FBI reading citizen e-mail was greater than the fear of teenage hackers. The FBI does not intercept communications without a court order of some kind, Mueller said. "I would worry about that teenage hacker more than you should worry about us," he added.

"I'm comfortable with the stances we've taken," on balancing civil liberties and national security, he said, adding that he supports the Patriot Act because it "broke down the walls between the intelligence community and law enforcement." He warned people against revealing too much of their lives online, on sites like Facebook.

The personal moments shared with friends as a youth may later "come back to haunt you" during a job search, he said, despite the use of passwords and the supposed anonymity of screen names. "To the extent that you are going to rely on that forever, it's very, very weak security," Mueller said.

"I do not have a Facebook profile," he later added.

Young hackers also shouldn't expect to parlay their computer skills into a legitimate career if they get arrested for breaking into systems and serve time, he warned.

"You hack, you get caught," he said. "You are going to jail... You are not going to get a good job afterward. You are going to be identified as a person who has broken the law."

Asked what keeps him awake at night, Mueller responded: "The threat of a weapon of mass destruction in the hands of a terrorist... One person with access to a biological or chemical agent can cause massive harm."

Related podcast: Symantec Internet safety adviser Marian Merritt discusses how to avoid being a phishing victim.

FBI Director Robert Mueller talks about how the agency fights cybercrime.

(Credit: James Martin/CNET News)
Originally posted at InSecurity Complex
October 6, 2009 3:15 PM PDT

Avoid being a victim of an e-mail phishing scam

by Larry Magid

A recent phishing scam resulting in usernames and passwords of Microsoft's Hotmail, Google's Gmail, and possibly accounts of AOL and Yahoo users being posted online is cause for concern for anyone who uses any of those services. Rather than panic, though, there are simple ways to avoid becoming a victim or being further victimized, if your account has already been compromised.

Microsoft and Google said the compromised information likely came as a result of a phishing scam, through which millions of people are sent e-mail (often warnings about a fake security breach), asking them to click on a link to take them to a Web site so that they can enter their correct information.

When phishing attacks first became prevalent, the fake sites were often crude imitations of the real things, but these days, they can look exactly like the legitimate site, typically of a bank, a payment service such as eBay's PayPal, or another financial company. When the user logs in with a username and password, or provides credit card numbers and other confidential data, that information is captured by the e-mail senders, who can use it to impersonate the victims.

In addition to someone being able to read your messages, a risk of having your e-mail account compromised is that many sites will send a lost password to an e-mail address, so if criminals can access your e-mail, they might be able to use it to get passwords from other sites, including financial accounts.


BBC News is reporting that it has seen lists containing more than 30,000 names and passwords, some of which "appear to be old, unused or fake," but "many--including Gmail and Hotmail addresses--are genuine." To put this into context, Gmail and Hotmail sites had more than 84 million unique visitors in July. Yahoo Mail had more than 156 million unique visitors, according to ComScore.

Here's some advice that can help you avoid becoming a phishing victim.

Change passwords regularly
Even if this particular breach hadn't occurred, many experts recommend that you change your password about every three months. This is as good a time as any to do just that. It's also a good idea to avoid using the same password on multiple sites, but if you're one of the many people who have done that, be sure to change your password elsewhere. Gmail asks users to provide them with an alternate e-mail address, so be sure to change the password for that account as well.

As I pointed out in this post about password security, consider using a password manager like LastPass (free) or RoboForm that can generate and manage strong passwords.

Click cautiously
If you get an e-mail that appears to be from a legitimate site with a request that you click on a link to visit the site for any reason, including updating your security information, think before you click. It might be taking you to a rogue site that captures that information for possible identity theft or other crime. It's safer to just type in the URL yourself. Be extremely wary of any requests to provide Social Security numbers or credit card information, unless you're absolutely sure that you're dealing with a legitimate site. When visiting a site, make sure that the URL is that of the organization.

Look for secure sites
If you're asked to provide sensitive information such as a credit card number, be sure that the URL begins with "https" (the "s" stands for "security") and that there is a padlock icon, typically in the lower-right corner of the browser.

Use a phishing filter and good antimalware software
The most recent versions of most browsers, including Microsoft's Internet Explorer and Mozilla's Firefox, help filter phishing sites, as do security suites from McAfee, Symantec, TrendMicro, and other companies. Security software also helps protect you against malicious software that can log your keystrokes, or otherwise jeopardize your privacy and security. Make sure that your security software and your operating system are up-to-date.

Think critically
If something seems too good to be true, it's almost invariably too good to be true. Think about what you're about to do on any site you visit, especially if it's a site you don't already trust. Never use the same password on an unknown site that you use for e-mail, banking, or other sites where security is essential.
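The "Click cautiously" and "Look for secure sites" checks above can be applied mechanically to the links in a suspicious message. The following is an added example, not code from the article or from any of the companies it names; the sample links are constructed to illustrate the tricks the article warns about (a lookalike host that merely contains the real domain, a username before "@" that looks like the site, a bare IP address, and a plain-http link), and paypal.com is used only because the article mentions it.

```python
from urllib.parse import urlsplit


def host_belongs_to(host: str, org_domain: str) -> bool:
    """True only if host is org_domain itself or a genuine subdomain of it."""
    host = host.lower().rstrip(".")
    org_domain = org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)


def check_link(href: str, org_domain: str) -> list[str]:
    """Return the reasons a link fails the article's checks (empty list = passes).

    The URL must use https, and the real host of the URL (not the text shown
    in the e-mail, and not anything before an '@') must be the organization's.
    """
    problems = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() != "https":
        problems.append(f"scheme is {parts.scheme or 'missing'!r}, not https")
    if "@" in parts.netloc:
        problems.append("URL contains '@': text before it is a username, not the site")
    host = parts.hostname or ""  # urlsplit already strips userinfo and port
    if not host:
        problems.append("no host in URL")
    elif host.replace(".", "").isdigit():
        problems.append(f"host is a bare IP address ({host}), not a domain name")
    elif not host_belongs_to(host, org_domain):
        problems.append(f"host {host!r} is not {org_domain} or a subdomain of it")
    return problems


# Constructed sample links (hypothetical hosts, not real sites).
SAMPLE_LINKS = [
    ("https://www.paypal.com/signin", "paypal.com"),
    ("http://www.paypal.com.account-verify.example/login", "paypal.com"),
    ("https://www.paypal.com@198.51.100.7/login", "paypal.com"),
    ("https://paypa1.com/update", "paypal.com"),
]


def audit(links=SAMPLE_LINKS) -> dict[str, list[str]]:
    """Run check_link over every (href, expected domain) pair."""
    return {href: check_link(href, org) for href, org in links}


if __name__ == "__main__":
    for href, problems in audit().items():
        print(href, "->", "OK" if not problems else "; ".join(problems))
```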

The U.S. Department of Homeland Security's National Cyber Alert System has additional tips to help you avoid phishing and other social engineering attacks, and ConnectSafely.org has tips to create and manage strong passwords.

Originally posted at Safe and Secure
Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of ConnectSafely.org, founder of SafeKids.com and SafeTeens.com, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on CBSNews.com. He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry or follow him on Twitter @larrymagid.
October 1, 2009 3:54 PM PDT

Targeted e-mails distribute malware in PayChoice breach

by Elinor Mills
  • 10 comments

Payroll processor PayChoice said Thursday it is investigating a breach in which customers received targeted e-mails purporting to be from the company but were designed to trick people into downloading malware.

Workers received e-mails last week that directed them to download a browser plug-in or visit a Web site so they could continue accessing the Onlineemployer.com PayChoice portal. Malware in the download and on the Web site turned out to exploit holes in Internet Explorer, Adobe Flash, and Adobe Reader, PayChoice said.

The e-mails were targeted to individuals and included their user names, login IDs, and partial passwords, thus increasing the chance that recipients would be likely to fall for the ruse.

In a statement, PayChoice did not say how many people received the e-mails but said most of the employees served by PayChoice do not use the portal. PayChoice, based in Moorestown, N.J., provides payroll software and services to 125,000 businesses.

"Within hours of the attack, the company notified its clients, shut down the site www.onlineemployer.com and deployed further security measures to protect client information before restoring access to the system," the company said in the statement. "PayChoice also immediately notified the authorities and is working with federal law enforcement to find those responsible."

The company confirmed a report on The Washington Post's Security Fix blog that the malware downloaded a Trojan horse dubbed "Bredolab," which tries to put additional malicious files on the system and to disable host-based intrusion prevention systems, according to Microsoft's Malware Protection Center.

"PayChoice discovered a security breach in its online system on Wednesday, September 23, 2009," PayChoice Chief Executive Robert Digby said in an earlier statement. "We are handling this incident with the highest level of attention as well as concern for our clients, software customers and the employees they serve."

The company has hired two forensic experts to investigate the breach, Digby said.

The e-mail was sent through Yahoo's Web e-mail service, and the Web sites linked to in the e-mails were hosted on servers in Poland, according to an e-mail PayChoice sent to customers after the incident that was obtained by Security Fix.

The PayChoice portal displays this warning about the social engineering e-mail.

(Credit: OnlineEmployer.com)
Originally posted at InSecurity Complex