A Memo On Phishing > Printable View

Notice: I'm using much of the information -- at times, verbatim -- on this page for an article I'm writing. Thanks to everybody who's visited this page, linked to it, or said kind things about it; I hope you found the information useful.

JOE, WHO STILL SAYS GRUMPY BEAR IS AWESOME
14 MARCH 2005

PRINTER-FRIENDLY VERSION:
To print, go to "File" then "Print" on your browser.

This article is available online at
http://www.geocities.com/phishingmemo

Click here to return to normal view.

A Memo On Phishing: What You Need To Know Right Now

About this page

Phishing is one of the fastest-growing online crimes in recent memory. Millions of people are being affected and billions of dollars are getting stolen through phishing. This page seeks to shed some light on the phishing process and what you can do to avoid becoming a victim.

If you find the information on this page helpful, I encourage you to send it to a friend or two who you think would find it helpful as well. (This page is a little sarcastic, so if they're easily offended, you might consider sending the less offensive version of this page.) Alternatively, you can print the page, xerox it, and hand out copies just outside a local Arby's. (I'm kidding -- I'd never encourage somebody to go near an Arby's. But I do believe getting the word out is important.)

Any comments can be directed to [email protected].

What is phishing?

Phishing is a technique used to extract personal information from victims by means of deceptive and fraudulent emails for identity theft. Once phishers have this personal information, they can use it to make purchases in their victim's name, steal money from their victim's bank account, or, in many cases, simply screw with their victim.

Phishing is illegal and is fast becoming a crime epidemic. To date, millions of computer users -- particularly new and inexperienced users -- have fallen victim to phishers. It's estimated that up to one in twenty users who receive a phisher's email will respond to it, unknowingly providing enough sensitive information to incur tremendous financial losses.

Kind of makes you wish for the days when the biggest scams on the Internet were ones that promised "four inches or your money back," huh?

How do I know if an email is from a phisher?

I liken phishers to the producers of American Idol: You just want to say that they're evil douche bags. But then you realize how effective they are, and you go, "Those geniuses! Those evil, douche-bag geniuses!" And it's true -- much like Idol producers, despite how clearly unethical they are, you have to be impressed at how good they are at what they do.

In any case, there are a few signs typical of a phisher's email:

The email specifically states it's not a scam. It's kind of like when a cop stops a guy for speeding, and he immediately sputters out, "I didn't murder anybody! You can't prove anything!"
The email requires immediate action of some sort, especially when it's out of the blue. Many emails would say something like "Account verification needed" or "Update your information," threatening to "terminate the account" if you fail to do so. Skepticism is your friend.
The email asks you to email back sensitive information. There is virtually no legitimate business that will ask a customer to do this; the typical email usually has no protection and is very insecure. Put it this way: If your bank actually uses this as a method of verifying account information, you need to switch banks.
The email contains a link which leads to a form where you're told to input your sensitive information. These forms are often cleverly duplicated pages on a phisher's site; phishers duplicate the general format of a company's page right down to the logos, layout, and fonts to create a sense of legitimacy. The information you provide in the form, however, will be sent to the phishers for them to enjoy (and buy GameCubes with, which they'll also enjoy).
The email contains typos or blatant grammatical mistakes. These companies hire people to write actual customer service emails; it's what they do. A typo isn't a big deal, and a split infinitive isn't something to get too worried about. However, in particular, you should watch out for:
- Two or more typos/misspellings.
- Run-on sentences, like "We need to confirm your information, thank you for your time."
- Weird capitalization, like "You are a Valued customer, and we appreciate Your business."
- Blatantly bad syntax, like "Our records is indicating your information are outdated."
- Incorrect brand spellings, like an eBay representative writing "Ebay" or "e-Bay."
The email is impersonal. In many cases, legitimate organizations will provide some sort of personalized information in the email; for example, your account number or your first name ("Dear Bob"). The goal of phishers' emails is to get this information, so obviously they wouldn't have it. Thus, the email is impersonal ("Dear Valued Customer") with no personalized details.

I think I received a phishing hook. What do I do?

