Tech Notes: Gone Phishing
Reporting from the front lines of IT, Sam Kome, Manager of Library Information Technology:
Gone Phishing

The other morning I read a blog entry about a large passenger train company (rhymes with Spamtrak) that was innocently sending out email messages with the intention of making their customer accounts more secure. They were concerned, they said, with customers confusing bogus, scam emails with legitimate company correspondence. So they wanted their customers to verify their account information (Alert!) by sending in some unique pieces of information (Yellow Alert!) by clicking on the included link (Orange Alert!). A brief examination of the link showed that it did not go back to the company’s site at all, but to a third party (RED ALERT!). The account managers may have had the best intentions, but this was a terrible execution. Let's break it down with a simple mental exercise.
We’ll replace the word, “email” with the word, “postcard,” and we’ll call the company, “Bland’s End” (a famous clothing catalog).
It has come to the attention of Bland’s End executives that some of their customers have received letters on Bland’s End letterhead, directing them to write all their billing information, including credit card information, onto a postcard and send it to a known flim-flammer’s address. One in ten customers complied.
What to do? Bland’s End customers suddenly are losing money and blaming Bland’s End. The executives cook up a plan to give each customer a secret code by which they may recognize official Bland’s End correspondence. Each customer needs to be verified so they can always be matched to the right code and so no secret codes go to the scam artist, who might then figure out how to make all the real codes.
The mass mailing will be a big job, and expensive, so these execs decide to hire an expert, RealID Inc.
To save some cash (and boost their profit) RealID Inc sends a postage-paid postcard to all the Bland’s End customers with instructions to fill in their name, address, and some financial details and return it to RealID for processing.

Now catalog retail is very mature in the USA and this scenario would not play out. But this scenario is common in online retail, which is really no different from buying by catalog.
If I were to send a check to Bland's End, I would put it in a sealed envelope and hand address it, carefully writing in the payee's name. I would not staple a blank check or credit card number to a postcard.
Postcards are more secure than email messages.
A postcard is obviously an insecure way to transmit secret information. It makes no effort to hide its content. An email message is even less secure because, in addition to lacking any sort of envelope, there are numerous opportunities for a bad actor (I’m talking about a crook, not Kevin Costner) to intercept and copy it along the way.

All unsolicited email is spam
If a can of luncheon meat appeared unbidden in your mailbox, would you open it and eat it? Probably not, even if you were hungry.

All unsolicited nosy email is a scam
We all get phone calls, usually at dinnertime, from very friendly strangers who want to ask us all about product/company/candidate XYZ, and get some details so they can send more information. This practice is an annoying invasion of privacy, and often fraudulent. The best defense is to refuse the conversation. The same is true for unsolicited emails.

How to recognize a phishing message
It’s unsolicited, and it asks you to click on a link in the message, or reply with personal information. Legitimate communication should not ask anyone to click links, because of the ease with which bogus links can be disguised.

Some legit messages will look like scams.
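As an added example (not code from the original post), here is a small Python check that does what the "brief examination of the link" above did by hand: for every link in an HTML message body it compares the address the reader sees with the address the link actually goes to, and separately flags any link whose target is outside the sender's own domain. The sender domain, the sample message and the placeholder hostnames (`spamtrak.example`, `realid-processing.example`) are constructed for illustration only.

```python
"""Flag disguised or off-domain links in an HTML e-mail body.

Added example; the sender domain, sample message and hostnames are
constructed for illustration and stand in for the companies in the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so "www.spamtrak.example\n/verify" reads as one token.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def looks_like_url(text):
    """True if the anchor text itself reads as a URL or bare domain name."""
    return bool(_URL_LIKE.fullmatch(text.strip()))


def host_of(url_like):
    """Hostname of a web URL, or of a bare domain such as 'www.example.com'."""
    parts = urlsplit(url_like.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return ""  # mailto:, javascript:, tel: and the like carry no web host
    if not parts.scheme:
        parts = urlsplit("http://" + url_like.strip())
    return (parts.hostname or "").lower()


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.

    Good enough for .com-style names; a production check should consult the
    Public Suffix List so that shop.example.co.uk is not reduced to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspicious_links(html, sender_domain):
    """Return (href, text, reason) for each link a reader should not trust."""
    collector = _LinkCollector()
    collector.feed(html)
    sender = registrable_domain(sender_domain)
    findings = []
    for href, text in collector.links:
        target = registrable_domain(host_of(href))
        if not target:
            continue  # mailto:, in-page anchors and similar carry no web target
        # Displayed address and real target disagree: the classic disguised link.
        if looks_like_url(text) and registrable_domain(host_of(text)) != target:
            findings.append((href, text, "displayed address differs from link target"))
        # Plain link text, but the target belongs to someone other than the sender.
        elif target != sender:
            findings.append((href, text, "link leaves the sender's domain"))
    return findings


# Constructed sample: a "verify your account" message of the kind described above.
SAMPLE_SENDER_DOMAIN = "spamtrak.example"
SAMPLE_HTML = """
<p>To protect your account, please verify your details at
<a href="https://verify.realid-processing.example/form">https://www.spamtrak.example/verify</a>
or read our <a href="https://www.spamtrak.example/help">help page</a>.</p>
<p><a href="https://realid-processing.example/start">Verify now</a> or
<a href="mailto:help@spamtrak.example">email us</a>.
<a href="https://support.spamtrak.example/">Support</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_HTML, SAMPLE_SENDER_DOMAIN):
        print(f"{reason}: '{text}' -> {href}")
```

On the sample message the check reports two links: the one whose visible text claims to be the company's site while pointing at the third-party processor, and the plain "Verify now" link that goes to the processor outright. The "help page" and "Support" links stay quiet because they remain on the sender's domain. The point of the second rule is the one the post makes: even an honestly intended link that sends customers to a third party looks exactly like a scam from the recipient's chair.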
— michael | March 27, 2008 04:24 PM | The more you know
