Wednesday, November 18, 2009

A Phew Phishing Phacts

Hopefully by now, everyone who's had an email account for any length of time has not only heard the term "phishing", but actually knows what it is. Almost certainly anyone who's had an email account for any length of time has gotten at least a few phishing emails (for varying values of "a few").

CNET recently posted a sort of "phishing primer" article that's worth the read. In a nutshell, phishing is, in its most common form, that scary/shrieking/somber missive in your inbox that proclaims to be from ->insert official organization and logo here<- and tells you to click the embedded link and log in to verify your information now or risk having your PayPal/eBay/CheckFree/Amazon/whatever account shut down.

Alternatively you may be facing an audit (or a refund!) from the IRS, or your bank has just been declared "failed" (I got one of these the other day, which made me smile - I've already given my bank a "FAIL" many times over the years, so I hardly need an email notice about it); the list goes on and on. One of my personal recent favorites is the one proclaiming to be from the email provider itself, warning that the "servers" are due to be "upgraded", so all user account information needs to be verified beforehand. I guess they're not planning on backing up all that "account info" themselves prior to the "upgrade", and in fact have never stored or backed it up at all. C'mon, folks, if your email provider has to email you to provide them with your basic email account information via an email reply...think about it. Have some aspirin handy.

There are a few more phishing facts worth elaborating on:

The warnings to be wary of .exe file attachments are all well and good. Problem is, malicious code can be embedded in .doc files, .xls files, .ppt files, .zip files, .gif files, .pdf files - basically any kind of file that can have executable code embedded in it. So be wary of any attached file you aren't specifically expecting. And do yourself a favor - turn off the preview pane in your email client. Now. The days when you had to explicitly open an attachment for it to deliver its payload are long gone; just opening the email it's attached to can be enough. The content of the email itself can be enough, if it's got Evile Dancing Bunnies in it and you have your email client set to render .html when you open a message. Guess what the preview pane for your inbox does?

If you feel irresistibly compelled to call a phone number contained in a suspicious email, do not call from your cell phone. Call from a land line you don't care about, or borrow a cell phone from someone you don't like. The scammers will happily settle for a working phone number they can sell off to telemarketers or use for SMS spam if they can't get the goods via email.

If you've clicked on an embedded link and been directed to a website, it's too late to worry about being fooled. Chances are good you already have. Shut down your web browser, kick off a complete virus scan, and go play outside while it runs. If you don't have a working and updated antivirus installed on your computer, slap yourself sharply across the face and then go shopping for one. When you get back, start looking for those restore CDs that came with your computer. You might need them.

Finally, as always, never EVER respond to any sort of spam, even to give the spammer what-for and demand they blot your email address forever from their consciousness. All you're doing is confirming for them that A) your email account is in fact active, and B) you opened their email. Jackpot for them, but no cookies for you. Well, except the ones they may have scattered all over your hard drive while they sold your verified email address to fellow spammers for the highest bid.
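For anyone who would rather inspect a suspicious message than let a mail client render it, here is an added example (not part of the original post) that reads a raw saved message and reports the two things warned about above: attachments with the extensions listed, and HTML markup that runs or fetches something the moment it is displayed. The names `triage`, `build_sample`, `RISKY_EXTS` and `ACTIVE_HTML` are made up for this sketch, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the post names as able to carry embedded code.
RISKY_EXTS = {".exe", ".doc", ".xls", ".ppt", ".zip", ".gif", ".pdf"}
# Tags that execute or fetch remote content as soon as the HTML is rendered
# (a remote <img> also tells the sender the message was opened).
ACTIVE_HTML = re.compile(r"<\s*(script|iframe|object|embed|img)\b", re.I)


def triage(raw_bytes):
    """Return findings for one raw message without rendering or opening anything."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no content of their own
        name = part.get_filename()
        if name:
            # Compare case-insensitively so "Invoice.PDF" is caught too.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in RISKY_EXTS:
                findings.append(f"attachment:{name}")
        elif part.get_content_type() == "text/html":
            tags = sorted({t.lower() for t in ACTIVE_HTML.findall(part.get_content())})
            if tags:
                findings.append("html-active:" + ",".join(tags))
    return findings


def build_sample():
    """Constructed sample: an HTML body with a remote image and a script, plus a PDF."""
    m = EmailMessage()
    m["From"] = "support@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Verify your account"
    m.set_content("Plain text part")
    m.add_alternative(
        '<p>Hi</p><img src="http://example.invalid/b.gif"><script>x()</script>',
        subtype="html",
    )
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="Invoice.PDF")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A finding here means "look closer before opening", not "this is malicious"; plenty of legitimate mail carries PDFs and inline images.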

Time for me to wrap up a post that's turned waaaay longer than I intended...I need to go check my email. :)
