I can't think of any industry that sucks up as much creative energy as online scams. Perhaps if evildoers put their creative efforts to good use, we might all be living in a golden age of technology. Instead, we inoculate ourselves almost daily against the menace that preys upon us.
As Microsoft fills and covers Outlook's security holes, you'd think the evildoers would slowly melt away. Not on your life! They just work smarter. I'm referring to phishing — those e-mails that lure people into sharing personal and financial information. My Gmail account receives a dozen or so of these messages every week.
The problem is, phishing works. The evildoers go to great lengths to convince you that their request (or demand) is legitimate, and a lot of them make it past Outlook's junk filter. You can't really blame Outlook, though. The messages arrive with professional-looking logos and legalese that's convincing or scary. In an effort to cooperate, all you have to do is click the handy-dandy link they've so graciously provided. How kind they are!
Clicking the link takes you to an equally professional site that then asks you for credit card numbers, bank account numbers, your social security number, and so on. Unfortunately, a lot of people fall for the evildoers' schemes. At the very least, a click confirms that your e-mail is valid and working, and the evildoer sells it, over and over again.
The only real solution is to be wary of all links, even when an e-mail message looks official. If you receive a message asking you to visit a Web site, find out who's behind the message by checking the link's domain through WHOIS before you click anything! Here's how:
- DO NOT CLICK THAT LINK!
- Hover your mouse over the link and note the domain in the address that Outlook displays. You can't click inside the address box to highlight the text, so just copy it down on a piece of paper. The domain is the component that precedes dot com. For instance, the domain for http://www.techrepublic.com/ is techrepublic.
- Point your Web browser to http://www.whois.net.
- Enter the domain from the e-mail's link in the WHOIS Lookup control and click Go.
- WHOIS will display details about the site, including the company or person who registered it.
If your e-mail's supposedly from a bank or charitable institution but is registered to some obscure company, or worse yet, an individual, out of China, India, or the moon, you'll know you've been phished. Congratulate yourself for not taking the bait.
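The lookup steps above can be scripted. This Python sketch is an added example, not part of the original article: it picks the domain to look up out of a link and reads the registrant fields from a WHOIS reply. The link, the WHOIS text and the short suffix list are constructed for illustration. The name to check is the rightmost registrable name in the host, which is not always the one sitting in front of the first "dot com".

```python
from urllib.parse import urlsplit

# Simplification for this example: a few two-label public suffixes.
# A production tool would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def lookup_domain(href):
    """Return the registrable domain to paste into a WHOIS lookup."""
    host = urlsplit(href).hostname or ""   # drops scheme, userinfo, port, path
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_whois(text):
    """Collect 'Key: value' lines from a WHOIS reply (first value wins)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def registrant_matches(fields, claimed_name):
    """True only if the registrant organization names the claimed sender."""
    org = fields.get("registrant organization", "")
    return claimed_name.lower() in org.lower()

# Constructed sample: the message claims a bank, the host is something else.
SAMPLE_HREF = "http://www.examplebank.com.account-check.example/login?id=1"
# Constructed WHOIS reply for the domain that link really points to.
SAMPLE_WHOIS = """\
Domain Name: ACCOUNT-CHECK.EXAMPLE
Creation Date: 2024-01-05T10:00:00Z
Registrant Organization: Privacy Shield Ltd
Registrant Country: ZZ
"""

if __name__ == "__main__":
    domain = lookup_domain(SAMPLE_HREF)
    fields = parse_whois(SAMPLE_WHOIS)
    print("look up:", domain)
    print("registrant:", fields.get("registrant organization"))
    print("matches claimed sender:", registrant_matches(fields, "Example Bank"))
```

A registrant that does not name the claimed sender, or a very recent creation date, is a reason to go on to the phone call or search-engine check described next.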
If, after reading the registration information at WHOIS, you're still not certain, you can always call the company the e-mail is supposedly from and ask. Better yet, use a search engine to find their legitimate Web site and forward the e-mail to them.
At the risk of repeating myself, if you believe an e-mail is phishing, follow these simple guidelines to protect yourself:
- Never open an attachment, even if it looks official.
- Never click the provided link.
I hope no one minds this detour from my usual Office tips. Phishing's been around for a while, but it doesn't seem to be going away anytime soon. I think checking WHOIS is a good way to protect yourself when a message smells phishy.
Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.