Beware the phisherman

This week, I get to write about phishing.

No, the spell-check wasn’t turned off and I didn’t flunk kindergarten. I’m not talking about the kind of fishing that Chuck McGuire and James Robinson get to write about. Unfortunately, I’m not going to tell you about standing at the end of a riffle casting a size 18 Parachute Blue Wing Olive up to the rhythmic rise of an 18-inch Rainbow Trout. I’m talking about the kind of “phishing” where low-life dirtbags fish for suckers without a license. You and I are the potential “suckers” they are fishing for.

Wikipedia defines phishing as “the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.” If the scammers and identity thieves are successful in getting you to provide this information, then your worst nightmare is about to begin. Your credit cards and your bank account are about to be drained. Credit you did not authorize will be obtained in your name and maxed out. Using your personal information, fraudulent checking accounts will be opened over the Internet and drug addicts all across the country will be cashing checks with your name on them to pay for their next fix. Counterfeit checks with your name and account number will be written all over Southern California. I have seen all these things happen.

You are especially vulnerable if you don’t scrutinize every request for such information because you think you’re too smart to fall for some conniving, bumbling cyber-nerd’s pathetic attempt to swindle you. Some of these phishing “baits” out there are top-notch impersonations. We are not talking about some illiterate Nigerian scammer trying to get you to pay the tax so he can send you title to the pyramid you have just inherited. Some of these scammers and hackers have college degrees and computer skills that would have Bill Gates offering them an executive position.

Phishing e-mails will contain familiar logos, images and language. They will usually contain a link (almost certainly using the image or logo of a trustworthy entity) that takes you to a counterfeit Web site that instructs you to verify your information. The e-mail and site will tell you that it is a “secure server” or give you some other kind of assurance that the site is secure and genuine. Maybe there will even be a warning about giving out your information to anyone else. You may have heard to check the address bar and make sure that the address is correct and the site has the “https” in the address. Well, guess what, now “phishermen” are using JavaScript to place an image over the real URL, so it looks like you have the real deal when actually you don’t. Any way you have heard to identify a counterfeit e-mail or Web site, I guarantee you that somewhere in the world right now some cybergeek supervillain has found or is about to find a way to counteract it.
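For readers who filter mail for others, here is an added example (not part of the original column) of a check for the disguised links described above: it flags a link that is nothing but a logo image, and a link whose visible text names one site while the underlying address goes to another. The function names and every host name in the sample message are made up for illustration; it does nothing about the address-bar trick, which happens on the counterfeit site itself.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Something that looks like a host name inside a link's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Record every <a>: its href, its visible text, and whether it wraps an image."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = {"href": dict(attrs).get("href") or "", "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def _bare(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def audit_links(html):
    """Return (reason, shown_domain, real_host) for each link that hides its destination."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        real = urlparse(link["href"]).hostname or ""
        shown = DOMAIN_RE.search(link["text"])
        if shown:
            s, r = _bare(shown.group(1)), _bare(real)
            if r != s and not r.endswith("." + s):
                findings.append(("text-mismatch", s, real))
        elif link["image"] and not link["text"].strip():
            findings.append(("image-only-link", "", real))
    return findings

# Constructed sample message body; every host name here is made up.
SAMPLE = """<p>Your account is suspended. Verify now.</p>
<a href="http://login.example-billing.test/verify"><img src="logo.png"></a>
<a href="http://203.0.113.7/secure">https://www.bank.example/login</a>
<a href="https://www.bank.example/help">www.bank.example/help</a>"""
```

Calling `audit_links(SAMPLE)` reports the first two links and passes the third, whose visible text and real destination agree.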

Scammers are notorious for sending out spoof e-mails for “PayPal” because everyone seems to have an account and if they gain your username and password, they own you. The first thing that will happen is they will change the password so you will be locked out of your own account. So if you go to log in to PayPal or any other account and find that your password suddenly doesn’t work — big, red flag. Immediately contact the security department and find out what’s going on with your account. Also, alert any banks or credit card companies that you have affiliated with the account. As far as I know, neither PayPal nor any other reputable company will ever send you a legitimate e-mail asking you to provide personal information or reset a password. If you want to check your account after receiving such an e-mail, don’t use any links provided in the e-mail; manually type in the address of the site in your address bar to ensure you end up at the legitimate Web site.

There is another type of phishing I need to mention: “Spear Phishing,” which is just like “Spear Fishing.” When you are fishing, the vast majority of the time you are looking to catch any fish that might bite. But if you are a spear fisherman, you check out the fish first, size him up and decide that you’re gonna try and nail that particular fish, or maybe you found a nice-looking school of fish that you have decided you’re going to fire your spear at. Are you following me? With “spear phishing,” a certain individual or select group is the target.

Hackers have been known to hack into a company’s server and get into the e-mail system. From there, they send out e-mail to company personnel, such as, “To all employees, the finance department needs to update your personnel files, reply to Betty in the finance department ASAP with your social security number, date of birth and home address so we can update our records and ensure your payroll will be processed by Friday. Thanks!” If you reply, the hacker has your e-mail diverted to him. If you get such an e-mail, don’t reply. Get up and walk yourself to Betty’s desk!

Simpler spear phishing attacks might use information found on social networking sites, such as Facebook or MySpace, to try to convince the victim to supply the desired information. I must admit that I have not yet joined, nor am I ever likely to join, the MySpace or Facebook craze, but if you have, my suggestion would be to correspond only with people you have a personal relationship with or know from outside the Internet.

The most despicable form of spear phishing I have seen didn’t directly involve an e-mail or even a computer, at least in the execution of the scam. However, odds are that the scammer did use the Internet to find out information on the intended victim and her sister.

A phone call was placed to an individual in town, who was a financially successful business owner; I’ll call her Jane. The caller was a woman who claimed to be an emergency room nurse at an out-of-town hospital. The caller told Jane that her sister was involved in a bad traffic accident and that she needed to be flown to another hospital for emergency surgery to save her life. The “nurse” said there was a problem with Jane’s sister’s insurance covering the air ambulance flight. Jane was told that she needed to provide a credit card number right away so that her sister could be flown to the other hospital. The “nurse” knew Jane’s sister’s name, where she lived and what type of vehicle she drove. You can imagine Jane’s panic when she heard this news. Fortunately, someone got on the phone right away and was able to quickly learn that Jane was just fine and there had been no accident. I am aware of one other local resident, a senior citizen, receiving a similar call. In that case, the man was instructed to send money by wire. When the man went to his bank, a sharp bank teller thought something was wrong and called another family member who looked into the situation and learned that the family member in question was fine.

Children and teens on the Internet should be educated, monitored and taught to be wary of all types of Internet identity thieves, scams and predators. Just last weekend I read a news article about a 16-year-old girl who left her house one night to go meet someone (supposedly another teen) she had been talking to online. Her body was later found in an empty house; she had been raped and murdered.

Here are some ways to help protect yourself from phishing scams:

1. Disregard any unsolicited e-mails you get from any entity asking you to provide banking, credit card or personal information, especially if they threaten to suspend, close or deny access to your account. If you want to be sure, telephone your banking institution or whoever purportedly sent the e-mail and inquire. Or, close your browser, reopen it and manually type in the Web site’s address and log in to your account. If there is a problem with your account, you will find out when you log in.

2. Never disclose financial or detailed personal information on a social networking site or over the telephone and don’t trust anyone you don’t know personally.

3. Using the latest version of popular web browsers can help protect you. These browsers have features built in that help identify counterfeit Web sites and warn you.

4. Monitor your accounts frequently. Most of the time if your account shows a pending transaction that is unauthorized, you can notify your bank and stop it before the account is actually debited. Watch for small, seemingly insignificant charges you don’t recognize. Frequently, criminals will run a “test” on your credit card or bank account. This is a red flag that a bigger hit is coming.

Next time I’ll try to answer the question “Who is doing this?” I think you’ll be surprised.