Keep users from biting on that phishing expedition

Phishing: (fish´ing) (n.) The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.

(Definition is cut and pasted from Webopedia.)

Those of us who have been in IT for many years find it easy to spot a cyber scam when we see one. Yet even the savviest among us can be tricked if we let our guard down, even for a fleeting second. I'll admit that I have been fooled when I should have known better: one small departure from a familiar routine caused me to overlook what would otherwise have been a glaring red flag.

It happened when I had quite a number of items listed for sale on eBay and was getting questions about them at the rate of one or two every couple of days. My normal routine was to go home at the end of the day, download my email into Outlook, and answer those questions as needed. On this particular occasion, however, I was out of town for a couple of days, and I checked my email from another person's computer by logging into my account through my email provider's Web interface.

Sure enough, there was an email from a potential buyer asking a question about one of my eBay items. I clicked the Reply Now button, which should have let me answer through the proper eBay channel (rather than simply replying to the email), and I was taken to a page asking me to log into my eBay account. That, of course, meant providing my eBay user name and password. Had I been on my own computer, the link would probably have taken me straight to the eBay page for answering the question, with no login required. And even if I had been logged out of my eBay account, that page would have remembered my user name and asked only for my password. But I wasn't at home; I was using both a different computer and a different interface, so it seemed perfectly reasonable that I was being asked for both my user name and password.

So what should I have noticed? Which red flag, or red flags, did I miss? I have answered so many eBay questions over the years that I know how the notification email is structured and what information belongs in it. The subject line should have read "You've received a question about your eBay item, Widget – New in the Original Box". Instead it read "You've received a question about your eBay item number 123456789", and the same substitution appeared in the body of the email. The vague nature of the question itself, a request for a phone conversation to discuss the item for sale, should also have raised my suspicion.

But I bit, hook, line, and sinker. I had become a catch for people on a phishing expedition, and I had freely handed them my eBay user name and password. Fortunately, I recognized almost immediately that I had been duped: instead of the page that would have let me answer the question, I was simply shown the same login page again. At that same moment it dawned on me that the subject and body of the email had been wrong, and that is when the sick feeling set in that I had just been had.
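One red flag the story does not list is mechanical rather than a matter of memory: where the Reply Now link actually points. The following Python script is an added example, not code from the original post. It parses a constructed message styled after the fake eBay notice described above (the attacker domains end in .example and the address 203.0.113.5 is a documentation range, so nothing here is a real site), pulls every link out of the HTML, and reports whether the host a browser would really connect to belongs to an assumed allowlist of legitimate domains. The allowlist contains only ebay.com for illustration; a real one would also carry eBay's country sites. The check deliberately catches two common tricks: the legitimate name used as a subdomain of an attacker-controlled domain, and the legitimate name placed in the userinfo part of the URL ahead of an @ sign.

```python
"""Added example (not from the original post): inspect where an e-mail's links really point.

The messages below are constructed samples styled after the fake eBay question
notice described in the story; they are not real e-mails.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain we are willing to log in to. A real allowlist
# would also carry eBay's country sites (ebay.co.uk, ebay.de, ...).
LEGIT_DOMAINS = {"ebay.com"}

SAMPLE_PHISH = """
<p>You've received a question about your eBay item number 123456789.</p>
<p>Hi, could we talk on the phone about this item?</p>
<p><a href="http://ebay.com.item-questions.example/reply?item=123456789">Reply Now</a></p>
<p><a href="https://signin.ebay.com@203.0.113.5/login">Sign in to eBay</a></p>
"""

SAMPLE_LEGIT = """
<p>You've received a question about your eBay item, Widget - New in the Original Box.</p>
<p><a href="https://contact.ebay.com/ws/reply?item=123456789">Reply Now</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(url):
    """Return the domain a browser would actually connect to for this URL.

    urlsplit().hostname drops anything before an '@' (the userinfo part), just
    as a browser does, and only the last two DNS labels are kept. That is a
    deliberate simplification: it does not know multi-label public suffixes
    such as co.uk. An IP-literal host is returned as-is; non-http(s) schemes
    (javascript:, data:) return None so they never match the allowlist.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def classify_links(html):
    """Return a list of (anchor text, href, domain, verdict) for every link."""
    parser = LinkExtractor()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        domain = registrable_domain(href)
        verdict = "ok" if domain in LEGIT_DOMAINS else "suspicious"
        results.append((text, href, domain, verdict))
    return results


def has_suspicious_links(html):
    """True if any link would take the reader somewhere outside LEGIT_DOMAINS."""
    return any(verdict == "suspicious" for *_, verdict in classify_links(html))


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(f"--- {name} ---")
        for text, href, domain, verdict in classify_links(sample):
            print(f"{verdict:10s} {text!r:20s} -> {domain} ({href})")
```

Both phishing links in the sample are flagged: the first because the browser would connect to item-questions.example, not ebay.com, and the second because everything before the @ is discarded and the real host is a bare IP address. Hovering over the link in a mail client reveals the same thing, but only if you look; the safer habit the story points to is to ignore the link entirely and reach the site through your own bookmark or by typing the address.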

Suffice it to say, I changed my eBay password within about 30 seconds and gave myself the severe verbal lashing I well deserved. But I was out of my normal element, and I didn't notice that slight difference. I was also in a hurry to get off this person's computer, because he was starting to show signs of needing a fix for his daily Internet poker addiction. I mean, he was shaking profusely and talking nonsense! (Just kidding about the poker thing, but not about being in a hurry.) During that fleeting second, I had let my guard down.

I often share stories like this with my users to help educate them about email and Internet scams. Very few such scams get through to their company email accounts, but I still mention it from time to time so they don't get taken at home. I don't want to see them fall for these scams even on their personal time, so it's well worth the few minutes it takes to raise it in a meeting or a company-wide email. In fact, it's on my list of things to do at least once a year, and with a new year approaching it's time to move it to the top of the list.
