Phishing Scams: Something You NEED To Know and How To Avoid Being Ripped Off

by Curt Biggar

So what is a phishing scam anyway? Trust me, you NEED to know – and if you use the internet to access e-mail or ANY type of online account, this may be one of the most important blog posts you’ll read today…

Bear with me while I give the definition of phishing and then read the story about how we almost became a victim of a phishing scam.

First, here is how Wikipedia defines phishing:

“In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”

In other words, you are ready to sign into your e-mail account, but you mistakenly type in the wrong web address (maybe inputting two “n’s” where there was supposed to be only one “n”). Now you are ready to log in. All appears normal except you are not really at your e-mail provider’s website at all.

You are at a FAKE website that only LOOKS like your e-mail site. You put in your user ID and password, but nothing happens, or perhaps you are (unbeknownst to you) re-directed to the REAL site and a screen that says you entered the wrong password. You try again, and you are successfully and happily logged in.

But what you don’t realize is that you have now become the victim of a phishing scam! While you are merrily checking your e-mail, the phishing website owner is preparing to hijack your account. After all, everyone knows that if someone has access to your e-mail account, all they have to do is go to the websites you hang out at (they can find that out by looking through your saved e-mails), and even if those other sites use different passwords, all they have to do is click the “Lost Password” button and in most cases the password will be instantaneously sent to…you guessed it…the e-mail account that has been compromised.

Things could get pretty ugly in a hurry. Here is my story…

Yesterday my son was going to his Google Adwords account. He normally does that when he is logged into Gmail and from the Gmail interface, but since he already had Google open, he simply typed in “adwords” in the search box and (as usual) the top listing was adwords.google.com.

In fact, it was both the top “organic” and top paid ad. Well, he clicked on the top paid ad and went on to what he thought was Google’s Adword page and since he wasn’t already logged into his Gmail account, he entered his user ID and password. Nothing happened for a few seconds, but then he was immediately re-directed to a REAL Google page that informed him that he had entered the wrong password.

Since it was a re-direct he was suspicious and hit the Back button on his computer. Here is the URL where he really was:
http://adwords.googlen.com (The site is already down.)

It was a phishing scam site and now they had not only his Google Adwords account info, but also his Google Adsense and Gmail profiles…since they all rely on the same log-in profile. Thankfully, he was able to get to his account first and change his password, but the results could have been disastrous!

We did some further research by going to Google and searching on Adwords again and now TWO ads came up at the top of the page:

  • the URL mentioned above and this one…
  • ebaypartnernetwvork.com (Notice the misspelled “netwvork”.)

Here is a link to a screenshot we took of the search results:
http://www.imageuploads.net/ims/pic.php?u=32201LsGqu&i=167811

The top two are fraudulent (EVEN THOUGH the top one looks JUST like it is Google’s).

We notified Google immediately about the phishing scam, but I wonder how many hundreds of people compromised their security during the period of time that these ads were running?

So, if you are feeling lazy and want to type in your URL or do a search for it (ESPECIALLY when your destination is going to require a log-in profile), think again…One mis-type or “bad search” result and you are a step away from someone getting your password.

Instead, use a program like RoboForm (www.roboform.com) that automatically goes to the website that YOU have pre-defined and enters your log-in profile without you having to enter a single keystroke online.

ALSO…if you are one to use a public computer, such as one at a hotel business center, library, school, or public kiosk, you had better use RoboForm’s portable USB solution (RoboForm2Go), because who knows whether someone has installed spying software on that public computer so that your every keystroke is being logged and a phishing scammer can steal your identity and wreak havoc on your life.
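The protection described above comes down to one rule: credentials are filled in only when the browser is at the exact host you saved, never at one that merely looks like it. As an added illustration (example code written for this post, not the author’s and not RoboForm’s), the script below applies that rule and also flags near-miss hosts such as the two from the story. The allowlist of saved login hosts is constructed for the example, the edit-distance threshold of 2 is an assumption, and the registrable-domain helper is a simplification that takes the last two labels rather than consulting a public-suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the sites a user has pre-defined
# in a password manager; a real tool keeps this per saved login.
KNOWN_LOGIN_HOSTS = {
    "adwords.google.com",
    "mail.google.com",
    "www.ebaypartnernetwork.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute); small values mean a likely typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_host(url: str) -> str:
    """Lower-cased hostname from a URL, or an empty string if there is none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_url(url: str, allowlist=KNOWN_LOGIN_HOSTS, max_distance: int = 2):
    """Return (verdict, host, closest_saved_host).

    exact       - host is one of the saved login hosts
    same_domain - same registrable domain as a saved host, but not a saved host
    lookalike   - registrable domain is within max_distance edits of a saved one
    unknown     - nothing close on the allowlist
    """
    host = normalize_host(url)
    if host in allowlist:
        return ("exact", host, host)
    domain = registrable_domain(host)
    best = None
    for known in sorted(allowlist):  # sorted so ties resolve deterministically
        d = levenshtein(domain, registrable_domain(known))
        if d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    if best is None:
        return ("unknown", host, None)
    verdict = "same_domain" if best[1] == 0 else "lookalike"
    return (verdict, host, best[0])


def should_autofill(url: str, allowlist=KNOWN_LOGIN_HOSTS) -> bool:
    """The password-manager rule: fill credentials only on an exact saved host."""
    return classify_url(url, allowlist)[0] == "exact"


if __name__ == "__main__":
    for u in ("http://adwords.googlen.com", "http://ebaypartnernetwvork.com/login",
              "https://adwords.google.com/", "https://example.com"):
        print(u, "->", classify_url(u), "autofill:", should_autofill(u))
```

Run it and both domains from the search results above come back as lookalikes of a saved host, while autofill is refused for anything but an exact match; a same-domain result (a real but unsaved host under the saved domain) is still refused, which is the conservative behaviour a password manager should have.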

But don’t solely rely on software to protect you. Sometimes phishers employ cleverly worded e-mails, disguised as notifications from companies you already do business with, enticing you to click a (fraudulent) link so that they can capture your log-in profile. Slowing down and using a little common sense can also go a long way towards helping you avoid becoming the next victim of a phishing scam.
