Consumer Reports has published its annual State of the Net survey in the September issue of the consumer advocacy magazine. And an article accompanying the review of assorted online threats titled Seven Online Blunders offered this morsel as Blunder No. Five:
According to this year's State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple's Safari, has no phishing protection. We think it should.
What you can do: Until Apple beefs up Safari, use a browser with phishing protection, such as the latest version of Firefox or Opera. Also try a free anti-phishing toolbar such as McAfee Site Advisor or FirePhish.
That's some pretty strong advice there, telling Mac users to switch away from Safari, the browser of choice on the Mac platform by a wide margin. (It mirrors similar advice offered by payment processor PayPal earlier this year.) But is it good advice?
In a macro sense, sure it is--it's always good to use tools that offer the most protection for the user. So if you want to switch to Firefox or Opera, then by all means, go ahead.
But if you want to continue using Safari, I think that's also a perfectly acceptable alternative--as long as you understand the risks, and take some simple steps to minimize those risks.
All about phishing
Just what are those risks? Phishing is, according to Wikipedia, "the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication." Putting a different name on it, phishing is lying, and typically this lying is done via e-mail or instant messaging. As an example, here's an actual phishing e-mail I received this morning, though I've modified it enough to remove any phishing threats.
We were unable to process your payment. Your ads will be suspended soon unless we can process your payment. To prevent your ads from being suspended, please update your payment information.
Please sign in to your account at http://adwords.google.com/select/login, and update your payment information. We look forward to providing you with the most effective advertising available. Thank you for advertising with Google AdWords.
Now, this is a grossly oversimplified example, but if you click the above link, you'll find you wind up on Apple's website, instead of what the link appears to show, which is Google's AdWords login page. That's because a hyperlink can have any text associated with it you like--in this case, I associated the AdWords login page URL with a hyperlink to apple.com.
In the real phishing e-mail, the URL actually pointed to a site named to confuse the user: http://www.adwords.google.com.xxyyzz.cn/select/Login. Notice that although the first part of the URL looks correct, it ends in xxyyzz.cn, instead of google.com.
When looking at a URL, the most important bits are at the far right of the URL--it's the end of the URL that tells you who owns it, not the beginning. In this case, the domain is "xxyyzz.cn," and everything to the left of that is a sub-domain on that site. So one key anti-phishing tip is to always read URLs from right to left to determine their ownership. If the right side of the domain isn't what you expect it to be, then you're not on the page you think you're on!
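The two checks described above (a link whose visible text names one site while its target belongs to another, and reading the host name from right to left to find the owning domain) can be turned into a small script. The following is an added example, not code from the article or from Macworld; the sample links are constructed from the defanged AdWords e-mail quoted above, and the owner-extraction rule (last two labels, or three when the second-to-last is a generic label like "co") is a deliberate simplification that a production tool would replace with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed sample links as (display text, real href), modelled on the
# defanged phishing e-mail quoted in the article. Not real live links.
SAMPLE_LINKS = [
    ("http://adwords.google.com/select/login",
     "http://www.adwords.google.com.xxyyzz.cn/select/Login"),
    ("http://adwords.google.com/select/login",
     "https://adwords.google.com/select/login"),
    ("update your payment information",
     "http://www.adwords.google.com.xxyyzz.cn/select/Login"),
]

# Display text only "claims" a destination when it looks like a URL itself.
URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?$")

def looks_like_url(text):
    """True when link text reads as a URL or bare host name (no spaces, has a TLD)."""
    return bool(URL_LIKE.match(text.strip()))

def hostname(url):
    """Return the lowercase host part of a URL, or '' if it has none."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to locate the host
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")

def registrable_domain(url):
    """Read the host right to left and keep only the part that names the owner.

    Assumption (simplification, not from the article): the owner is the last
    two labels, or the last three when the second-to-last label is a generic
    one such as 'co' or 'com' under a two-letter country code (example.co.uk).
    A real check should consult the Public Suffix List instead.
    """
    labels = hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    generic_second_level = {"co", "com", "org", "net", "gov", "ac", "edu"}
    if (len(labels) >= 3 and labels[-2] in generic_second_level
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def link_is_deceptive(display_text, href):
    """True when the text shows a URL for one owner but the href goes elsewhere.

    Plain-word link text ("update your payment information") makes no claim
    about the destination, so it is not flagged here; the owner of the href
    still has to be read right to left before trusting it.
    """
    if not looks_like_url(display_text):
        return False
    return registrable_domain(display_text) != registrable_domain(href)

def audit_links(links):
    """Return (text, href, owner of href, deceptive?) for each link."""
    return [(text, href, registrable_domain(href), link_is_deceptive(text, href))
            for text, href in links]

if __name__ == "__main__":
    for text, href, owner, deceptive in audit_links(SAMPLE_LINKS):
        flag = "MISMATCH" if deceptive else "ok"
        print(f"{flag:8} shown={text!r} -> owner of target: {owner}")
```

Run it and the first sample is flagged: the text reads adwords.google.com, but reading the target host from the right gives xxyyzz.cn as the owner, exactly the point the article makes about that URL.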
If you were to load the above phishing page--though I've altered the URL to prevent you from doing that--you would find that the details it asks for could include things such as your name, social security number, credit card number and expiration date, and even potentially your bank account and bank routing number.
And this is where you should use the best anti-phishing tool available, one that's accessible to everyone regardless of what browser they use: let common sense be your guide. If you ever wind up on a website page that asks for such highly confidential information without requiring you to first login, do not provide it! Any legitimate site that needs this information will only request it after you have logged in, not before!
So how do you avoid getting sucked in by a phishing scam? According to Consumer Reports, the best way to avoid them is to use a browser with anti-phishing protection built right in. However, this is far from an ideal solution, because the criminal element is large, and it moves very quickly. Given that criminals, too, can run Firefox and Opera, clearly they'll know as soon as one of their phishing sites is blocked by those browsers' built-in tools. So what do the criminals do? Quickly create another site, of course, and link to that in their current round of phishing e-mails.
The anti-phishing tools in Firefox and Opera will spot this new page, probably sooner rather than later. Until they do, though, those using Firefox and Opera may be more susceptible to a phishing attack than those using Safari, due to a false sense of security. "Firefox didn't flag this link, so it must be OK to use." That's a very dangerous mindset to have, and I suggest you avoid having such thoughts, even if you are using Firefox or Opera.
How to avoid phishing scams
So what's the best way to avoid phishing scams? Don't even take the first step of clicking the link in the e-mail or message you receive. While that may sound difficult, it's really incredibly easy--and by doing so, you'll be protected from the vast majority of phishing scams, regardless of which browser you choose to use. Here are my three rules for working with links in e-mails or chat messages:
Should Safari have anti-phishing features? Sure, it should. Should you stop using it today because it doesn't? Not at all--as long as you're willing to exercise "safe clicking" practices. Even if you use an anti-phishing browser, however, these practices are recommended--there's just no way any one browser can keep up with the scope of malicious activity out there on the web. So regardless of browser choice, you'll be much safer and happier if you exercise safe browsing techniques.
This story, "How Sound Is Consumer Reports' Safari Advice?" was originally published by Macworld.