Who is Phishing for your passwords?

2010 June 17
by J Storlie

More importantly, what is phishing? There are a few ways internet scammers can steal your passwords, and that’s what phishing is all about. Just like real fishing, all they need is the right trick bait for the right kind of sucker fish.

Email Phishing Scams

Chances are, you’ve gotten an email from First Anytown Bank, alerting you that your account security has been compromised. In order to keep your account from being closed, or to keep your pending transactions from being sent back, it’s important for you to click here to log into your account right now.

The main problem with this scam is that it’s sent out to millions of people and only a small fraction of them will actually have an account with First Anytown Bank. The few suckers that fall for the trick end up being directed to a website that may look identical to the bank’s website. Hopefully they’ll notice in the address bar that it’s not their normal bank website and close the page. If they proceed and enter their banking information, it gets saved in the scammer’s database and then they’re usually directed to their bank’s real login page, and feel much better once they see that their account is fine. Until a few days later, when they see that all their money has been transferred to Dubai.

Text Message Phishing Scams

I recently got a text message telling me that my (nonexistent) account at the local credit union had been compromised and that I needed to verify information by calling an 800 number. I felt snarky and planned to call and give them a piece of my mind. However, the entire call-in process was automated, and quite impressive.

I was instructed to verify the last 4 digits of my Social Security number. The computer repeated them back to me for confirmation. While I waited to see if my SS# matched the phone number on file, I listened to a legal warning about the dangers of submitting fraudulent information. Never laugh with coffee in your nose, it’s painful.

Once their “security” system decided my phone number and bogus Social Security number were correct, I was told to enter my 16 digit bank card number. The numbers were accepted, even though I made them up. My expiration date and even the 3 digit (made up) security code on the back of my card were verified. Boy, was I relieved.

The system then thanked me for verifying my information, assured me that the credit union takes security VERY seriously, and gave me the (real) phone number to the bank’s security office. Imagine that. I wonder how many people fall for that scam. Your bank will NEVER send you a text message to verify your account, nor will they EVER ask you to input your debit card information over the phone. EVER.

Facebook Phishing

If you’ve ever accidentally spelled facebook wrong when trying to log in, you may have come across a page that looks exactly like facebook. Hopefully, you noticed before actually trying to log in. If, however, you were to enter your real email address & password into their fake login boxes, it would end up stored in their database and you’d be redirected to the real facebook to try logging in again. If this sounds familiar, go change your password right now. Phishers have been known to steal facebook accounts with the intention of blasting your family & friends with viruses or advertisements.

Any time you ever see anything posted from you, that you’re not sure about, go into your application settings and disallow access to the app. After that, change your password. Also, if you click on an application that seems to do nothing, or you visit a page that seems to do nothing… do your friends a favor and remove it from your profile. Just because 3 of your friends “liked” something with a cool title, doesn’t mean you need to perpetuate the potentially fraudulent application.

Other Facebook Phishing Attempts

See our facebook widget on the sidebar? It pulls information from our Facebook page automatically. When someone visits our site, they can “like” us from right here. It’s a good thing we’re the nice guys because if we were bad guys, we could use a corrupted widget that steals passwords. Just to be safe, when you’re visiting a site you “like” but don’t “trust”, log in to Facebook from a different tab or window, then reload the page you’re on before clicking that “like” button. Or, when the login pops up, make sure the URL in the popup window begins with https://ssl.facebook.com/followedbyabunchofrandomlettersandnumbers, for security.
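Checking how a URL "begins" is only safe if the whole host name is compared, not just the leading characters. The following is an added example, not code from this site or from Facebook: the host name is the one given above, and the sample URLs (using reserved `.example` names) are constructed for illustration.

```javascript
// Added example: decide whether a login URL really belongs to the expected host.
// EXPECTED_HOST comes from the article; the sample URLs below are constructed.
const EXPECTED_HOST = "ssl.facebook.com";

function checkLoginUrl(raw, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Text before an "@" is a username, not the site; the real host follows it.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded before the host" };
  }
  // Compare the whole host name. A "begins with" test would accept
  // ssl.facebook.com.login.example, which belongs to login.example.
  if (url.hostname !== expectedHost) {
    return { ok: false, reason: "host is " + url.hostname };
  }
  return { ok: true, reason: "host matches " + expectedHost };
}

// Constructed sample URLs: one genuine form and three that only look right.
const samples = [
  "https://ssl.facebook.com/login.php?abc123",
  "https://ssl.facebook.com.login.example/login.php",
  "https://ssl.facebook.com@login.example/login.php",
  "http://ssl.facebook.com/login.php",
];
for (const s of samples) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK    " : "REJECT") + "  " + s + "  (" + r.reason + ")");
}
```

Only the first sample passes; the other three all start with familiar-looking text but fail on the host, the embedded user name, or the scheme.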

Paypal Phishing Scams

Paypal is a reputable Internet Bank that’s popular for online commerce. Almost daily, I get phishing emails about my Paypal account. “your Paypal account has been closed” or “re: merchant complaint 234567” or “Paypal fraud prevention alert.” Sometimes they’re impressive, using graphics similar to the Paypal website. Other times they’re not impressive, with words misspelled, bad grammar and bad punctuation.

You can help Paypal battle phishing by forwarding each one to spoof@paypal.com. If you believe that you really do need to log in to Paypal, don’t use the link in the email. Go directly to paypal and log in. If your account has any sort of alert status, you will be notified upon login.

Other Phishing Scams

Phishers are opportunistic. There have been reports of phishing attempts for every major US bank, Amazon, eBay, Yahoo mail, gmail, MySpace, etc. If you work for a company that hires internet workers, you’ll likely get scammers phishing for those usernames and passwords, too.

Protecting Yourself From Phishing Attempts

If you fear you’re not observant enough to protect yourself from a phishing scam, there are other ways you can protect yourself. Be sure to take measures to educate your teenagers and the elderly in your life as well.

  • Browser Plugins: The Firefox and Google Chrome browsers use plugins, external applications that work with your browser. Security plugins can stop you from visiting acebook.com instead of facebook.com, or usbamk.com instead of usbank.com.
  • Your Firewall: Your firewall will keep external programs from downloading files from your computer without your knowledge.
  • Your anti malware and antivirus programs will keep you from installing naughty programs that look safe.
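One way a security plugin can catch a mistyped address such as acebook.com or usbamk.com is to measure how many single-character edits separate it from a site you trust. This is an added example, not the code of any particular plugin: the `TRUSTED` list, the two-edit threshold and the function names are assumptions, and only a leading `www.` is stripped before comparing.

```javascript
// Added example: flag host names that are one or two edits away from a trusted site.
// TRUSTED is an assumed allowlist built from sites the article names.
const TRUSTED = ["facebook.com", "usbank.com", "paypal.com"];

// Edit distance where an insert, delete, substitution or swap of two
// adjacent characters each cost 1 (optimal string alignment).
function editDistance(a, b) {
  const d = [];
  for (let i = 0; i <= a.length; i++) {
    d.push(new Array(b.length + 1).fill(0));
    d[i][0] = i;
  }
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

function classifyHost(hostname, maxEdits = 2) {
  const host = hostname.toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
  if (TRUSTED.includes(host)) return { verdict: "trusted", host };
  for (const good of TRUSTED) {
    const dist = editDistance(host, good);
    if (dist <= maxEdits) return { verdict: "lookalike", host, resembles: good, dist };
  }
  return { verdict: "unknown", host };
}

// Constructed sample host names: the article's two typos, a swapped-letter
// variant, an exact match and an unrelated site.
for (const h of ["facebook.com", "acebook.com", "usbamk.com", "www.paypla.com", "example.org"]) {
  console.log(h, JSON.stringify(classifyHost(h)));
}
```

A host that is "unknown" is simply not on the list; only a near miss of a trusted name is treated as a warning sign.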

What to do if you’re a victim of Phishing

Immediately change your passwords on the affected accounts. If your email account is phished, you may need to change every password on every account associated with that email. It’s very easy for a thief to download all of your mail, then search through account information and address book without you ever knowing. Once they know your email password, they can conceivably request password assistance from your bank and other institutions.
