Tis The Season for Some Phishing

The Holiday Season is upon us, and along with the numerous Santa's Helpers, elves, candy canes, decorated Christmas trees, lawn ornaments, sales, wrapping papers and horrific fruitcakes comes a rush of fraud and theft as computer-toting criminals try to secure a little holiday cheer by stealing yours. So, to keep you and your hard-earned money together just a little longer—there is no defense against a doe-eyed three-year old so forget it—we are take a little phishing trip.

Phishing Without a Rod and Reel

What got me on this topic today was an e-mail I received this morning (working URLs have been altered for your protection). It read:

Secure Message Center

Account: Capital One® credit card
Date: 11/28/2008

We'd like to inform you that your secure mailbox has 1 new message.

Please visit Online Banking and select the Message Center tab to read your message(s).

(The message center contains only important information about your account and online banking.)

Important Information from Capital One

Contact Us | Privacy

This e-mail was sent to you and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

Capital One and its service providers are committed to protecting your privacy and ask you not to send sensitive account information through e-mail. If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

©2008 Capital One. Capital One is a federally registered service mark. All rights reserved. 15000 Capital One Drive, Attn: 12038-0111, Richmond, Virginia 23238. To contact us by mail, please use the following address: Capital One, PO Box 30285, Salt Lake City, Utah 84130-0285.

09860 025 001

I have included everything in the message, including the fine print. I have even kept the links live. The bottom two, Contact Us and Privacy both go to CapitalOne and are not problems. They are there to add legitimacy to the whole email. The problem is the link to Online Banking. It takes you to an address that is known for being phishing and malware attack site. In other words, if you clicked on that link, and it was not disabled and your browser did not stop you (as Firefox would), you would be taken to a website where you would be expected to put in personal information. When you did, that information would not go to a bank representative, it would go to a thief who would use it to steal your money and identity.

That is how phishing works. You are the one who hands the information over to the thieves because they fool you into thinking that they are legitimate, that their request for information is simply business as usual. The other side of the coin is the attack site. An attack site is a website that plants malware onto your system when you visit it. The troubling thing is that even trusted sites can become attack sites if they have been hacked into.

Don't Get Hooked! Protect Yourself Against Phishing

There are a variety of things you can do. The good folks at StopBadware.org put up this list of precautions:

  • Keep your operating system, browser, and anti-virus software up to date

  • Only download software from websites you trust

  • Be cautious when clicking on pop-up advertisements

  • Be skeptical of offers that seem too good to be true

  • Be wary of clicking links from unknown senders in email and instant messages

  • Whenever downloading or installing software, read the license agreement and policies carefully

The Bottom Line

These are some good ideas, and a visit to StopBadware will certainly be an education in how to deal with malware, but there is one thing you can do that is really more important than any technological fix. You have to think before you click a link. If something looks strange, or its a stroke of good fortune that feels a little too good, then you have to question it. You are the greatest security tool you can have. After all, how did I know after looking at that email for less than a second that it was a fraud?

I don't have a CapitalOne account. That's right! I have something else in my wallet.