Watch out for fake email messages!
Here is one I received recently:
[NAME REMOVED] shared a link on your Wall.
My gosh you have to see this baby its the funniest thing every!!!
Funniest Baby On The Net Be Ready To Cry of Laughter
Laugh so hard that you cry with these funniest videos on the net.
This message contained a link that looked just like the Facebook log-in page. I almost fell for it, until I looked at the address bar. It didn't show facebook.com, but some other site. This is called phishing. Beware!
Here is another one I received recently:
"Your Authorize online service has expired. If your intention is to remain a Authorize customer please begin the activation sequence as soon as possible. Failure to update your information will lead to the permanently suspension of your account. Click here to Log-in to your account and update your information."
This is an example of Phishing, the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity. Trust your instincts. If an e-mail message looks suspicious, it probably is.
This was an easy one to ignore since I don't have an authorize.net account. However, I have received similar messages from Facebook, PayPal, and American Express. Although these messages appear to come from legitimate businesses, they are fakes.
First clue: most of these messages contain misspelled words, so look for those first.
A second BIG clue is that no legitimate business is ever going to send you an email message asking you to update your contact information by clicking a link. They will send you all types of other messages (welcome to your new account, links to the service center, links to the FAQ, etc.), but most will never request account information via an email message.
The third clue: If you do click the link, pay attention to the web address that shows in the status window. The above link led to authorize.pttwebservices.com, which is not the same as authorize.net. This is a hacker at work. The links that you are urged to click may contain all or part of a real company's name, but the link is actually taking you to a phony Web site.
A short intro to domain names
Anyone can purchase a domain name and web hosting for that name. Hackers can create a subdomain on their own domain using a legitimate name. They may create sears.myaccounts.com, or paypal.commercial.com. The dot in the middle of the name indicates that you are accessing a subdomain of the name to its right. The actual domain name is the part that ends in .com, .net, or .org. A legitimate business may use subdomains, but their main domain name will be paypal.com, or sears.com. Thus, messages from accounts.sears.com are legitimate, while messages from sears.accountcentral.com are fake. Also look for misspellings in domain names -- micosoft.com is not microsoft.com.
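The check described above can be automated. The following is an added example, not part of the original article: it reads a link's host name from right to left, compares the registered domain with a list of sites you actually use, and flags brand names used as subdomains and near-miss spellings. The `TRUSTED` list, the function names and the two-label domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Sites the reader really has accounts with (assumed list, built from the
# article's own examples).
TRUSTED = {"sears.com", "paypal.com", "microsoft.com", "authorize.net"}

def registered_domain(url):
    """Return (registered domain, list of subdomain labels) for a link.
    Assumption: the registered domain is the last two labels. Production
    code should consult the Public Suffix List (e.g. for example.co.uk)."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def edit_distance(a, b):
    """Levenshtein distance, used to catch small misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Label a link as trusted, brand-in-subdomain, lookalike or unknown."""
    domain, sub_labels = registered_domain(url)
    if domain in TRUSTED:
        return "trusted"
    # A trusted brand name appearing only to the LEFT of someone else's domain.
    brands = {t.split(".")[0] for t in TRUSTED}
    if brands & set(sub_labels):
        return "brand-in-subdomain"
    # One or two characters away from a trusted domain.
    if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links using the host names mentioned in the article.
    for link in ("http://authorize.pttwebservices.com/login", "accounts.sears.com",
                 "sears.accountcentral.com", "micosoft.com"):
        print(f"{link:45} {classify(link)}")
```
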
A friend's Yahoo account was recently hacked in just this way. She responded to an email requesting that she click a link to update her account information. When she did this she was presented with a page that looked exactly like Yahoo's log-in page.
Once she logged in on the fake site the hacker had everything he needed. The hacker changed her password, locking her out of her account. The hacker then sent a message to all of the contacts in her address book.
The message stated that Tina, my friend, was traveling abroad when her purse was stolen, and that she desperately needed me to send her money so she could return home. Many of us who received this message thought it was a bit suspicious and replied with questions that only Tina would know the answer to. Others thought the message was a serious request for help.
Social networking sites have recently become a target for phishing. Once in, a hacker has access to all types of personal information about you. Facebook users and Myspace users are prime targets. Always be suspicious of any official-looking messages. The best thing to do is to never click a link in an email message. Instead, access your online accounts the way you normally do, via a bookmark in your browser. That way you can see for yourself if your account information needs updating.
Third point: These big legitimate corporations are not really concerned with you being able to access your account. Chances are that if you have trouble accessing your account, you will need to contact them. They will not send you an email to make sure that you (out of the 300,000 accounts that they manage) can access your account. Some messages urge you to act immediately by saying that an account will be closed in 48 hours if you don’t take action. Don't do it. Call your bank or financial institution. They wouldn't send you an email message if it was that urgent.
Also note: You did not win the lottery held in Great Britain. If you didn't enter a lottery there, why do you think you won something? You are not the new trustee for 1 million dollars from a Ugandan prince in exile. No one needs your help in getting their funds out of another country. There is no group of 20 German tourists that need to make reservations at your bed and breakfast. Likewise, no one in Brazil wants to purchase 1,000 of the things you have for sale on your website. All they want is your bank account information, and once they have that you are done for.
Recent phishing attempts
Phishers are targeting the customers of banks and online payment services. E-mails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers. While the first such examples were sent indiscriminately in the expectation that some would be received by customers of a given bank or service, recent research has shown that phishers may in principle be able to determine which banks potential victims use, and target bogus e-mails accordingly. Targeted versions of phishing have been termed spear phishing. Several recent phishing attacks have been directed specifically at senior executives and other high profile targets within businesses, and the term whaling has been coined for these kinds of attacks.
Social networking sites are now a prime target of phishing, since the personal details in such sites can be used in identity theft; in late 2006 a computer worm took over pages on MySpace and altered links to direct surfers to websites designed to steal login details. Experiments show a success rate of over 70% for phishing attacks on social networks.
Attackers who broke into TD Ameritrade's database (containing all 6.3 million customers' social security numbers, account numbers and email addresses as well as their names, addresses, dates of birth, phone numbers and trading activity) also wanted the account usernames and passwords, so they launched a follow-up spear phishing attack.
If you think you're the victim of phishing, report the incident. Contact your credit card company if you have given out your credit card information. Reporting that your account may be compromised and closing the account should be your first step. The sooner a credit card issuer knows, the easier it will be for them to help protect you.
Send the entire fraudulent message to the company that's been misrepresented. Remember to contact the organization directly, not through the e-mail message you received. Find out if they have a special e-mail address to report such abuse.
You can also report the phishing scam to the Anti-Phishing Working Group at email@example.com and to the FTC at firstname.lastname@example.org.
Please be suspicious of all email messages, even if they look like they came from someone you know.
USA Banks Targeted:
Bank of America
First Union Bank
Top Ten Phishiest Countries
2 Sri Lanka
8 Palestine Territory, Occupied
Here are a few phrases to look for if you think an e-mail message is a phishing scam.
"Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail message from Microsoft asking you to update your credit card information, do not respond: this is a phishing scam.
"You have won the lottery." The lottery scam is a common phishing scam known as advanced fee fraud. One of the most common forms of advanced fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies, such as Microsoft. There is no Microsoft lottery.
"If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing e-mail message might even claim that your response is required because your account might have been compromised.
Keep your account information up to date and secure!