
Thwart the Three Biggest Internet Threats of 2007

Threat #2: Phishing and Identity Theft

You've probably seen your share of phishing attacks, which look like communications from your bank, PayPal, eBay, or another online account. The message may ask you to click a link that leads to a bogus Web page, complete with realistic user-name and password log-in fields, or it might ask for a credit-card number. The fake address often resembles the real institution's URL--'citibank.fakesite.com' in place of 'citibank.com', for example. The phisher's site and e-mail message may even load images from your bank, or have links to the institution's own Web site.

When you take the bait, the phisher harvests your data, and either sells it to someone else, or uses it to drain your account right away. A variant called spear phishing identifies you by name in the lure message or Web site, making the sham even harder to spot. Typo-squatting is a related trick in which phishers set up a fake site at an address slightly different from the real one ('www.amazom.com' instead of 'www.amazon.com', for example) in hopes that fast-typing customers will land there and not notice their typo.
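As an added illustration (not part of the original article), the following Python sketch shows how a mail filter or link checker could flag the two address tricks described above: a trusted name used as a label under someone else's domain, and a domain one typo away from the real one. The allow-list, the function names, and the "last two labels" rule for finding the registered domain are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; a real deployment would maintain its own.
TRUSTED = {"citibank.com", "amazon.com", "paypal.com", "ebay.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED, max_typos: int = 1) -> str:
    """Return 'trusted', 'typosquat of X', 'lookalike of X', 'unknown' or 'invalid'."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"
    # Genuine: the host is a trusted domain or a subdomain of one.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    labels = host.split(".")
    # Assumption: registered domain = last two labels (no public-suffix list here).
    registrable = ".".join(labels[-2:])
    # Typo-squat: the registered domain is within max_typos edits of a trusted one.
    for dom in trusted:
        if 0 < edit_distance(registrable, dom) <= max_typos:
            return f"typosquat of {dom}"
    # Lookalike: a trusted name appears as a label under an untrusted domain.
    brands = {dom.split(".")[0] for dom in trusted}
    for label in labels:
        if label in brands:
            return f"lookalike of {label}"
    return "unknown"


if __name__ == "__main__":
    for link in ("http://citibank.fakesite.com/login",   # example from the article
                 "http://www.amazom.com/",               # example from the article
                 "https://www.citibank.com/login"):
        print(link, "->", classify_link(link))
```

The check reads the hostname from right to left, which is also how a person should read a link: whatever sits immediately before the final '.com' decides who owns the site.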

You may have read that your bank will never send you an e-mail asking you to log in to your account, and it shouldn't, though it does happen on occasion. The vast majority of messages that appear to come from financial institutions are phishing attacks, so assume that such messages are bogus and avoid opening them at all, let alone clicking any links they contain. If you are concerned that the bank or other service is really trying to notify you of a problem with your account, open your browser manually and log in to the site directly, or better yet, pick up the phone and call a customer service agent (if you can find one via the bank's automated phone system).

The place you're most likely to notice that your credit card or bank account has been compromised by a phishing attack or identity theft is on the statement the institution sends you by mail. Check it carefully for unauthorized charges, and report any to the institution immediately.

Both IE 7 and Firefox 2 include new antiphishing settings that can compare links to databases of known phishing sites before displaying the page. (As we went to press, Opera planned to include a similar feature in the Opera 9.1 browser.) IE 7 asks you a couple of times during installation whether you'd like to enable its phishing filter; say yes. To enable the feature afterward, choose Tools, Phishing Filter, Turn On Automatic Website Checking, and click OK.

Firefox 2's phishing filter is enabled by default, but it uses a static downloaded list of known phishing sites. To query Google's more up-to-date Phishing Protection service instead, choose Tools, Options, Security and select Check by asking Google about each site I visit (see Figure 2). Note that you'll have to accept the service's licensing agreement.

Figure 2: Set Firefox to use Google's more up-to-date list of suspected phishing sites to protect you as you browse.

Many firewalls and other security programs include identity-protection features that scan the stream of data leaving your PC for sensitive information, such as passwords or social security and credit card numbers, and then block the unauthorized transfers. For more information on these products, see "All-in-One Security."

Resist the temptation to post personal information on your Web page, blog, or social site (Facebook/MySpace) account. Identity thieves, spammers, and online predators are always on the lookout for such data. Browse to "Safeguard Your Reputation While Socially Networking" for an explanation of the risks to both adults and children, and for tips on what you can do to avoid the dangers.
