Phishing -- another threat of the Internet
You may have been a victim of phishing if you ever responded to an email from someone claiming to be a legitimate financial institution. The scam goes as follows: you receive an email from what appears to be your bank. An alleged representative of your bank has included an invitation to verify your personal information. The representative may claim to be correcting a financial transaction or something similar. "In order to serve you better," they claim, "you must log on to your account and verify the information in your account." For security purposes, they ask that you supply additional information to make sure this is really you. Besides, you wouldn't want just anyone gaining access to your account by simply clicking on a link, would you? So this request seems perfectly reasonable. Therefore, you answer all the security questions, providing your Social Security Number, bank account number, credit card number, expiration date, etc. You then click on the Submit button. After a few moments, another screen appears with a message stating everything is OK, the information is correct, and thank you. This, of course, makes you feel all fuzzy inside and you go on your way.

Unfortunately, you have just been phished. Here's what really happened. First, you clicked on a link that was included in an email from support@yourbank.com. Then, the link opened a browser window at http://yourbank.verifycustomer.com. This looks legitimate, doesn't it? Let's substitute "yourbank" with a real institution so you can see what happened. You received an email from support@wellsfargo.com. The link took you to http://wellsfargo.verifycustomer.com. The screen you saw was branded with all the right logos, so it did not look suspicious at all.

How did you fall into the trap? I will explain. support@wellsfargo.com is what you see as the reply address, but the sender's email address is actually souport_bk344@somewhereelse.com.uk (this address is just an example).
It is easy to make someone believe they are getting an email from someone else. If you have ever set up your own email account with Outlook Express or a similar email client, the "wizard" asks what you would like your recipients to see when you send an email. It provides an example like "John Smith"... so naturally you put your real name. On the other hand, if you were devious or tried to hide your real identity, you could and would put anything you want in that box, such as "Wellsfargo Customer Support." When you send email from this account and your friend receives it, it will appear as if it is from: "Wellsfargo Customer Support" -- to: yourfriend@yahoo.com. However, if you inspect the email headers you will see the true identity of the email sender, but usually no one really bothers to do that. So, your unsuspecting friend will think this is an email truly coming from "Wellsfargo Customer Support."

The second part of the trap is the phony website address. You probably already noticed that the address ends in verifycustomer.com. Yep. That is the real destination of the web link. What throws us off is the http://wellsfargo before the .verifycustomer.com.

I am going to take a little time to explain what all those words mean, so bear with me. The "http" is just a hint to your Internet browser that the content of this page is a specific format. "http" = hyper text transfer protocol. You don't need to know this as the viewer. Your Internet browser takes care of the details. "://" tells the browser where to get the information from. In this case, the information is from wellsfargo.verifycustomer.com. ".com" is simple yet complicated to explain. ".com" is associated with commercial websites, ".org" with organizations, ".net" with networks, and so forth, but not necessarily. Anyone can purchase a ".com" or any other domain. This is all said to note that it is not very important -- except that it gives us a clue as to where it is geographically located.
If the address ends in ".com", the server is most likely located in the US. Back to the rest of the web site name. verifycustomer.com is the real name of the website domain. The "wellsfargo" before that is just a decoy. "wellsfargo", in terms of convention, can be an actual computer with the name "wellsfargo" or simply part of an alias for "verifycustomer.com." If you do not want to be deceived by the name of the website, then always make sure that the name ends in "wellsfargo.com" (or the name of your financial institution, etc.) and not "wellsfargo.somethingelse.com".

You can best protect yourself by following these guidelines:

1) Never supply any personal information to anyone in an email or web link, no matter how legitimate it sounds or looks, unless you instigated the request. Remember -- financial institutions will NEVER ask you to verify anything via email or phone -- unless you initiated the conversation with your bank.

2) If it sounds fishy, it probably is... too good to be true? Yes. Verify the legitimacy of that email before acting on it. Report the email to your institution by sending them an email yourself. Make sure this is a new email that you initiated and that you hand-typed the email address, "reportfraud@wellsfargo.com" for example. DO NOT simply reply to the email or click on a link that suggests reporting fraud. The reply or link may take you elsewhere. That is why it is very important that YOU TYPE your financial institution's address yourself.

I hope this helps you email and surf safer. If you do not understand any part of this article, or would like additional information, please feel free to Ask Juan.
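
The two checks described in this article, shown as an added example that is not part of the original article: the script reads the real sender address from the headers instead of trusting the display name, and tests whether each link's host name actually ends in the institution's domain. The sample message is constructed from the article's example addresses, and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message, built from the example addresses in the article.
SAMPLE = """\
From: "Wellsfargo Customer Support" <souport_bk344@somewhereelse.com.uk>
Reply-To: support@wellsfargo.com
To: yourfriend@yahoo.com
Subject: Please verify your account

In order to serve you better, log on here:
http://wellsfargo.verifycustomer.com
"""

def host_belongs_to(host, expected_domain):
    """True only if host IS expected_domain or ends in '.' + expected_domain."""
    host = (host or "").lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)

def check_message(raw, expected_domain):
    """List the mismatches in a message that claims to come from expected_domain."""
    msg = message_from_string(raw)
    findings = []
    # The display name is free text chosen by the sender; the address is what counts.
    display, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2]
    if not host_belongs_to(sender_host, expected_domain):
        findings.append(f"From shows {display!r} but the address is {sender}")
    # A reply address that differs from the sender is another warning sign.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != sender.lower():
        findings.append(f"Reply-To {reply} differs from sender {sender}")
    # Judge every link by the END of its host name, never by the beginning.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname
        if not host_belongs_to(host, expected_domain):
            findings.append(f"link goes to {host}, not {expected_domain}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE, "wellsfargo.com"):
        print(finding)
```

The comparison includes the leading dot on purpose, so a look-alike such as "notwellsfargo.com" is not accepted as part of "wellsfargo.com".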