Well, first, stop saying "phishing hook." The various puns derived from "phishing" annoy me. Then, you can do this:

Don't download any included attachments. Despite what the email says, most legitimate organizations don't require their customers to download emailed programs to maintain accounts. Even if Citibank has promised that the attachment is porn, don't download it.
- If you're really desperate for porn, support free media and go out and buy a magazine containing images of attractive naked people of the gender to which you're attracted. First Amendment, baby -- use it or lose it.
Don't follow any links within the email, especially if the provided link is a long and cumbersome link. Instead, open a browser window, and manually type in the web address of the company (e.g., "http://www.ebay.com") and follow links there.
Contact customer support of the company who supposedly sent you the email via email or phone, and ask them to verify whatever claims are being made in the email ("I received an email telling me my account may be canceled if I don't confirm my account number; is this true?").
- Do NOT respond to the original email. Get the email address from the company's website after manually typing in the address.

I'm na�ve. What else do I need to know?

Funny you should ask. It's as if that question is completely contrived and asked merely to provide a place for more advice.

Images can be forged. Just because it has the Citi logo and a copyright (in a circle!) at the bottom of the email doesn't mean it's legitimate. Look, there's a Citi logo! And look, here's a copyright thingie! © It's not that hard.
Return addresses can be forged. It's not much more difficult to create forged email headers; don't be surprised if that unsuspicious, kindly email from [email protected] is really from [email protected]. Or something.

What can I do to safeguard myself against phishers?

Reading this article is a great first step; one for which you should pat yourself on the back. Go on. You deserve it.
Be careful. Reading this thing is great, but you really ought to follow its instructions.
Keep track of your various online accounts, and regularly log into them. The whole "We need to verify your information/Your account has been inactive" thing is the most common phishing tactic out there; if you ensure your accounts are indeed active, it takes some credence away from phishers' emails.
Inspect your bank and credit card statements. If you find something wrong, report it to your bank or credit company immediately.
- If you have been the victim of phishing, visit the Anti-Phishing Working Group's site at http://www.antiphishing.org/consumer_recs2.htm for more in-depth information about what to do and links to other resources.

Your site sucks. Where can I get more information?

First of all: Sticks and stones may break my bones, but words hurt -- on the inside.

And second, the Anti-Phishing Working Group maintains a very comprehensive site on this subject. Check them out at http://www.antiphishing.org.

I've been phished. Should I feel bad about myself?

No, absolutely not. Millions of people have been phished; you aren't alone. Also, it's a particularly clever crime, one that has fooled not only computer neophytes but tech savvy people as well. The important thing is you act quickly to fix whatever damage there might have been and be careful in the future.

Also, it would be nice if you tried to help others avoid the same mistake. I strongly encourage you to forward this site's address to your friends and family. (If you think your friends and family won't be impressed with this site's choice of language, a less snarky and vulgar version of this page is available at http://www.geocities.com/phishingmemo/index.htm. It's all the same information, stripped of the offensive attempts at humor.)

I'm a phisher. You got a problem with that?

Yes, I do. Please stop. And here's why:

One of these days, you're going to phish a small, middle-class family, struggling to make ends meet. And then suddenly, little Bobby isn't able to go to college to become a scientist. So instead, he has to become a stripper. And Bobby is ugly. So when you phish, you're possibly putting an ugly stripper out in public, where he'll terrify many an eager partygoer with his horrifyingly lumpy naked body and gyrating man bosoms. And if you can live with that on your conscience, well, you have a colder heart than I.

Besides, there are lots of evil legal ways to get money. Why not get a job at the RIAA?

So who are more evil? Phishers or Idol producers?

On one hand, phishers have cost people billions in stolen money. This is money that might have been needed for hospital bills, college tuitions, or just putting food on the table. It's truly a heinous crime. On the other hand, it wasn't phishers who produced Clay Aiken.

It's a coin flip, I guess.

Produced by Joe, who says Grumpy Bear is awesome.
Last revision: Monday, January 17, 2005.
Available: http://www.geocities.com/phishingmemo

Hosted by www.Geocities.ws