The Expanding Taxonomy of Unwanted Email: Phishing
Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@uoregon.edu
If we were to talk about a taxonomy of unwanted email, there are some forms
that are unfortunately all too familiar:
- viruses, worms, trojan horses
and other email-borne infectious malware
- pillz spam, porn spam, mortgage spam, and other spam for a variety
of dubious or illegal products
- 4-1-9 advance fee fraud scams, online lottery scams, and other
con games conducted by email
- pump-and-dump stock fraud, whereby penny stocks are hyped to unsupportable
levels, only to be quickly sold by those who'd hyped them
In addition to these, another form of unwanted email has recently become
common: phishing (pronounced "fishing") email messages.
Phishing email messages attempt to con you into believing that your bank or
brokerage (or your credit card company, an online merchant, or perhaps eBay/PayPal)
urgently needs you to "confirm" the details of your account with them. If you
fall for the ruse and dutifully "confirm" your account number and provide your
password or PIN, the miscreants behind the message will use that information to
clean out your account or to order merchandise in your name.
In the old days, ruses of this sort were easily spotted: the solicitations
were crudely executed and often contained spelling or grammar errors that might
make people wary. These days, however, the quality of phishing emails has become
quite professional, making them virtually indistinguishable from legitimate
messages.
We therefore urge you to:
- Never, under any circumstances, click on any links you may receive
in an email solicitation
- Never, ever, provide sensitive information in response to any email
you may receive
- If in doubt, use the phone to call your bank, credit card company,
or other business, using the number that's on your bank statement or the
back of your credit card (don't trust a phone number that may be provided
in what may turn out to be a phishing email message)
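The three rules above come down to not trusting what a message shows you. As an added example (not part of the original article), the following Python script shows what the headers and links of a phishing message look like when you examine them instead of clicking: it parses two constructed sample messages (a fictitious bank, reserved example hostnames, documentation IP addresses) and flags the usual tells: a Return-Path domain that differs from the From domain, an earliest Received hop that never touched the claimed sender's mail system, links whose visible text names one site while the href points at another, links to bare IP addresses, and links that leave the sender's domain. All of these are heuristics rather than proof; an institution that outsources its mailings can trip the relay check, and a phisher who registers a plausible domain can avoid some of the others.

```python
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). Hosts use reserved example
# names and documentation addresses; the "bank" is fictitious.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.uoregon.example (Postfix) with ESMTP id 3F2A1B
\tfor <user@uoregon.example>; Mon, 11 Apr 2005 09:12:44 -0700 (PDT)
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net with SMTP; Mon, 11 Apr 2005 09:12:40 -0700
From: "Example Bank Security" <security@examplebank.example>
To: <user@uoregon.example>
Subject: Urgent: confirm your account
Content-Type: text/html; charset=us-ascii

<p>Please <a href="http://198.51.100.23/examplebank/login">confirm your account</a>
within 24 hours at <a href="http://examplebank.example.secure-verify.example/">https://www.examplebank.example/</a>.</p>
"""

SAMPLE_LEGIT = """\
Return-Path: <alerts@examplebank.example>
Received: from mail.examplebank.example (mail.examplebank.example [192.0.2.10])
\tby mx.uoregon.example (Postfix) with ESMTP id 9C41D2
\tfor <user@uoregon.example>; Mon, 11 Apr 2005 10:02:01 -0700 (PDT)
From: "Example Bank" <alerts@examplebank.example>
To: <user@uoregon.example>
Subject: Your April statement is available
Content-Type: text/html; charset=us-ascii

<p>Sign in at <a href="https://www.examplebank.example/">https://www.examplebank.example/</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_header):
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def analyze(raw_message):
    """Return header/link observations for one RFC 822 message with full headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From"))
    rp_domain = _domain(msg.get("Return-Path"))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")

    # Each relay prepends a Received header, so the last one is the earliest hop.
    # A message that never touched the claimed sender's mail system is suspicious
    # (a heuristic only: some institutions outsource their mailings).
    hops = msg.get_all("Received", [])
    if hops and from_domain not in str(hops[-1]).lower():
        findings.append(f"earliest hop does not mention {from_domain}: {str(hops[-1]).split(';')[0]}")

    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        try:
            ipaddress.ip_address(host)
            findings.append(f"link target is a bare IP address: {href}")
        except ValueError:
            pass
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append(f"link text shows {shown} but points at {host}")
        if host != from_domain and not host.endswith("." + from_domain):
            findings.append(f"link host {host} is not under sender domain {from_domain}")

    return {"from_domain": from_domain, "hop_count": len(hops),
            "links": extractor.links, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(raw)["findings"])
```

Run it and the phishing sample produces six findings while the legitimate sample produces none. The point of the exercise is the order of reading: headers and hrefs first, visible text last, which is the reverse of what the message is designed to make you do.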
When you initiate a visit to a website to perform a financial transaction,
whether ordering merchandise or paying bills online:
- Don't use a computer in a cyber cafe or other public space; there's
no way you can tell what sort of snooping software or spyware may be on
the system from an earlier user. Use your own computer instead, and be sure
your antivirus software and antispyware software are up-to-date and have
scanned your system recently.
- Be sure you're running the latest version of a secure browser,
such as (at this time) Firefox 1.0.3. Some other browsers, including earlier
versions of Firefox, may have known security vulnerabilities which can
be triggered by nothing more than visiting a "booby-trapped" web page.
- Be careful to ensure that you correctly enter the exact URL of
the site you're trying to visit; online crooks have been known to register
look-alike URLs that take advantage of common typographical errors or omitted
punctuation in an effort to snag customers who are trying to visit legitimate
online commerce sites.
- Pay attention to any certificate-related warnings you may receive.
Certificate-related warnings may be a sign that you're not dealing with
the site you think you are!
- Beware of autocompletion of online forms and password fields: some
browsers will try to "help" by automatically saving your account information
(potentially including your password) in the browser's settings; this
can be a disaster, particularly on shared PCs in labs or other public areas.
- When you're done, be sure you completely log out from the site
you were using, and be sure to also completely quit the browser you were
using. Don't simply close the browser window you were using (someone may be
able to pop up a new browser window and do additional transactions as "you").
Technically inclined users will also want to review and delete any cookies
or temporary files left cached on the system.
- You may want to periodically request a free credit report to ensure
that no one has obtained credit cards or other financial services in your
name without your knowledge. For more information on obtaining free credit
reports, see http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm
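The look-alike URL problem in the list above can be made concrete. The following Python script is an added example, not from the original article: given a constructed allowlist of the sites you actually use (fictitious example names stand in for the real hostnames on your statements), it classifies a URL you are about to visit as the real site, a genuine subdomain of it, or one of three look-alike patterns: punctuation omitted ("wwwexamplebank.example"), the real name embedded in someone else's domain ("examplebank.example.secure-verify.example"), or a one-or-two-keystroke typo ("examp1ebank.example"). The edit-distance threshold of 2 is a demonstration value; with short domain names it will need to be tightened.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of the sites you actually bank or shop with (fictitious
# example names; a real list holds the exact hostnames from your statements).
LEGIT_DOMAINS = ["examplebank.example", "paypal.example"]


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url_or_host):
    """Lower-cased hostname of a URL, or of a bare host given without a scheme."""
    s = url_or_host.strip().lower()
    if "//" not in s:
        s = "//" + s
    return (urlsplit(s).hostname or "").rstrip(".")


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _squash(host):
    return re.sub(r"[.-]", "", host)


def classify(url_or_host, legit_domains=LEGIT_DOMAINS):
    """Return (verdict, matched legitimate domain or None) for a URL or host."""
    host = hostname(url_or_host)
    norm = _strip_www(host)
    # Exact match or a genuine subdomain: the only forms that count as legitimate.
    for d in legit_domains:
        ld = _strip_www(d)
        if norm == ld or norm.endswith("." + ld):
            return "legitimate", d
    for d in legit_domains:
        ld = _strip_www(d)
        # "wwwexamplebank.example": a dot or hyphen dropped from the real name.
        if _squash(host) in (_squash(ld), _squash("www." + ld)):
            return "lookalike: omitted punctuation", d
        # "examplebank.example.secure-verify.example": the real name is only a
        # prefix or label; the registrable domain belongs to someone else.
        if ld in norm:
            return "lookalike: embeds legitimate name", d
        # "examp1ebank.example", "exmaplebank.example": one or two keystrokes off.
        if levenshtein(norm, ld) <= 2:
            return "lookalike: typo", d
    return "unrelated", None


if __name__ == "__main__":
    for u in ("https://www.examplebank.example/login", "http://wwwexamplebank.example/",
              "http://examp1ebank.example/", "http://examplebank.example.secure-verify.example/"):
        print(u, "->", classify(u))
```

The check that matters most is the first loop: only an exact match or a true subdomain of a name on your list is accepted, and everything else, however familiar it looks, is something to stop and inspect before entering a password.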
If you do ever mistakenly provide private account information to a fraudulent
site, or if you notice unauthorized charges or withdrawals on a monthly account
statement, you should immediately contact the security department of that
financial institution or merchant.
In many cases your financial institution can take steps to limit your exposure,
or they may even be willing to fully or partially reimburse you for your
losses, but they need to hear from you as soon as you notice anything amiss.
If you're a UO faculty member, staff person, or student and you receive
phishing email messages on your Darkwing or Gladstone account, you should report
them as you would any other Darkwing or Gladstone spam: within a day or so
of the time the message was sent, forward a complete copy of it with
full headers (http://micro.uoregon.edu/fullheaders/) to spam@uoregon.edullynch@darkwing.uoregon.edu
Learn More About Phishing
- Anti-Phishing Working Group: http://www.antiphishing.org/
- How Not to Get Hooked by a 'Phishing' Scam: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
- Mail Frontier Phishing IQ Test II: http://survey.mailfrontier.com/survey/quiztest.html
- U.S. Senate "Anti-phishing Act of 2005," S.472: http://thomas.loc.gov/
Spring 2005 Computing News