Phishing: How not to get hooked online (News Feature)
By Andy Goldberg Oct 7, 2009, 2:22 GMT
San Francisco - Joe Wilcox was not having a good day. As news filtered through Monday that thousands of Hotmail passwords had been compromised by what appeared to be one of the largest phishing scams in history, the tech pundit for the website Betanews.com was frantically trying to cover his digital tracks.
Embarrassingly enough for someone who makes his living preaching about the intricacies of the digital age, Wilcox had made a number of common errors that exposed him and his plethora of online accounts to the evil designs of the anonymous scammers eager to steal his identity and money.
Wilcox figured that he had around 40 online accounts, and many of them, including his Hotmail account, shared similar passwords. So, instead of spending his valuable time thinking about all the wonderful ways the digital age could be improved, he spent four hours scouring the web to change all his account passwords.
But his time was not completely wasted.
As he was trudging from site to site, Wilcox had a flash of insight: as people increasingly shift the focus of their lives to the web, they are ever more overwhelmed by the account access info for their Twitter, Facebook, bank, credit cards, forums, emails and the like.
'MY GOD! Where did all these freaking accounts come from?' Wilcox wailed. 'The weakness of the social Web is simply stated: You are too many places.'
So what can you do to manage your online identity safely and conveniently, without needing a degree in computer science? The most important step is to have a firm grasp of what phishing is and how it is perpetrated. Usually, a phishing email will have a fake story that's designed to lure you into clicking a link or button in the email or calling a phone number.
The email and the links it contains purport to be from a trusted company. In reality this information is spoofed, and you will send your information to a dummy website that may look exactly like your bank's site but is just a front set up on the criminals' server.
Many scammers prey on people's fears of online security. Their fake email will likely say your account may have been compromised and offer you a link to correct the situation.
There is no easy way to tell the difference between legitimate and fraudulent messages. But a number of easy steps can drastically reduce the risk. Bear in mind: reputable companies will never send you unsolicited emails asking for your key information. If you do have a problem with your account, never follow an embedded email link to fix it. Instead, open a new browser window, key in the address of the relevant site and go from there.
Another major vulnerability faced by many web users is that they use the same online IDs and passwords across numerous sites. This system is convenient, but if the details of one account fall into the wrong hands, all that person's accounts may be compromised.
Many people who use different passwords for each site utilize programs like RoboForm or KeePass to keep track of all their information, with one master password giving them access to their data. Others keep a list of all their different log-ons in a separate file, or on a piece of paper next to their desk. Obviously, all of those methods can be hacked or copied too.
'There is no fail-safe system and if someone is really determined they will get your identity,' says online security consultant Tim Mullan.
He points out that the real world is also full of vulnerabilities - someone can steal your mail, or the friendly waiter in the coffee shop can help himself to your credit card details.
Mullan is confident that a better solution is on the way when biometric identifiers become standard. Until then, 'the best thing you can do is make yourself a hard target,' Mullan says. 'Don't click on any links in unsolicited emails, be eternally suspicious and please, please, don't use one username or password for all your accounts.'