Casting a Line
Whether it is coming from eBay, PayPal, Amazon.com or your local bank – or just as likely a bank from another part of the country that you may have never heard of – the message is the same. Someone has attempted to access your account, and you must respond immediately or else your account will be frozen, suspended or even canceled. On the surface this e-mail looks convincing, often with official-sounding descriptions of the problem, logos from the company or bank, and a convenient link to help you get things sorted out. The problem is that the link doesn’t take you to the actual site; it takes you to a Web site that has one sole purpose: to get as much information from you as possible.
This is called a phishing scam, because the senders are “fishing” for as much personal information as they can get. That “convenient link” takes you to a site that also appears to be the real deal, and there you’re asked to supply all sorts of highly personal information. This should be the first red flag! “Is somebody asking me to confirm my account details including username, password and credit card info?” asks Shane Coursen, senior technical consultant at Kaspersky Lab. “If so, this is the first and most obvious sign that the e-mail is a fraud.”
Instead of replying or clicking on the link, Coursen says the best thing to do is to forward the e-mail to the abuse department of the Web site it supposedly came from; above all, do not click on any link. If you do nothing else, ignoring and deleting is the right course of action. “Another thing I always recommend is setting your e-mail reader to open all e-mail in text only. HTML sites might be more convenient, but the URL links are hidden. In text-only mode, I can see if the URL points to the actual site, or if it is taking me to a suspicious or unknown location.”
Hook, line and sucker
Another popular scam is a message from a user on eBay, often claiming to have won an auction that you probably didn’t even run, or a user from PayPal saying that money was sent. In these cases the e-mails may look just like the real ones that you’d get from legitimate users. Again, don’t click on ANY of the links. Instead, open a new browser window and log in directly to the eBay/PayPal Web site. Any legitimate message you received in e-mail will be available on your user pages as well.
“Targeted attacks are particularly dangerous,” says Coursen, who adds that you can still protect yourself through increased awareness that such threats exist and a healthy dose of skepticism toward every piece of e-mail. One thing to be aware of is that most sites will never contact you with the greeting “Dear user,” or even simply call you “customer.” If you get any correspondence through e-mail with the opening “Dear PayPal User,” you can be 100% certain that it is not legitimate. But a message that addresses you by name or by your account ID isn’t necessarily legitimate either: “I’ve seen some semi-personalized emails from phishers. This is because, in many instances, user account names match closely to the e-mail address.”
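The two checks Coursen describes above (reading the real URL behind an HTML link, and treating an impersonal “Dear … User” greeting as a warning sign) can be automated. The following is an added example written for this article, not code from Kaspersky Lab or the author; the sample message and the hosts in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(shown_host, real_host):
    # Compare the last two labels only; this simplification ignores
    # multi-label public suffixes such as co.uk.
    return shown_host.split(".")[-2:] == real_host.split(".")[-2:]


def deceptive_links(html_body):
    """Return (visible text, real host) for links whose text names a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and not same_site(shown.group(1), real_host):
            flagged.append((text, real_host))
    return flagged


def generic_greeting(body_text):
    """True if the first line is an impersonal greeting such as 'Dear PayPal User,'."""
    first = body_text.strip().splitlines()[0] if body_text.strip() else ""
    pattern = r"^dear\s+(valued\s+)?(\w+\s+)?(user|customer|member|account holder)\b"
    return re.match(pattern, first.lower()) is not None


# Constructed sample message (placeholder host under the reserved .test TLD).
SAMPLE = """Dear PayPal User,
Someone has attempted to access your account. Please <a href="http://paypal.example-login.test/verify">
http://www.paypal.com/verify</a> to confirm your details, or visit
<a href="https://www.paypal.com/help">www.paypal.com/help</a>."""
```

Running `deceptive_links(SAMPLE)` flags only the first link, whose visible text says paypal.com while its href points at the placeholder host, which is exactly what text-only mode would have exposed.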
When opening your e-mail be skeptical, and never click through a link. No bank or service is going to really limit your access if you don’t respond. And credit card companies are more likely to call you if there is a problem. And no matter what you do, never give out any personal information. You don’t want to become that big catch for the phishers.