Protect Yourself From a 'Phishing' Expedition
By now, most computer users know their bank would never ask for account information in an email and that an urgent plea for a $5,000 wire transfer isn't really from a Nigerian prince.
But cyber-criminals are getting sneakier and too many people still don't know an online scam when they see one, says Jason Hong, an assistant professor at Carnegie Mellon University who researches how people interact with computers. "It is a little scary to see how creative the bad guys can be," he says.
Hong's specialty is security and he's an expert on phishing attacks, some of the most predominant online scams today. Instead of exploiting weaknesses in computer software, criminals use phishing attacks to prey on weaknesses in people - especially their fears or greed - to get them to share a Social Security number or the password to a 401(k) account.
The day I talked with Hong he'd just stepped off the plane from Brazil, where he attended the biannual meeting of the Anti-Phishing Working Group, an industry association that tracks phishing attacks worldwide and runs internet fraud prevention campaigns.
When he's not teaching, Hong is chief technology officer at Wombat Security Technologies, a company that creates anti-phishing training software and other programs to combat fraud online. He detailed some of the latest scams and what you can do to protect yourself.
SA: What is phishing?
Hong: Phishing attacks trick people into sharing sensitive information. The most common is a "Please update your account" email. If you click, it takes you to a fake site that looks like the real one. If you put in your password and name, you've given them to the criminal, and they can use them to steal your money, national security secrets, a whole host of things.
SA: How have attacks evolved from the original Nigerian prince scams?
Hong: Appeals to fear or greed are the most common types of attacks right now. They pressure you, saying 'You have 24 hours to respond or your account will get shut down.' I almost fell for one, a survey that looked like it was from a bank that offered $10 for filling it out, but at the end it asked for my account information. They're also becoming more sophisticated. In Brazil I heard about an online dating service where an attractive woman sends you photos and after some time asks for funds so she can visit. Another really creative one was a fake job posting for going to work on an oil rig. They asked people to come to Germany for training and told them to put some dollars down for training. Any time anyone is asking for money it's a potential scam.
SA: Where are attacks taking place?
Hong: Email is still the most common vector for these attacks because almost everyone has an email account. But we've also seen them on social networking sites, in voice over IP services like Skype, SMS and instant messaging. On IM it might be as simple as, "Hey, check out this site," and you click on a fake link. Or it could take you to a site that will install malware on your computer.
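As an added illustration that is not part of the interview, here is a small Python check for the two signals Hong describes: a link whose visible text names one site while its href points to another, and the pressure language of a "You have 24 hours" appeal. The email body and domain names are constructed samples, not real messages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): an urgent "update your account"
# message whose link text names the bank but whose href goes elsewhere.
SAMPLE_EMAIL = """<p>Your account will be shut down in 24 hours.</p>
<p>Please <a href="http://login-verify.example.net/update">update your account at
www.examplebank.com</a> now.</p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">www.examplebank.com/help</a>.</p>"""

# Phrases typical of the fear/pressure appeals described in the interview.
PRESSURE_PHRASES = ("24 hours", "shut down", "update your account", "verify your account")

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Last two labels as a crude stand-in for the registrable domain.
    return ".".join(host.lower().split(".")[-2:])

def domain_in_text(text):
    # The domain the visible link text shows the reader, if any.
    m = re.search(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", text.lower())
    return registered_domain(m.group(1)) if m else None

def find_phishing_signals(html):
    # Return human-readable warnings for mismatched links and pressure language.
    parser = _LinkCollector()
    parser.feed(html)
    warnings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = domain_in_text(text)
        if shown and shown != target:
            warnings.append(f"link text names {shown} but points to {target}")
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    warnings += [f"pressure language: '{p}'" for p in PRESSURE_PHRASES if p in plain]
    return warnings
```

Running `find_phishing_signals(SAMPLE_EMAIL)` flags the mismatched first link and three pressure phrases, while the honest help link passes.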
SA: If you fall for one of these, what's the worst thing that could happen?
Hong: You could lose a lot of money from a bank account or 401(k). There have been cases where people's retirement funds have been wiped out. The companies that run these funds try to get your money back, but sometimes they don't get all of it. In an identity theft, if they create a credit card using your name it could be a real pain to clean up your credit records. If it's a work setting, you might accidentally release corporate secrets or sensitive intellectual property such as software code or diagrams.
SA: Who's behind phishing attacks?
Hong: That's a good question and was the source of debate at the conference I went to in Brazil. In the United States, we're targeted by lots of different groups. Most of them are foreign nationals, Eastern Europe organized crime, people doing corporate espionage in foreign countries and foreign governments.
SA: How have the authorities done at catching the bad guys?
Hong: The good guys are getting better organized in terms of data sharing, law enforcement and international cooperation. But it depends on the country. Outside the United States, unless local Internet service providers are collecting data, it's hard to find out who's launched an attack. If the problem is inside the United States, it's relatively easy to try to catch them. One challenge here is how much damage has been done. If the dollar amount is below a certain threshold, if they only stole one or two people's account information, it's hard to justify putting the resources toward finding out who did it, versus if they took information from 500.
SA: Apart from not going online, which isn't going to happen, how can people protect themselves?
Hong: The most important thing is to get educated about the risks. There are websites such as the National Cyber Security Alliance's Stay Safe Online that teach people about this. The Federal Trade Commission has a site called On Guard Online. E-commerce and bank websites have dedicated pages where they describe what the risks are, give examples of what phishing emails look like and tell you what to do and not to do. Make sure you have anti-virus software that's up to date. That helps a little but not significantly because these attacks go after people, not computers. Education is the main thing.