Washington Apple Pi

A Community of Apple iPad, iPhone and Mac Users

Don’t Do It:

There’s Something Phishy About E-mail

© 2006 Lawrence I. Charters

Washington Apple Pi Journal, reprint information

Acidic Fishing With a High pH

Last year I wrote a lengthy, three-part series on computer security for Washington Pi Journal. Within a week after publishing the final piece, several Washington Apple Pi members – fairly prominent Pi members – created a minor tempest by responding to a series of fraudulent E-mail messages. No harm was done, but the fact that Pi members were so easily taken in by a scam is a sterling illustration of this very base crime. By definition, user group members should be better informed than the general public. Shouldn’t they?

“Phishing,” the crime in question, is a form of Internet fraud aimed at stealing valuable information, such as credit card numbers, personal information numbers (PIN codes), social security numbers, and computer user names and passwords. In its most common manifestation, a forged E-mail message, from a bank, insurance company, government agency or some other impressive institution, complete with institution logos, is sent to a user. It insists that you take some immediate action, and even includes an embedded link to an equally fake but legitimate-looking Web site. Once there, you are requested to enter all kinds of confidential or private information.

And with that information, your bank account and checking account can be emptied, your credit card used for fraudulent purchases, loans can be taken out in your name, and an almost endless number of other criminal activities can be undertaken – using your identity. Shown below are selections of 22 very official-looking E-mail scams sent to the Washington Apple Pi Webmaster E-mail address in a single day.

Phising come-ons

Within a single day, 22 “phishing” E-mail messages were sent to webmaster@wap.org, informing me that my CitiBank bank account, Amazon.com account, Second Bank & Trust account, eBay account, PayPal account, Chase account, and West Coast Bank accounts were compromised, in need of updating, displayed unusual activity, were inadvertently revealed, or in some other fashion needed my immediate, personal, and very private attention. There were 11 alleged messages from PayPal and six from eBay, showing exceptional concern. Except that “webmaster@wap.org” is not a real person, just an alias, and the Pi Webmaster has no account with any of these firms, has never visited any of their Web sites, or sent E-mail to any of their Web sites. On average, webmaster@wap.org and maceditor@wap.org receive several hundred such messages a month; fortunately, Apple’s Mail program filters virtually all of them into the Junk folder, where they are periodically given a quick glance and then flushed.

What Should You Do?

What can you do to prevent yourself from becoming a victim? The short answer is: don’t even read E-mail that comes from someone or some institution you don’t know personally. Financial institutions rarely send out E-mail, and if they do it is usually under the name of a specific representative responding to a specific request from you. All other messages should be labeled in your E-mail client as “junk,” either automatically or by you, so that your E-mail client knows how to handle them in the future. Apple’s Mail program in Mac OS X does a very good job of filtering out such junk.

Thunderbird 1.5, a free E-mail client from the Mozilla Foundation, has added a new twist: when it receives a message from a suspicious source, it prints a banner above the message: “Thunderbird thinks this message might be an email scam.” (See illustration below.) It guesses wrong every now and then, but for the most part it is appropriately paranoid.

Thunderbird is appropriately paranoid

Thunderbird thinks this message, allegedly from Wells Fargo, is a scam, probably because neither the message nor the Web links embedded in the page actually came from or go to Wells Fargo.

As you might expect, financial institutions and online merchants don’t take kindly to having their names associated with such frauds. Check the Web sites of your financial institutions and you’ll probably find links right on the front page alerting consumers to fraudulent E-mail messages. Most institutions have tutorials on how to protect yourself from such scams, and information on how the institution legitimately contacts its customers. Check out the resources at the end of this article for more information.

Phishing is the most common form of fraud committed in the United States. It is difficult and expensive to investigate, in large part because it takes specialized skills that few police forces have. The only real defense is: don’t be sucked in. Similar scams are attempted over the phone and by fax, hundreds of thousands of times every day.

Keep your private information to yourself. Don’t even read phishing E-mail messages. Don’t respond to telephone messages or fax messages requesting personal information unless you know it is directly related to something you’ve requested. Even then, be stingy: give out the minimum amount of information requested, and never via E-mail or over a wireless telephone.

The only thing you have to fear is: yourself.

Resources

Thunderbird:

http://www.mozilla.com/thunderbird/

U.S. Department of the Treasury, Office of Critical Infrastructure Protection and Compliance Policy: Identity Theft Resource Page:

http://www.treas.gov/offices/domestic-finance/financial-institution/cip/identity-theft.shtml

Chase Fraudulent Emails:

http://www.chase.com/cm/cs?pagename=Chase/Href&urlname=chase/cc/privacysecurity/reminder

Citigroup Citi Identify Theft Solutions: Email Safety:

http://www.citibank.com/us/cards/cardserv/advice/safe_email.htm

Second Bank & Trust: Internet Fraud Warnings:

https://www.secondbank.com/onlineFraud.asp