Monday, May 30, 2005

Email Security Part I - Gone "Phishing"

Phishing for your personal info that is.

For those of you who use email, which is practically everyone who actually uses a computer and surfs the internet, "phishing" (pronounced "fishing") is the term used to describe emails sent out by individuals, whom I shall politely refer to as scumbags, bottom-feeders and the like, who are trying to steal your personal information.

These dirtbags send out phishing emails that are made to look like legitimate messages from your bank or from businesses you deal with. Very often they target Citibank, PayPal or eBay customers, since a huge number of people have accounts with these large, well-known companies and the odds of hitting an actual customer are good. It's incredibly easy for anyone to copy a legitimate email message, swap in a bogus link or some malicious code, and send it out to every single email address they can come up with (also called "spamming").

The intent of a phishing attack is to lure you into clicking on a bogus link or filling out a form so they can steal your username and password. If you follow the instructions or links in these phishing emails, they take you to a fake website forged to look like the real thing but existing solely to harvest your personal and confidential information. Keep in mind that the text you see in an email link can say one thing while the link itself points somewhere else entirely; a link that reads "www.yourbank.com" can lead to a server the scumbags control.
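The mismatch between what a link says and where it goes is something you can check mechanically. The following is an added example, not code from the original post: it pulls every link out of an HTML email body and flags the patterns described above, such as a link whose visible text names a trusted site while its address points elsewhere, a link to a bare IP address, or the `user@host` trick where the name before the `@` looks like the bank and the real host comes after it. The list of trusted brands, the sample email, and the domain names and IP address in it are all constructed for the example (the `.example` names and `203.0.113.7` are reserved documentation values, not real sites).

```python
"""Heuristic check for phishing-style "bogus links" in an HTML email body.

Added example, not code from the original post. TRUSTED_DOMAINS is a
hypothetical list of brands the reader does business with, and
SAMPLE_EMAIL is a constructed lure using reserved documentation values.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the brands this reader actually has accounts with.
TRUSTED_DOMAINS = {"citibank.com", "paypal.com", "ebay.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation of the owning domain: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link looks like a lure; an empty list means nothing odd."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if not host:
        return reasons  # mailto:, relative links, etc. have no host to judge
    if is_ip_literal(host):
        reasons.append("href points at a raw IP address")
    if parsed.username is not None:
        # http://www.bank.example@evil.example/ displays the bank but goes to evil.example
        reasons.append("href carries user@ before the real host")
    # If the visible text itself looks like a web address, it must match the destination.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
    # A trusted brand name anywhere in the link, but the destination is not that brand's domain.
    real = registrable_domain(host)
    for brand in TRUSTED_DOMAINS:
        name = brand.split(".")[0]
        if (name in text.lower() or name in href.lower()) and real != brand:
            reasons.append(f"mentions {name} but the host is {host}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the body that raised a reason."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample, modelled on the "your account has been limited" lure.
SAMPLE_EMAIL = """
<p>Dear PayPal customer, your account has been limited.</p>
<p>Please <a href="http://203.0.113.7/paypal/login.htm">click here</a> or visit
<a href="http://www.paypal.com.account-verify.example/">www.paypal.com</a> to restore access.</p>
<p>Help is always at <a href="https://www.paypal.com/help">www.paypal.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the two lure links are flagged (one for the raw IP address and the PayPal name in its path, one because the text shows `www.paypal.com` while the real host is under `account-verify.example`) and the genuine `www.paypal.com/help` link passes. The domain check is deliberately crude (it treats the last two labels as the owner, which is wrong for names like `co.uk`), so treat a clean result as "nothing obvious", not as proof the link is safe; the post's advice to type the address into your browser yourself still stands.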

For this to work, all you have to do is follow the link, enter your username and password into the bogus form, click the submit button, and your personal info is instantly sent off across the internet for these criminals to use. They will quickly change your passwords, empty out your bank account, steal your identity, and wreak havoc with your life. And no, I'm not exaggerating. Try it if you dare (no, don't - I'm serious).

Phishing emails use social engineering to trick you into letting your guard down. The messages try to create a sense of urgency. They will state that your account has been compromised, or that the company has experienced a security breach and you need to confirm your credit card info, SSN, or username and password. They may simply say they want you to log in to their site to "validate" that you are still a current user. They may state that your account is "frozen" or locked down until you verify your identity.

Just remember: NO legitimate business or website will EVER ask you to confirm your username and password, or any other information through an email link or form.

I cannot overemphasize to you the seriousness of these phishing and other similar attacks. If you let your guard down for just one email, that's all it takes for these scumbags to steal your stuff. NEVER, ever click on email links. Never fill out email forms. If you suspect foul play, open up a web browser and type in the web address of the website you want to check.

"But I have an anti-virus program. Aren't I protected?" Anti-virus programs DO NOT protect you from these phishing attacks, because often there isn't any "virus" per se to detect, only a link or address that takes you to a bogus website. Your anti-virus may catch an infected attachment; it has nothing to say about a web page that simply asks you to type in your password.

Since these bogus websites are created every minute of the day and last only weeks, days, and sometimes only hours, no list of known bad sites can keep up with them. Your personal info is often sent to a "collecting" email address, where the scumbags accumulate what they've stolen. Free email accounts can be created without limit at Hotmail, Yahoo or Google, so once a criminal has received your personal information, they just abandon that email account, never to be traced.

OK. Now I'm afraid to open my emails. What do I do?

Make sure you have the latest security updates from Microsoft. While Windows XP users can turn on automatic update checking, you should still make it a habit to visit Microsoft's Windows Update website to download the latest security patches.

To get to Windows Update: Click on Start, All Programs, Windows Update. Or, if you are using Internet Explorer, you can also get there from the menu bar under "Tools, Windows Update". Once there, just click on "Express Install" and follow the directions. Having the latest security patches is just the bare minimum. There are still many unpatched and unknown vulnerabilities in Windows and Internet Explorer, and no patch stops you from handing your password to a fake website yourself.

Install an anti-virus program and make sure that it regularly downloads updated virus definition files.

Install an up-to-date firewall program.

Trend Micro PC-cillin and ZoneAlarm are highly rated security software suites that are relatively inexpensive, and both offer "competitive upgrade" rebates if you own a previous version or a competitor's product. Check the techie websites to read the various reviews on the many different security products.

DO NOT click on any links or attachments in your emails, no matter who they appear to be from (the sender's address is trivial to forge). Just delete suspicious emails. If you want to follow a link, open up your browser and type in the internet address yourself instead.

Last of all, use common sense. Never respond to any email that purports to be security related or asks for confirmation of your personal info. Be afraid and be paranoid :)