Archive for November, 2007

20 Nov 07

Phishing Scams – How To Verify A Site Certificate


Some malicious individuals use phishing scams to set up convincing spoofs of legitimate Web sites. They then try to trick you into visiting these Web sites and disclosing personal information, such as your credit card number.

Fortunately, there are several steps you can take to help protect yourself from these and other types of attacks.

What is a spoofing attack?

Spoofing attacks are commonly used in conjunction with phishing scams. The spoofed site is usually designed to look like the legitimate site, sometimes using components from the legitimate site. The best way to verify whether you are at a spoofed site is to verify the certificate.

Do not rely on the text in the address bar as an indication that you are at the site you think you are. There are several ways to get the address bar in a browser to display something other than the site you are on.

How to verify a site certificate

Always verify the security certificate issued to a site before submitting any personal information. Before you submit any personal information, ensure that you are indeed on the website you intend to be on.

In Internet Explorer, you can do this by checking the yellow lock icon on the status bar.

This symbol signifies that the website uses encryption to help protect any sensitive personal information—credit card number, Social Security number, payment details—that you enter.

Screen shot of yellow lock icon in Internet Explorer

Secure site lock icon. If the lock is closed, then the site uses encryption. Double-click the lock icon to display the security certificate for the site. This certificate is proof of the identity for the site.

When you check the certificate, the name following Issued to should match the site you think you are on. If the name differs, you may be on a spoofed site.

If you are not sure whether a certificate is legitimate, do not enter any personal information. Play it safe and leave the Web site.

Screen shot of an MSN certificate

Legitimate certificate. When new subscribers sign up for MSN services, they can match the Issued to domain name (msn.com) to the Web site domain name (also msn.com).
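The "Issued to" comparison described above can also be written out as code. This is an added example, not part of the original post: the certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the host names other than msn.com are made up, and the wildcard handling is a simplified version of what browsers do.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# not a real certificate.
MSN_CERT = {
    "subject": ((("commonName", "msn.com"),),),
    "subjectAltName": (("DNS", "msn.com"), ("DNS", "*.msn.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "msn.com"),),)}


def issued_to_names(cert):
    """DNS names the certificate was issued to: SAN entries, else the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Compare label by label; '*' may stand for the left-most label only."""
    p = pattern.rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def issued_to_matches(cert, hostname):
    """True when the site's hostname is covered by the 'Issued to' names."""
    return any(name_matches(n, hostname) for n in issued_to_names(cert))


if __name__ == "__main__":
    for host in ("msn.com", "signup.msn.com", "msn.com.account-check.example"):
        print(host, issued_to_matches(MSN_CERT, host))
```

A name match only means something for a certificate whose chain of trust has already been validated, which is the browser's job before it shows the lock icon.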

Also, be cautious about clicking links in e-mail messages or in online ads from retailers you don’t recognize or trust. If you have any doubt about a link, do not click it.

Instead, type the Web site address into the address bar of your Web browser, or try to confirm that the link is legitimate. Remember, if an offer sounds too good to be true, it probably is.

Get the Phishing Filter

Phishing Filter is designed to warn or block you from potentially harmful Web sites. It’s available in Windows Internet Explorer 7 for Windows XP Service Pack 2 (SP2), and Windows Vista. It is also available in the new Windows Live Toolbar for users of Internet Explorer 6 and above.

08 Nov 07

Top 12 Windows Spam Filters


1. POPFile – Spam Filter

POPFile is a powerful and flexible email classification POP and NNTP proxy that you can use to filter spam efficiently and categorize good mail automatically. Unfortunately, POPFile can grow a bit heavy on memory and CPU load if you have trained it on lots of mail.

2. Death2Spam – Spam Filter

Death2Spam is an extremely accurate, safe and easy to use spam (and virus) filtering service that seamlessly and silently eliminates junk mail before it even reaches your email program.

3. eXpurgate – Spam Filter

eXpurgate is an effortless but highly effective spam (and virus) filtering service. Its only real shortcoming is that eXpurgate relies on forwarding and requires two different email accounts.

4. SpamPal – Spam Filter

SpamPal makes it easy to use spam blacklists with any email account. Bayesian and scoring filters add further spam protection.

5. MailWasher Pro – Spam Filter

MailWasher Pro is a highly competent, usable, secure and time-saving spam filtering tool. Combining multiple approaches, MailWasher Pro achieves a solid spam detection rate and protects you from viruses to some extent, too.

6. Spamihilator – Spam Filter

Spamihilator is a pretty, easy to use anti-spam tool that works with any email client and, thanks to Bayesian filters, has a good detection rate.

7. K9 – Spam Filter

K9 is a wonderfully precise, easy to use and fast learning Bayesian spam filtering tool. It’s a pity this gem only works with POP accounts and lacks remote administration.

8. Cactus Spam Filter – Spam Filter

Cactus Spam Filter is a really easy to use and pretty precise spam filter. It’s a pity it only works with POP accounts and does not leverage its power for further pre-sorting the good mail.

9. Spam Bully – Spam Filter

Spam Bully is a great and efficient anti-spam tool. If you train it well, Spam Bully can rid your Inbox of unwanted emails almost completely.

10. Spamato – Spam Filter

Spamato filters POP and IMAP accounts for spam with the potential for high precision and plug-ins that make it easy to use in Outlook and Mozilla Thunderbird. Unfortunately, Spamato can be a bit overwhelming with its multitude of options and little help.

11. Spam Interceptor – Spam Filter

Spam Interceptor is an elegant, easy to use and flexible, but most of all effective spam filtering solution. Its combination of multiple strategies works great — unfortunately for POP accounts only.

12. SpamExperts Desktop – Spam Filter

SpamExperts Desktop identifies and eliminates spam precisely and, thanks to its plugging right into the email transport, works without configuration with any email program and just about any email account.

It’s a pity SpamExperts Desktop is a tad slow to process mail (though that can be countered by having it download mail periodically), and the process that lets you correct the filter’s errors could be improved.

08 Nov 07

Identity Theft Preventive and Reactive Steps

 


Preventive Steps:

  • When creating passwords and PINs (personal identification numbers), do not use the last four digits of your Social Security number, mother’s maiden name, your birth date, middle name, pet’s name, consecutive numbers or anything else that could easily be discovered by thieves. It’s best to create passwords that combine letters and numbers.
  • Here’s a tip to create a password that is strong and easy to remember. Think of a favorite line of poetry, like “Mary had a little lamb.” Use the first or last letters to create a password. Use numbers to make it stronger. For example, MHALL, or better yet MHA2L!. The longer the string, the harder it is to crack.
  • Never respond to “phishing” email messages. These appear to be from your bank, eBay, or PayPal. They instruct you to visit their web site, which looks just like the real thing. There, you are told to confirm your account information, provide your SSN, date of birth and other personal information. Legitimate financial companies never email their customers with such requests. These messages are the work of fraudsters attempting to obtain personal information in order to commit identity theft. (See example below.)

 

Example:

From: BankofAmerica [mailto:BankofAmerica@online.com]
Sent: Thursday, September 06, 2007 1:53 PM
Subject: Security update



We recently have determined that different computers have logged onto your Online Banking account, and multiple password failures were present before the logons. We now need you to re-confirm your account information to us.

If this is not completed by September 7, 2007, we will be forced to suspend your ccount indefinitely, as it may have been used for fraudulent purposes. We thank you for your cooperation in this manner.

To confirm your Online Banking records click on the following link:
https://online.bankofamerica.com/IdentityManagement/

Thank you for your patience in this matter.

Bank of America Customer Service

Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

© 2007 Bank of America Corporation. All rights reserved.

 

***Note that this message appears to come from a legitimate Bank of America email account; however, further investigation shows that the hyperlink hides a different embedded URL than the text that is displayed. It leads victims to a scam website, which records the private information they provide.

  • When shopping online, do business with companies that provide transaction security protection, and that have strong privacy and security policies. Always look for a secure URL when making an online transaction (HTTPS://).
  • Before disposing of your computer, remove data by using a strong “wipe” utility program. Do not rely on the “delete” function to remove files containing sensitive information.

  • Be aware that file-sharing and file-swapping programs expose your computer to illegitimate access by hackers and fraudsters. If you use such programs, make sure you comply with the law and know what you are doing. Install and update strong firewall and virus protection.
  • Run a credit report on yourself to see if there are any unknown credit inquiries or unauthorized accounts
  • Reconcile your check and credit card statements in a timely fashion and challenge any purchases that you did not make
  • Never give out important numbers, such as your driver’s license, credit card, bank account or Social Security number, or your date of birth, to anyone you don’t know over the telephone
  • Shred your bank statements and any tax documents when you dispose of them
  • Scrutinize your utility and subscription bills to make sure the charges are yours
  • Memorize your passwords and personal identification (PIN) numbers. Keep your PIN numbers somewhere that only you know
  • Don’t give out your PIN or write it on your credit cards or ATM cards
  • Keep a list or photocopy all credit and identification cards you carry with you, including front and back, so that you can quickly call the issuers to inform them about missing or stolen cards
  • Don’t give away too much personal information on your family web site. Full names, dates of birth, and addresses are too much information to post. By obtaining your “place-of-birth,” the identity thief can possibly get your duplicate birth certificate

If You Become a Victim

  • Report the incident to the police immediately. If you know where your identification was stolen, that would be the correct police jurisdiction to report it to. Insist on being given a police report number and get a copy to enclose in correspondence with credit agencies
  • Report all stolen cards to the issuers immediately and request new card numbers. Always respond to written credit card receipt notifications received in the mail
  • Notify your bank in the event that your checks are stolen and request that your account be closed

Credit Reporting Agencies:

  • Equifax. Phone: (888) 766-0008. Online: www.equifax.com
  • Experian. Phone: (888) EXPERIAN (397-3742). Online: www.experian.com
  • TransUnion. Phone: (800) 680-7289. Online: www.transunion.com

Federal Trade Commission Identity Theft Clearinghouse

Federal Agencies and Technology Industry

California Office of Privacy Protection

Identity Theft Resource Center

Privacy Rights Clearinghouse

Compilation of Identity Theft Surveys

  • Web: www.privacyrights.org/ar/idtheftsurveys.htm

Additional web sites:
