Beware! Inside every computer is a cyber-crook just waiting to pounce


Monday, September 11th, 2006

Sun

Online facts of life, Part I:

1. Financial institutions never use e-mail to notify customers that there are problems with an account.

2. Legitimate businesses never ask for a user name and password unless the customer has initiated the communication.

3. There’s no one in Nigeria willing to share a fortune with you even if you facilitate its transfer out of the country.

These facts may seem obvious, but people who ignore them are swindled every day by an invisible army of increasingly sophisticated e-criminals who use the Internet to steal money and identities, and appear to do so with impunity.

The Nigerian letter scam has been around almost as long as the Internet itself and has now been extended to other countries. The typical ruse is that a relative of a dead or deposed dictator, exiled government official or some other member of privileged society has socked away an unimaginable amount of cash in a rainy day fund and needs to find a bank account in the free world in which to deposit it, for which the holder of that account will be richly rewarded. Your bank account was chosen because your e-mail address was among the millions lifted from a CD the Nigerians bought from an online Viagra dealer. All you have to do is send along your banking information to begin the process of being ripped off.

But online crime has advanced far beyond the crude techniques of the letter scam. Now, you’re likely to receive an e-mail from a supposed bank or broker, complete with logos, graphics and even security warnings, that looks and acts like the genuine article. Except that it’s not.

One of the most convincing fakes of late appears to be an RBC Financial site that instructs recipients to re-submit confidential information because the company is updating its servers to combat phoney e-mails. Who’d expect that an e-mail warning about fraud would itself be a fraud?

One security expert admitted that he was almost taken in when he received an e-mail advising him of a problem with an online bank account he had just opened. But he called the bank and learned it was a hoax.

Fraudulent e-mails often direct recipients to sites that collect personal and financial information for the purpose of identity theft. There’s even a term for this kind of criminal data mining — phishing.

A phishing assault poses the additional risk that the e-mail may contain malicious software, called a trojan, that can install itself on a PC where it lies in wait for an unsuspecting user to log on. Masquerading as a benign software application, for instance, it gathers account numbers, ID, passwords and transaction information and transmits them to persons unknown.

Online facts of life, Part II:

E-mail messages from financial institutions that request a reply in kind are likely bogus. Select and copy the message without clicking any hyperlinked text. Go to the official website of the institution from which the e-mail purportedly emanated. Click the “Contact Us” link and paste the entire message in an e-mail message or in the dialogue box provided. The institution will tell you if the message is legitimate.

While awaiting a reply, delete the original message and then empty the deleted-items folder. If the e-mail really came from an honest dealer, it will send another. All suspect e-mail messages should be deleted. Don’t even click on links that invite you to unsubscribe.

Don’t use the same password for every site and change passwords frequently. Use a firewall and anti-virus software, but be warned that some phishing sites seem so authentic they may slip through the spam screen.

Financial institutions are discovering that security is an ongoing challenge; it doesn’t take cyber crooks long to crack the codes. Although companies, governments and other organizations are taking extraordinary measures to protect their sites, there is no guarantee that they haven’t been compromised. In a recent survey, all the participating institutions said their sites had been attacked.

That leaves it up to the individual to guard against the misappropriation of confidential information. Just as the homeowner secures the front door, the driver locks the car and the tourist avoids dodgy areas of town, the computer user must assume personal responsibility for keeping identity theft in check.

It’s a digital jungle out there; take care.

© The Vancouver Sun 2006

 


