As you may recall, back in January I wrote a post declaring this the year of “fighting back against the black hats.” Now it’s mid-October, and I am finally getting around to the second post in the series. So maybe 2012 will be a year of fighting back as well…

What is Phishing?

Simply put, phishing is a form of fraud where someone tries to trick you into disclosing secret information (such as your credit card number) by posing as someone you trust (such as your credit card company). In fact, phishing is a form of wire fraud, plain and simple. In my opinion it is unfortunate that the word “phishing” even exists. It’s a gratuitous neologism that, because of its cutesy spelling, potentially reads as something more innocuous than it actually is.

In fact, phishing is the most common form of identity “theft.” It’s rampant on the Internet. And you are a target.

How to Protect Yourself

Munchkin card: Curse! Duck of Doom. "You should know better than to pick up a duck in a dungeon. Lose 2 levels."

You should also know better than to open a link in an e-mail message.

The whole point of phishing is that it’s trying to trick you. Contrary to what some know-it-alls might say, it is not easy to defend yourself against.

  1. Don’t click on a link in an e-mail message, even if the message looks legitimate. Unfortunately this is the hardest rule to follow. Even the best of us forget. It’s easy to laugh off the silly Nigerian money-laundering scam but much harder to remember the rule when the message looks like it comes from your telephone company or a relative. And, like the hapless adventurer who picked up the Duck of Doom, our first mistake may have severe repercussions. Phishing e-mails take you to Web sites that may look legitimate, but actually capture your login and/or financial information for purposes of identity theft.
  2. Use software to help you follow rule #1. As I mentioned in my previous post, you really need anti-virus software anyway. You can probably get it free of charge from your Internet service provider so there’s no excuse. Most “anti-virus” software these days is a multi-faceted suite of defenses that also includes some protection against phishing.
  3. Do not trust your own judgment to identify fraudulent messages. Sooner or later, you’ll be tired or distracted and you’ll slip up. I used to take pride in my ability to spot a scam, and I almost got burned today. Only my anti-virus software saved me. If you believe you have superhuman powers and will never be fooled, please carefully read the fairly brief academic paper, Why Phishing Works.

My Lesson in Humility

Today is the day when, after years of vigilance, I finally forgot Rule #1 (don’t click on links in an e-mail message). I would have got burned if not for my anti-virus software.

I received a reasonably official-looking message that claimed to be from my Internet service provider, Comcast:

A fake message claiming to come from Comcast. It includes a link.

This message looks somewhat credible, but it's a fake. There are some warning signs but I missed them this time.

On a good day, I think I could have spotted this as a scam. There were a few warning signs:

The message contains some spelling errors and the dubious sender address, "paywment@comcast.net" (sic)

Like many fraudulent messages, this one contained some spelling errors. Today, the crooks got lucky: I looked right past the errors and did what one should never do. God help me, I clicked the link.

Fortunately for me, my judgment was not the only thing standing between me and the outlaw gang that organized this sting. My anti-virus software kicked in and raised a great big red flag, just like it should:

The warning message from Symantec Internet Security: "Fraudulent Web Page Blocked"

My anti-virus software was more alert than I was, today.

The Take-Away Message

What I take away from this is that the scholars who wrote Why Phishing Works were right:

We also found that some visual deception attacks can fool even the most sophisticated users.

As in all matters of computer security, the odds are stacked in favor of the attacker. They can send a thousand fake e-mails that you easily spot, and then the thousand-and-first comes along and manages to trick you. You need anti-virus software to be there to catch you when your judgment finally does fail.

Since no software is perfect, it would be an epic mistake to rely entirely on your anti-virus program to protect you 100% of the time. Therefore, keep doing what the experts tell you to do: stay alert, and don’t click on e-mail links.