Phishing for Your Information


Keep You and Your Tweens Safe When Shopping Online

By Linda McCarthy,  Internet Security Family Advocate 

This year, Americans spent $1 billion online on Cyber Monday—the Monday immediately following Thanksgiving’s Black Friday. More online records are expected throughout the season. A full 25% of holiday shopping is expected to be done online. Online retailers are chomping at the bit. Sadly, so are online scam artists.

Phishers in particular are lining up new bait. If you haven’t noticed at least one phishing scam in your in-box this week, you’re probably not paying attention.

What is phishing?

Phishing (pronounced “fishing”) is an attempt to trick you into revealing personal information or financial data. The phishers pretend to represent a company you know and trust.  Because PayPal is used by so many people for secure online transactions, a lot of phishers pretend to be PayPal. They could also pretend to be your bank, a favorite department store, or the company that makes your computer or security software. 

The scams work like this: the phishers send you an email pretending to be from a company you trust. That email will contain a URL or “hot link” that looks like it connects you to that trusted company. What it actually connects you to is a fake website that looks very much like the real one. The idea is to trick you into believing that you’re on the real website so that you’ll log in, giving the phishers your user name and password. If you think you’re at a trusted store, you might even give the phishers your credit card information, thinking that you’re ordering from a company you trust.

Who gets phished?

Nearly everyone. Among those who took the bait were current British energy minister Ed Miliband, the executive of a Midwestern Golf Organization—even an 82-year-old grandmother who used the Internet to sell hand-sewn doll clothes…  Millions more have had close calls.  Last year, FBI Director Robert Mueller admitted that his own wife had banned him from using online banking after a near miss involving a phishing scam.

What about your tween?

While conventional wisdom would suggest that only adults with decent credit limits are targeted by phishers, experience actually suggests otherwise.  A May 2010 study by Kaspersky Lab found that Facebook—definitely a top site for the under 20 crowd—is now the 4th most common target for phishing attacks.  [If you’re curious, targets one to three were PayPal, eBay, and global megabank HSBC.]  If your tween is on Facebook, he or she may already have been phished and not realized it.

While Facebook attacks are annoying, financial attacks can be devastating. With holiday shopping in full swing, your tweens can get hooked just as easily as you can, or more so. While kids may indeed be more computer savvy than their parents, that doesn’t make them savvy about financial scams. For that reason, you should never let your kids use your credit card online. (You would be surprised at how many adults do just that!) With everyone so busy this time of year, we expect to see phishing attacks on social networking sites, banking scams, PayPal scams, Amazon scams, gift card scams, deals too good to be true, and the especially pathetic fake charity scams.

Teens and tweens are also targeted by phishers pretending to represent scholarships or talent searches.  Few kids wouldn’t like to be an American Idol or America’s Next Top Model. Warn your kids that people don’t get selected for these shows by responding to emails.

Recognizing the bait

So how do you avoid the phishing scams? First, you need to understand just how real the fakes look.

You guessed it. This screen is NOT from PayPal. As you can see, the fakes are very convincing. They look so real that up to 20% of the people phished respond to them. How can you tell this email isn’t from PayPal? The “Dear Customer” gives it away. If you have a PayPal account, PayPal actually knows your first and last name. The phisher does not. That’s why phishing emails invariably start with a generic stand-in like “online shopper” or “customer” filling in the space where your name should be.

Did you guess that the URL properties also give it away? Not anymore. In the past, displaying URL properties would reveal the fake destination making it easier to see that you weren’t being sent where you thought you were going. Today, phishers typically use a URL shortening service to display a link that looks safe to click on.
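For readers who filter the family mailbox, here is an added example (not part of the original article) that checks an HTML email for the signs described above: a generic greeting, a shortened link, and link text that names one site while pointing to another. The shortener list, greeting patterns, function names and sample email are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, non-exhaustive lists (assumptions, for illustration only).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
GENERIC = re.compile(r"^\s*dear\s+(valued\s+)?(customer|online shopper|member)\b", re.I | re.M)
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname without a leading 'www.'; '' if there is none."""
    h = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def phishing_signals(html_body):
    """Return a list of warning strings for one HTML email body."""
    findings = []
    if GENERIC.search(re.sub(r"<[^>]+>", "\n", html_body)):
        findings.append("generic greeting instead of your name")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, shown in parser.links:
        target = host(href)
        if target in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        elif URLISH.match(shown) and host(shown) != target:
            findings.append(f"link text says {host(shown)} but goes to {target}")
    return findings

# Constructed sample email; example.net is a reserved documentation domain.
SAMPLE = ("<p>Dear Customer,</p><p>Your account is limited. "
          '<a href="http://bit.ly/EXAMPLE">Restore access</a> or visit '
          '<a href="http://login.example.net/pp">www.paypal.com</a>.</p>')
print(phishing_signals(SAMPLE))
```

An empty result does not prove a message is genuine; it only means none of these three signs were found.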


Ten Rules to keep you safe online

Before you and your tween start planning your Cyber shopping itinerary, tack up these 10 Rules next to your computer to protect you from phishers:

1) Delete scams without reading.  When you see a phishing scam email, DELETE it ASAP. Ideally, you’ll want to delete these emails without even opening them.

2) Don’t click on links inside emails.  Take the extra 30 seconds to type in the address of the website you want to visit.  If you type in, you can be sure that you’re actually ON   Never enter your user name and password on a site that you didn’t navigate to on your own.

3) Never open email attachments.  The ones that don’t infect your computer with adware may just run a script that redirects your web browser to fake screens.

4) Keep your numbers to yourself.  Legitimate banks and ecommerce sites never send out emails requesting your account numbers. Your bank already KNOWS your account number! 

5) Watch out for “super deals”.  If it sounds like it’s too good to be true, it probably is. Consumers are already being warned about iPad scams this holiday.  Be very careful about super bargain sites also. There’s nearly always a catch.

6) Don’t shop online from a public Wi-Fi. Public places are not good locations for financial transactions.

7) Watch out for gift card scams. There are strangely a lot of ways to commit gift card fraud.  To play it safe, purchase gift cards in stores and not on the Internet.

8) Don’t let your kids use your credit card online.  Online scammers can fool even pretty savvy adults. Allowing teens and tweens to shop online may be asking for trouble. By all means let your kids browse online, but don’t just hand over your credit card.  Step them through the actual purchase as YOU make it, pointing out how you know that the site is safe to buy from.  Consider your online shopping trip a teachable moment.

9) Check your credit card statements.  Holiday phishers count on catching you busy and off guard.  You’re probably using your credit card more than usual at this time of year, so it’s worth checking your statement carefully for any charges you weren’t expecting.

10) Keep your software up-to-date.  If the browser and security software that came with your computer last Christmas have not been updated, now’s the time to update them BEFORE you start shopping online.  New scams emerge daily during the holiday shopping season, so make sure that your security software is able to keep up.

Follow these 10 Rules and you’ll find yourself fully armed, informed and protected from phishers. Happy shopping!


About the Author

Linda McCarthy is an accomplished author and computer security expert with 20+ years experience in security auditing, consulting, and training. The former Senior Director of Internet Safety at Symantec, McCarthy’s corporate experience has included positions as VP of Professional Services at Recourse Technologies, and Manager of Security Research and Development at Sun Microsystems. She also founded the front-line security firm, Network Defense. McCarthy received the prestigious Women of Influence award for computer security from CSO Magazine and Alta Associates, an award honoring outstanding achievement in security, privacy and risk management. She has also written extensively on security topics. McCarthy’s published works include IT Security: Risking the Corporation and Intranet Security: Stories from the Trenches.

Seeing the shift in attacks moving from corporate networks to home networks around 2004, McCarthy developed an internet education outreach program for teens at Symantec, working under the Office of the CTO. In 2006, she then published Own Your Space: Keep Yourself and Your Stuff Safe Online, a book specifically written for teens and their families.

Realizing that every family needs access to computer security training, McCarthy published the expanded and fully updated 2010 edition of Own Your Space under Creative Commons Licensing. With the help of corporate sponsors, Own Your Space is now available worldwide for free download from various corporate, non-profit, and social networking sites, including Facebook,  MySpace and Microsoft.

While continuing to update and expand the Own Your Space project, McCarthy appears frequently as a guest blogger on various sites and continues to work with companies around the globe to help educate families about security.