

College of Liberal Arts E-News: Biweekly news from the College of Liberal Arts

Constant Vigilance: Protect Yourself from Phishing Schemes


You are being attacked. Right now, criminals are trying to steal your identity--maybe they already have.

I am a victim of identity theft. I almost said "I was a victim" as it happened five years ago, but once your identity has been stolen you never get it back.

Many of you who read this are also victims--and, unfortunately, many of you don't even know it. No matter how many billions of dollars are lost to identity theft each year nationally, when it happens to you, all you care about is your own lost time and money (estimated to be hundreds of hours and hundreds of dollars on average). With all the phone calls, forms, research, and general lack of answers, it can be an absolute nightmare trying to clean things up.

Your identity (some combination of name, social security number, credit card number, username, password, and/or address) is likely worth a lot to you, but identity theft has become so rampant that it is hardly worth a single dollar on the black market. It is just too easy for thieves to steal it. And once they have it, it is all too easy to take your money or conduct illegal activities in your name.

Most of us are not in a position to stop theft at the "bulk level"--the stealing of whole databases or customer lists from banks and other organizations--but we can make it harder for thieves at the individual level. Today, I'll talk about one type of attack, phishing, and how to protect against it.

Smells Phishy
Phishing illustration courtesy of Cipher Giest from http://www.flickr.com/photos/ciphergiest/415700465/

You've likely received messages that made you skeptical: something written to make you scared or worried enough to hand over your money or personal information. Unless you have never used email, you know what I'm talking about.

It's great that you were skeptical. The Internet is a dangerous place (wonderful, yes, but dangerous) and we need to be vigilant. You may have asked your tech about what to do, or you deleted the message without a second thought. But what worries me more is the scam you may not have recognized. Identifying a message or website as a phishing scam is getting increasingly difficult.

Q. What is "phishing"?

According to the U's Safe Computing website:

Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, and other sensitive information.

Check out the Wikipedia page for more details and background.

Q. How do I protect myself?

* Practice constant vigilance. Be skeptical. If it smells like phish, it likely is.

* Never send your personal information through email, especially your password, your social security number, credit card number, or bank account numbers.

* Confirm the sender's identity through other means--for example, by phoning them at a number you already have, not one printed in the message.

* Don't click that button! Never click on a link in a message about one of your bank, shopping, or University accounts. If you have an account with the organization, go to the site as you normally would (type the address or use your own bookmark) instead. The text of a link and the address it actually leads to can be completely different.

Read more on the Anti-Phishing Working Group (APWG) website.

Q. How do I recognize a phishing scheme?

By definition, a phishing scheme has to seem legitimate to be successful. The poorly designed messages or websites are fairly easy to recognize, once you know what to look for. But schemers are getting better, and their messages and websites no longer have the telltale spelling and grammar errors. Telling the difference between real and fake is getting harder.
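As an added illustration (written for this column, not part of the original post and not a University tool), here is a short Python script that does mechanically what "don't click that button" asks you to do by eye: it pulls every link out of an HTML message and compares the text you see with the address you would really be sent to. The sample message, the account-verify domain, and the "trusted" list at the top are all made up for the example; substitute the domains you actually use.

```python
"""Inspect where the links in an HTML email really lead.

Illustrative code for this column. The sample message, the hostnames in it,
and TRUSTED_DOMAINS are constructed for the example and are not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short personal list of domains you actually hold accounts with.
TRUSTED_DOMAINS = {"umn.edu", "examplebank.com"}

# Visible link text that looks like a web address (so it can be compared
# against the real href); plain words such as "click here" do not match.
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'login.umn.edu' -> 'umn.edu'.
    Good enough for this demo; real code should consult a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_link(text, href):
    """Return a list of warnings for one link; an empty list means nothing odd."""
    warnings = []
    host = (urlsplit(href).hostname or "").lower()
    target = registered_domain(host)

    # 1. The visible text is itself a web address, but it names a different
    #    site than the one the link really goes to.
    if URLISH.match(text):
        shown = urlsplit(text if "://" in text else "http://" + text).hostname
        if shown and registered_domain(shown) != target:
            warnings.append(f"text shows {shown} but the link goes to {host}")

    # 2. A trusted name appears as a *subdomain* of somebody else's domain
    #    (e.g. umn.edu.something-else.net), a classic lookalike trick.
    for trusted in TRUSTED_DOMAINS:
        if "." + trusted + "." in "." + host:
            warnings.append(f"'{trusted}' is used as bait inside {host}")

    # 3. A bare IP address instead of a hostname.
    if host.replace(".", "").isdigit():
        warnings.append(f"link goes to a raw IP address {host}")

    return warnings


def scan_email(html):
    """Return [(visible text, href, warnings), ...] for every link in the message."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href, check_link(text, href)) for text, href in collector.links]


# Constructed sample message; the hostnames are invented for the example.
SAMPLE_EMAIL = """
<p>Your University account will be suspended. Verify now at
<a href="http://umn.edu.account-verify.example.net/login">https://www.umn.edu/login</a>
or <a href="http://192.0.2.10/x">click here</a>.</p>
<p>Newsletter: <a href="https://www.umn.edu/news">www.umn.edu/news</a></p>
"""

if __name__ == "__main__":
    for text, href, warnings in scan_email(SAMPLE_EMAIL):
        status = "OK" if not warnings else "; ".join(warnings)
        print(f"[{text}] -> {href}\n    {status}")
```

In the sample, the first link is flagged twice (its text claims to be umn.edu while the address is another site, and "umn.edu" appears as bait inside that address), the "click here" link is flagged for pointing at a raw IP address, and the genuine newsletter link passes. The same checks are what you would do by hand: hover over the link, read the real address, and ask whether the part just before the first slash is really the organization you think it is.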

The general protection guidelines above are always useful, but it is worth your time (and money) to research the topic even more. In addition to the APWG website, I found the Phishing and Spam IQ Quiz to be very informative. It provides real-world examples of phishing messages and how to identify them. I passed the quiz but found it difficult. Make sure you read the explanations for each question at the end. Note: I am NOT endorsing the products sold on the website, just encouraging you to take the quiz.

Q. What should I do if I receive a phishing message?

Report it. Organizations that fight phishing schemes need this information to help others. Even a common or obvious message is useful to identify trends and to target the criminals who send the messages. Report phishing to the U.S. Computer Emergency Readiness Team at phishing-report@us-cert.gov.

If a message specifically targets the University, forward it to phishing@umn.edu.

Q. What if I "fell for it" and took the bait?

The good news is that you know exactly what information you exposed. Act quickly to block access to the affected accounts: change their passwords (and the password on any other account where you reused the same one), and alert your bank or the other organizations involved about the breach.

The above mentioned APWG website has very specific instructions for mitigating the effects of exposing your personal information. Begin there and get additional help.

Q. What if I am the bait?

As I said above, schemers need to look legitimate to be successful. One of their more effective techniques is to aim a message at a specific person and use the name of someone that person knows as the requester of the information or money. This targeted approach is called "spear phishing," and it works far more often than generic mass mailings. If they used your name and information to target your friends, peers, or family, it is possible that one of your accounts has been compromised. Change your passwords immediately, warn those who may have received the message that it was not legitimate, and get technical help to further protect yourself.

Identity theft can happen to the best of us. Even Alastor "Mad-Eye" Moody was a victim. Constant vigilance!
