Tuesday, March 14, 2006

Good advice

From Charles Stross:

Anyway, in this particular case I didn't get phished — but it's bloody easy if you lose track of the essentials: never disclose secret information — like your banking details or passwords — through a communications channel which you did not initiate for yourself.

Read his whole post.

I nearly got phished last week, in a new way: it was an eBay phishing scheme, and as these are a dime a dozen, I almost always just forward them to spoof@ebay.com and call it a day. (A year or two ago, I used to actually go to the fake site and fill in the fields with bogus info before forwarding to eBay, in the hope that maybe these turds would spend some time trying to steal a completely made-up identity. Now I don't bother.)

What was different this time was that the message wasn't the typical "Account security breach" or whatever -- the "Someone tried to log in, and we'll suspend your account unless you verify your info HERE". On eBay, when a seller tries to contact a buyer about a pending transaction, the communication is handled through eBay's systems which generate the e-mails according to certain forms. I got one of these, about an item I'd just purchased -- or so I thought. I dutifully clicked through, but the site was blocked (I was using AOL at the time) because of AOL's suspicion of phishing. I was totally baffled by this, as I'd definitely bought the item in question -- until I went back and looked closely at the e-mail. The eBay item number cited in the e-mail subject line wasn't even close to the item number on the item I'd bought. It was only then that I remembered that even in cases like these, eBay's procedures don't require full sign-on. Ugh.

I don't know how sophisticated this particular variation is. I don't know if they just send these kinds of e-mails in bulk to eBay members, assuming that some small percentage of them are going to get to people who actually have pending transactions, or if the scammers really do manage to send them only to people who have made recent purchases, and who thus might be even more susceptible to falling victim to this kind of thing.

On phishing e-mails, I'd add one item to Charlie's advice above: never log in to a financial site with which you do business by following a link to the site enclosed in a received e-mail. Even if you suspect that maybe something really is goofy with your accounts, open a new browser window and log into your account that way. Never follow links in e-mails purporting to come from financial institutions.
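The two checks the post describes, a transaction-style message citing an item number that matches none of your own purchases, and a link whose host is not actually eBay's, can be automated over a suspect message before anyone clicks. The following is an added example, not code from the original post or from eBay; the message texts are constructed samples, the trusted domain list is an assumption, and the item-number format (a 10- to 12-digit run) is a simplification of what eBay used at the time.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Registrable domains a genuine eBay transaction e-mail would link to.
# Assumption for this example; adjust for the site and region you use.
TRUSTED_DOMAINS = ("ebay.com",)

# Simplification: treat any 10-12 digit run as a candidate item number.
ITEM_NUMBER_RE = re.compile(r"\b(\d{10,12})\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the URL's host is a trusted domain or a subdomain of one.

    Uses the parsed hostname, so "signin.ebay.com.example.net" and
    "http://ebay.com@evil.example/" are both rejected: the first is a
    lookalike subdomain, the second hides the real host behind userinfo.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def item_numbers(text):
    """Extract candidate eBay item numbers from a piece of text."""
    return set(ITEM_NUMBER_RE.findall(text))


def check_message(raw_email, my_item_numbers):
    """Flag a seller-style e-mail whose item number or links do not add up.

    raw_email: the message as a single-part RFC 822 string.
    my_item_numbers: item numbers of the user's own recent transactions.
    Returns a dict with a verdict and the list of reasons for it.
    """
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    reasons = []

    # Check 1: an item number I never dealt with is a bulk-mailed guess.
    cited = item_numbers(subject) | item_numbers(body)
    unknown = cited - set(my_item_numbers)
    if unknown:
        reasons.append("cites item number(s) not in my transactions: "
                       + ", ".join(sorted(unknown)))

    # Check 2: every link must land on the real site's domain.
    for url in URL_RE.findall(body):
        if not host_is_trusted(url):
            reasons.append("link to untrusted host: "
                           + (urlparse(url).hostname or url))

    verdict = "suspicious" if reasons else "looks consistent"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real e-mails).
PHISH = (
    "From: seller@example.net\n"
    "Subject: Question from seller about item #1234567890\n"
    "\n"
    "Please respond to my question about your purchase here:\n"
    "http://signin.ebay.com.item-verify.example/ws/respond?item=1234567890\n"
)

LEGIT = (
    "From: seller@example.net\n"
    "Subject: Question from seller about item #2209876543\n"
    "\n"
    "Respond to the seller at https://signin.ebay.com/respond?item=2209876543\n"
)

if __name__ == "__main__":
    mine = {"2209876543"}
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw, mine))
```

Even a message that comes back "looks consistent" is only consistent, not verified: the item-number check catches the bulk-mailed guess the post describes, and the host check catches the lookalike domain, but a scammer who really does know your recent purchases passes the first one. That is why the advice above stands regardless of what this check says: open a fresh browser window and sign in at the site directly rather than through the link.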
