Phishing Expeditions and Hard Drive Hygiene

How you can protect yourself from e-mail fraud schemes and computer viruses, plus the hidden pitfalls of your hard drive.

Internet crime is a growing problem. The Federal Bureau of Investigation's Internet Fraud Complaint Center (www.ifccfbi.gov) reported processing over 120,000 complaints in 2003, compared to 75,000 in 2002, a 60 percent increase.

The most popular crime, fraudulent Internet auction sales, accounted for 46 percent of the complaints. Thirty-one percent of complaints were for non-shipment of purchased merchandise. Credit card fraud ranked third, at 12 percent.

More sophisticated criminals have begun "phishing" (pronounced "fishing") for victims. Phishing uses spam, often propagated by an e-mail virus or worm, to defraud unwary recipients. The e-mail appears to come from a legitimate business and instructs the recipient to submit sensitive information to a counterfeit Web site.

My first phishing experience was an official-looking e-mail allegedly from PayPal. The e-mail stated that my account would be terminated unless I submitted my credit card number to a decoy PayPal Web site. Two things tipped me off that the e-mail was a scam. First, the e-mail was sent to my office e-mail address, not the e-mail address registered with PayPal. Second, I received 10 copies of the e-mail, obviously virus-generated spam.

Another phisher sent me two "BankOne" e-mails. The e-mail told me to log in to my account "due to recent fraud attempts" to check if funds were missing. I don't have an account with BankOne, but I wonder how many customers submitted their bank account login name and password to the fraudulent Web site.

Descriptions of 18 other phishing scams, all from October through December 2003, are available on the Phishing Archive Page at anti-phishing.org. Take a few minutes and review each scam. Notice how the Web site address displayed in the browser address field is not the official address for the company (anti-phishing.org/phishing_archive/paypal_11-24-03.htm). Or that the con artist "spoofs" the Web site address using a flaw in Microsoft Internet Explorer (anti-phishing.org/phishing_archive/Earthlink_12-20-03.htm).

How can you protect yourself against phishing attacks? The Federal Trade Commission (www.ftc.gov) recommends:

  • If you get an e-mail warning you, with little or no notice, that an account of yours will be shut down unless you reconfirm your billing information, do not reply or click on the link in the e-mail. Instead, contact the company cited in the e-mail using a telephone number or Web site address you know to be genuine.
  • Avoid e-mailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
  • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.
  • Report suspicious activity to the FTC. Send the actual spam to [email protected]. If you believe you've been scammed, file your complaint at www.ftc.gov, and then visit the FTC's Identity Theft Web site (www.ftc.gov/idtheft) to learn how to minimize your risk of damage from identity theft.

But you should do even more. Since phishing expeditions use virus-propagated spam, protect your computer from viruses and spyware.

First, update your operating system software with the latest security patches. Microsoft Windows users should install all the critical security patches available at www.windowsupdate.com. Microsoft releases patches on a monthly schedule to correct all known weaknesses exploited by crackers.

While security problems are rare for Apple Macintosh users, they can happen. Macintosh OS X users need to install the security update available at www.info.apple.com.

Once your software is up-to-date, test your firewall using Steve Gibson's ShieldsUp and LeakTest utilities. If your firewall can't pass the tests, install a free copy of ZoneAlarm available at www.zonealarm.com.

Next, install and use antivirus software that scans incoming e-mail for viruses and other vermin. Norton Antivirus (www.norton.com) and McAfee Virusscan (www.mcafee.com) are two popular choices. Make sure to update your virus definitions and scan your computer regularly.

Periodically check your computer for spyware. My favorite spyware scanner is PestPatrol (www.pestpatrol.com). Norton Antivirus and McAfee Virusscan users can upgrade to the latest versions, which now include spyware protection.

Finally, educate yourself on computer security risks and countermeasures. The "Home Network Security" page (www.cert.org/tech_tips/home_networks.html) provides an excellent overview of network security measures suitable for home and small business networks.

Eliminating spam is difficult. According to MessageLabs (www.messagelabs.com), spam accounted for 1 of every 2.5 e-mails in 2003, up from 1 in 11 in 2002. More than two-thirds of all spam was sent through hijacked computers, without the knowledge of the owners. MessageLabs estimates spam will account for 70 percent of all e-mail in 2004.

While you won't eliminate spam, improving security will minimize your chances of becoming a victim of virus-generated e-mail spam.

Hard Drive Hygiene

Computers, like cars, typically have a three- to five-year replacement cycle. Yes, there are people like me driving 10-year-old vehicles. But few of us drive 10-year-old computers. Sooner or later, we are faced with disposing of an old computer, a computer used to manage business and financial records, client reports and other sensitive information.

Believe it or not, most people dispose of or recycle computers without taking the time to erase sensitive information from the hard drive. Two MIT graduate students found that only 12 of 158 hard drives were properly cleaned (www.computer.org/security/garfinkel.pdf) before disposal. The students were able to recover financial records, credit card numbers and medical records from the drives.

Deleting files or formatting a drive leaves enough information behind to allow data recovery (www.cs.auckland.ac.nz/pgut001/pubs/secure_del.html). Cleaning a drive requires special software that "sanitizes" or "scrubs" a drive by repeatedly overwriting the drive with random data.
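The difference between deleting and sanitizing can be seen on a small scale. The following is an added example, not part of the original article and not the code of any product named here: it models a drive as a small image file, performs a FAT-style delete (which only marks the directory entry with 0xE5), scans the raw image for readable text, then overwrites every sector with random data and scans again. All function names and the sample record are constructed for illustration.

```python
import os
import re
import tempfile

SECTOR = 512
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{24,}")  # 24+ printable bytes in a row
RECORD = b"Constructed record: client ledger, card ending 0000, balance due"

def build_sample_image(path, sectors=64):
    """Constructed sample: a tiny raw 'drive' holding one file."""
    image = bytearray(SECTOR * sectors)
    image[0:11] = b"CLIENTS TXT"                          # directory entry, sector 0
    image[SECTOR * 8:SECTOR * 8 + len(RECORD)] = RECORD   # file data, sector 8
    with open(path, "wb") as f:
        f.write(image)

def ordinary_delete(path):
    """Model of a FAT-style delete: mark the directory entry, leave the data."""
    with open(path, "r+b") as f:
        f.write(b"\xe5")

def recoverable_text(path):
    """Scan the raw image for readable text, ignoring the directory entirely."""
    with open(path, "rb") as f:
        return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(f.read())]

def sanitize(path, passes=3):
    """Overwrite every sector with random data, flushing each pass to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for _ in range(size // SECTOR):
                f.write(os.urandom(SECTOR))
            f.flush()
            os.fsync(f.fileno())

def demo():
    """Return the text recoverable after a delete and after sanitizing."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        ordinary_delete(path)
        after_delete = recoverable_text(path)
        sanitize(path)
        return after_delete, recoverable_text(path)
    finally:
        os.remove(path)
```

After the delete the record is still readable in full; after the overwrite the scan finds nothing. The same scan run against an image of a real drive is a quick way to confirm that a sanitizing tool did its job.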

East-Tec's DiskSanitizer (www.east-tec.com) and the freeware Autoclave (staff.washington.edu/jdlarios/autoclave/install.html) run from a bootable floppy and sanitize an entire hard drive prior to disposal or recycling. Other programs, like CyberScrub (www.cyberscrub.com) and Norton Utilities' Complete Delete, sanitize individual files.

Sanitizing an entire drive takes time, but it beats placing sensitive information in the hands of strangers.

Contributing Editor Michael Blotzer, MS, CIH, CSP is an occupational hygiene and safety professional, writer and computer enthusiast who brakes for animals on the information superhighway. He can be reached by mail addressed to Occupational Hazards, by fax at (309) 273-5493, or by electronic mail at [email protected]
