
Community Newsletter: Q&A: 6/24/05 How to recognize and avoid phishing scams

by Lee Koo (ADMIN) Moderator - 6/23/05 5:37 PM
Post 31 of 43

Why do the banks make it hard to be a "Good Guy"

by lodave - 6/24/05 10:56 AM In reply to: Phishing scams - the companies aren't helping by geodosch

What drives me to distraction is when one tries to report an attempted identity theft, the banks involved make it very difficult to find a simple, normal email address to which to forward the offending spam. Often they want you to fill out HTML forms, then to add insult to injury, the forms are often character limited, so when you try to copy/paste the necessary information it won't fit!
If all the affected financial institutions would simply establish a standard "spoof@bankname.com" or "Phishing@bankname.com", they'd get a great deal more feedback on a timely basis. No doubt many folks just give up and delete the spam.

There is an organization, clearing-house, as it were, collecting phishing spam. Be sure to copy/paste the FULL HEADER when forwarding the email:
Send to: Phishing <reportphishing@antiphishing.org>

Post 32 of 43

Links in email

by JohnSP - 6/24/05 9:02 AM In reply to: Phishing / Spam by ruffflam

Spammers often embed HTML links in the emails, so that opening the email creates a link to their page and they can track how many people are actually viewing their emails. (Actually the CNET emails also do this.)
One thing AOL has added to their emails, and that is a feature I really like, is that you can turn on an option to block all email links until you click an "ok" icon at the top to allow the links to proceed. Some emails come without the pictures, as they are links to the spammer sites to get the pictures (so the spammers can track their email hits); once I click ok then the images come in. That's one of the best email features ....

Post 33 of 43

Fake emails

by Weasellady - 6/24/05 8:25 AM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

I have had loads of these phishing scam emails and to recognize where it's from you highlight the sender, right click, then properties and it will give you the true address or sender unknown. If it's from a genuine company it will show up in the properties.

Post 34 of 43

Phishing

by granville1 - 6/24/05 11:15 AM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

I haven't had any phishing messages for quite a while. Maybe they gave up on me<g>.

I used to just go to the header and read the weird addresses listed there and know it had nothing to do with the purported sender.

Post 35 of 43

Big Thanks

by Dr Juice phD - 6/24/05 11:35 AM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

Thanks to everyone who chimed in on this topic. I thought I should just give everyone a little update since I sent this question in last month.

I'm using OS X 10.4.1 and I've taken full advantage of the security features it offers. Built-in Firewall and something called Stealth Mode (hi-tech sounding, isn't it). Stealth Mode "Ensures that uninvited traffic receives no response -- not even an acknowledgement that your computer exists." Just for physical security I've turned FileVault on, which encrypts the entire contents of my "Home" folder (the equivalent of C:\Windows or WINNT, Program Files, and the various "My" folders on Windows machines). FileVault decrypts these contents on the fly as I need them with no noticeable slowdown.

As for the phishing emails, they've slowed significantly. I still get a few from supposed banks that I'm a supposed customer of (but I've never heard of them) but the PayPal and eBay ones have pretty much stopped.

I should also mention that I use Google's Gmail service, which has its own phishing protection. Basically, any email from PayPal, eBay, or financial institution has the links in it disabled. In other words, if the text of a link says it's to the page "https://www.ebay.com/login..." then that's the text that will be displayed. No more linking to "http://206.54.234/kill.everyone" or whatever. If anyone out there is looking for a new email provider I'd encourage you to check it out, it's free.

I've also set up some "Rules" in Apple's Mail.app to try and sort out suspicious looking emails. Rules are just "If-Then-Else" statements that can be used to automatically organize your inbox. I have them set to flag any suspicious email in red.

As a final point I'd just like to ask, is there anything that eBay and PayPal can do? Why not change the login rules so that our email addresses are kept hidden and we create our own login name?

Post 36 of 43

How we stop phishing and spam dead in their tracks

by eric_d - 6/24/05 1:21 PM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

How does Zaep stop phishing and spam? Easy, 99.9% of spam and (to the best of my knowledge) 100% of phishing is sent from bogus or otherwise unchecked email addresses that will never respond to a Zaep challenge message! Your friends (who are not already on your whitelist) simply have to respond to the email from Zaep in order to add themselves to your Zaep whitelist.

All the Best,

Eric & Genieve
http://www.zaep.com

Post 37 of 43

Does reporting phishing attempts to "Abuse" help?

by dddiam - 6/24/05 8:27 PM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

I usually forward the phishing emails that I receive to "abuse@paypal.com", "abuse@SOMEBANK.com", etc. (whichever business in which they are phishing for account information).

I include an explanation, the original email header, and the original email heading and text.

Since I never receive more than an auto-response from such messages, I have no way of knowing whether the abuse teams actively pursue the phishing origins or not.

Does reporting phishing attempts help, or am I just wasting my time?

Am I reporting the attempts to the appropriate organizations?

- David

Post 38 of 43

Reiterating Joseph V.'s reporting suggestions

by dddiam - 6/24/05 8:49 PM In reply to: Does reporting phishing attempts to "Abuse" help? by dddiam

I should have read all of the threads before posting my question.

It sounds like "abuse@..." might not always be the appropriate organization to report phishing to (e.g., Joseph V. suggests "spoof@ebay.com" rather than "abuse@ebay.com").

Joseph V. lists the following organizations to report phishing to:

6) There are groups you can report phishing or spoofed e-mails to:

a) Forward the email to reportphishing@antiphishing.com

b) Forward the email to the Federal Trade Commission at spam@uce.gov

c) Forward the email to the “abuse” email address of the company that is being spoofed (spoof@ebay.com is an example)

d) When forwarding spoofed messages, always forward the entire original email with the original header information. You can do this by using the forward option of your email client.

e) You may also want to notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website which is http://www.ifccfbi.gov/


I would like to augment Joseph's Item "d", above. Forwarding the message might only include the original message's "pretty" heading (which is itself a spoof), rather than also its detailed, internal header. But most email clients also have an option to display the detailed, internal header, which can be highlighted, copied and pasted into the text of your spoof report.

- David D.
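Added example (not part of the post above): what the "detailed, internal header" holds that the displayed heading does not, shown with Python's standard `email` module. The raw message, its addresses and the report field names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed raw message; every name and address is a reserved documentation value.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbox.example.org; Fri, 24 Jun 2005 10:00:02 -0400
Received: from unknown (HELO mailer.example.net) (203.0.113.45)
\tby mx.example.org; Fri, 24 Jun 2005 10:00:01 -0400
From: "Example Bank Security" <security@examplebank.example>
Reply-To: verify@collector.example.net
Subject: Please confirm your account

Body text.
"""

def domain(header_value):
    """Domain part of the address in a header value ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def header_report(raw):
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    report = {
        # The "pretty" heading a mail client shows; the sender chooses it freely.
        "display_name": parseaddr(msg["From"] or "")[0],
        "from_domain": from_dom,
        "mismatches": [],
        # Each relay prepends its Received line, so reversing gives earliest hop first.
        "hops": [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))],
    }
    # A differing Return-Path or Reply-To is a signal to look closer, not a verdict:
    # legitimate bulk mail often bounces to a mailing provider's domain.
    for name in ("Return-Path", "Reply-To"):
        d = domain(msg[name])
        if d and d != from_dom:
            report["mismatches"].append((name, d))
    return report
```

Only the Received lines added by your own provider's servers are trustworthy; earlier hops are supplied by the sending side and can be forged, which is why abuse desks ask for the complete header block.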

Post 39 of 43

I got Phished

by leelaw33 - 6/24/05 8:29 PM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

Before I was aware of phishing, I got one of them from PayPal and opened their link and furnished the info requested. Fortunately, within an hour, I became aware of what I had done and was able to contact both PayPal and eBay to change my login and passwords before any damage was done. They both suggested that I contact my credit card bank immediately, which I did. Thanks to their 24 hr. customer service, they checked and nothing was charged, but they immediately closed that account and within 10 days, I had received my new card which I then logged into PayPal directly and updated my information. Pheewww, I lucked out. Now, every time I get one, I automatically forward the entire fake emails directly to spoof@paypal or ebay, which they immediately reply to me and confirm that it is a fake.

Post 40 of 43

Use tools to know where your data goes

by yoramn - 6/24/05 10:57 PM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

The phishing problem becomes more sophisticated and personalized. After I lost an auction on eBay I received a phishing email with a "second chance" to buy at the price I bid. The message did not send me to eBay and accordingly I suspected it and looked for a tool to know if it is OK to proceed.
I found a new tool - CallingID. This tool told me that the site I was sent to is "high risk" and I did not proceed.

CallingID told me where I am. Not only the name of the site but who owns it, and it added risk assessment.

I recommend trying it at www.callingid.com

Post 41 of 43

What little knowledge I've got to share with you!

by jonboy - 6/26/05 5:41 AM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

In all honesty, I know very little with all this computer stuff. I'm a woodcrafter which is why, at some times, I want to carve a new face to my PC! Nonetheless, that which I've seen that has been most useful in avoiding scams online/email is the use of Firefox email service. On top of that, I just won't respond directly to any email that relates to personal information. Instead, I'll go to that individual's homepage to verify whatever it is that email spoke of.

Post 42 of 43

Common Sense

by WendiLee - 6/26/05 12:06 PM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

Common sense is the best solution. Keep track of who you do business with and never give out personal information by email. When I get an email by a business that I do business with and I don't know if it is legit I always send back the email to their spamming department. They will let you know that it was legal or not.

I got 7 out of 10 on the phishing IQ test.

Post 43 of 43

Digital Signature. Use Them!

by ChrisRM - 6/27/05 3:51 AM In reply to: 6/24/05 How to recognize and avoid phishing scams by Lee Koo (ADMIN) Moderator

Everybody seems to have picked up on the trivia and no one on an attempt at a solution.

I would like to pick up on a phrase used once in passing by one of you respondents and that is DIGITAL SIGNATURES.

If we, the end user, take it upon ourselves to make it much easier to recognise a dangerous email then the point in generating these emails also reduces. If nobody ever falls for a phishing attack then there will be no point in creating them. Bonus, the internet gets back a bucket of bandwidth currently wasted on spam/phishing email.

Surely digital signatures would go a long way to reducing this problem, after all the spammer/phisher's whole purpose is to be anonymous, so they would not use them. If everybody got a digital signature thus proving who you are, anything arriving in your inbox without a signature could be considered suspicious instantly.
Of course all the legitimate email from companies/banks etc. would also have to come with a digital signature as well. Come on online retailers, get your act in gear.
I can't count the number of times I have been asked to put information in an email that should be secure, and when I asked for their digital signature, have been told, “Duh, what's that”, and have gone elsewhere because of it.

As an aside you can also use a digital signature to login to web sites; this would be a great enhancement and a great way to reduce the multitude of userid/password pairs that we have to remember. You can also encrypt email when you have a digital signature, or rather if the recipient has a digital signature and you have their public key. So nobody else can read your arrangements for the family get together next Sunday at mother's house. Not even your mother if it's supposed to be a surprise, and we all know if anybody is going to hack into a family secret it's gonna be your mother.

What are the reasons that we don’t do this:
1. A misguided requirement for anonymity while on the web.
2. WebMail does not recognise signatures yet, but it could with some effort from ISPs etc.
3. It is not always simple and straightforward to set up and use a signature in your email client. Some good “home user” targeted documentation could solve this.
4. Email arriving in your inbox containing a digital signature looks a little scary the first few times because the messages it gives instil fear rather than security. Well Outlook does anyway.
6. Oh yes of course “COST”. Well “FREE” digital signatures are available, I know CACert.org provide them and I believe that Verisign have also started supplying them for home uses as well.

One possible drawback would be an increase in Taxes, as government would have to invest in a lot of big iron so that they could decrypt that email about the family get together next weekend. Or maybe they would just give up under the pressure and do a little research on whose email to try and crack.

Of course there may be some drawbacks I have not considered. Maybe this would make a good discussion in itself.
