When You Can't Tell The Phishing Emails From The Legit Ones, Just Ignore Them All

from the smart-security dept

Phishing is a common way for criminals to try to steal people's passwords or other personal information, and it depends on phishers crafting emails and fake sites that look enough like the real thing that people will willingly surrender their information. Banks and authorities are obviously aware of phishing, but that doesn't stop them from undermining their online security efforts, as well as their online products, by sending out legit emails that look like phishing attempts. The latest instance sees some British cybercrime police attempting to notify more than 2,000 people in the country that their personal information, including credit card numbers, had been stolen. They get an A for effort, but an F for execution, since they're letting people know by sending them an email and asking them to get in touch -- which plenty of people aren't doing, because it sounds an awful lot like a phishing scam. The rise of phishing has made consumers loath to trust emails from anyone they don't know that ask for contact or personal information -- and rightly so. But if banks and authorities are going to tell people that's the right thing to do, they shouldn't be at all surprised when their emails go ignored as well.


Reader Comments



  • Anonymous Coward, 11 Oct 2006 @ 8:48am

    when it comes to sensitive financial data, any contact that requires a response should be done over the phone. granted this can be spoofed as well, but not as easily and requires a larger investment on the part of the phisher.

  • Anon, 11 Oct 2006 @ 9:07am

    My bank in the UK has phoned me not once, but twice, asking for verification of personal details regarding my credit card. Both times I have refused to give the information and I phoned them back on the bank's main number shown on the back of the credit card. Both times the requests were legit, but banks should be reinforcing caution.

  • Andrew W, 11 Oct 2006 @ 9:26am

    Absolutely right that a request for personal info should only happen over the phone, specifically only when you yourself initiate the call.

    At the same time, some companies still require too much information over the phone. Sprint for example asks its mobile customers for their phone number (reasonable, as it doubles as your account number) but also for "the password associated with your account". Since most people reuse passwords for different accounts (e-mail, Amazon, banking), an unscrupulous CSR would have an easy time ripping a customer off.

  • TriZz, 11 Oct 2006 @ 9:28am

    That reminds me of Fight Club. When he tells the police to not cut off his balls and they're like "you definitely said that you'd say that!"

    HAHAH!

  • Anonymous of Course, 11 Oct 2006 @ 10:35am

    Doh!

    When Fidelity lost a laptop with my information on
    the hard drive, they sent a fed-ex letter. Which
    was waiting for me when I arrived at home a few
    weeks after the initial news report.

    I'm still peeved that they were careless with the
    information but at least they handled it fairly well.

  • Anonymous Coward, 11 Oct 2006 @ 12:26pm

    Seems as though big banks & large companies should create their own phish-like websites in an attempt to educate their customers.

    1. E-mail sends you to phish-like Fidelity website (ip address only).
    2. Website asks for some personal info
    3. Website redirects you to Fidelity's "your personal info could have gotten stolen, how to avoid this" web page.

    People would be more likely to read that website instead of some stupid e-newsletter.

    • kforce, 11 Oct 2006 @ 12:54pm

      Re:

      No one should submit private info through email; for example I had the email of kforce@aol.com for a long time and I would constantly get emails from people thinking that I am Kforce.com, the recruiting site. I had one lady email me her social security number and out of common courtesy I replied back to her and told her she should not send her private info through email because it is not secure. She replied back with a nasty email and told me I shouldn't read email that wasn't intended for me and told me that she would report me because SHE sent her social security number to me. She was lucky I didn't go out and open up credit cards in her name. Moral of the story: don't send anything private through email, do it over the phone - slightly safer, and don't get pissed off when someone tries to help keep your info safe.

  • Anonymous Coward, 11 Oct 2006 @ 12:49pm

    when i was in Canada, my bank needed me to confirm some info, i got a call from them, it was an automated message it said i should call my local branch at or the number provided on my financial statements.

    I guess that is one of the best solutions

  • Anonymous Coward, 11 Oct 2006 @ 1:24pm

    back in the day on aol when i was around 12, i taught myself how to program and wrote phishing programs for passwords and credit cards that phished through im. well, i did end up getting many credit cards and passwords, the scary part of my story is that recently, i went back and looked at the code and took a look at the lines i used asking for their info. not that my grammar is great now, but damn... it read like a 12 year old wrote it. the moral of my story: people are stupid, the web pages used and the syntax used in your messages don't have to be either real looking or correct.

  • wolfrune, 11 Oct 2006 @ 1:29pm

    lol kforce that reminds me of the coworker who was flashing everyone, i told her not to get upset but every time she bent over or sat down everyone was seeing everything and she might want to dress more in line for the office. she complained over me and almost got me fired. next time i'm bringing a camera.

  • Anonymous Coward, 11 Oct 2006 @ 2:40pm

    duh

    whatever

  • Yoram, 13 Oct 2006 @ 4:03am

    there is a way to follow links risk-less: CallingI

    Now there is a way to follow links risk-less,
    CallingID Link Advisor automatically checks the links you receive in your email, web-mail and instant messenger before you follow them and verifies that they are safe.
    After installing it, place your mouse over any link you received and CallingID Link Advisor will provide you with real, accurate data about the site and a straightforward risk assessment. Works with all popular web browsers, email clients and instant messengers

  • Jen, 23 Jan 2007 @ 4:28am

    Distinguishing between Phishing and Reality

    I predict that a new mental health disorder will soon be identified as people are faced with determining whether these more professional-looking phishing scams are "real". How do we identify a "real" email from our bank or credit card company? We look for clues that are consistent with our experience of "real" emails - (1) Is this the account I use for that credit card (often the answer is 'no'), (2) Is that the "real" web address (URL), (3) Does the email sound like a corporation wrote it (style and standard U.S. grammar), etc. But what is a person to do when reading what may be either a particularly well-designed phishing email or a legitimate communication from your bank or creditor?

    Having thought about this a while, the best answer seems to be to avoid using email for any financial transactions. Don't give out your email address to your bank, and then you'll know that any email that purports to be from "Chase Bank" is a fake because you don't talk to Chase Bank via email. (You know, there are still a few people in this country who do not have even one email account!)

  • jackson cole, 27 Jan 2007 @ 9:23am

    i want to confirm my credit card remaining balance

    hello please help me to confirm my credit card
