from the <a href=”http://education.apwg.org”>Anti-Phishing Working Group</a> (APWG)

You’ve heard this phish story before: a friend or associate received an e-mail from a reputable bank or credit card company. Warned that her credit status was in danger, she was directed to a link where she was able to supply her information in order to “verify” her credit status. Two weeks later, her bank account was empty and her credit score had plummeted.

It had all seemed so legitimate, right down to the design of the web page and logo of the faux “company”. And your friend is only one of millions who get taken in by phishing each year.

Now one anti-fraud organization–the Anti-Phishing Working Group (APWG)–aims to teach people where they’ve gone wrong in getting scammed via email…and how to avoid it next time.
The Devil You Don’t Know

Make no mistake: phishers are creative. As much as you may be convinced that you could never be fooled by a phishing scam, “professional” online criminals continuously come up with new ways to leach information from you…and these ways get more subtle and convincing each time.

“We know from experience that an educated consumer is the best defense against fraud,” commented David Shroyer, senior vice president, eCommerce Online Security, Bank of America, in an interview for Georgiafrontpage.com.
Fool Me Once

Working to combat a problem that’s become a billion-dollar industry, AWPG, in conjunction with Carnegie Mellon University, is instituting a program that will redirect potential victims to a page that gives information on phishing. Called the AWPG/Carnegie Mellon Phishing Education Landing Page Program, the initiative addresses phishing fraud at the point the person would potentially become a victim.

How does it work? In the planned scenario, an individual unwittingly clicks on a link that was created in order to leak information from him and criminally access his bank account. As soon as he does, he’s redirected to an anti-phishing educational page. Not only is he given a heads-up that he could have been clicking on a fraudulent site, but he now has information in front of him on how to keep from making the same mistake in the future.
How it All Comes Together

The APWG/Carnegie Mellon’s program will identify sites that have been shut down by investigators for phishing fraud. Normally, an individual who clicked on these defunct links would receive an error or “page not found” message. Thinking it’s some kind of glitch, the potential victim would simply go on his way, forgetting the incident almost as soon as it was over.

Instead, this revolutionary program redirects consumers to an educational page that warns consumers of the dangers of phising and teaches them how not to innocently click on a potential danger the next time. By working at the exact point that the person is in the act of falling into a fraud trap, the information is read immediately. The program will work on both personal computers and laptops using different technologies, officials say.

AWPG is implementing additional ways to combat the problem as well, including a phishing fraud report page. Meanwhile, the organization will continue to further the project, including translations into other languages so that the information can be spread internationally.

The phishing message urges the recipient to update their Skype account by December 18, or it will be deleted. The URL given in the message is http://secureskype.uuuq.com/index.php/.

Accessing the URL shown above, one will be redirected to a different website. The actual phishing website is hosted at http://monybokers.ns8-wistee.fr. Wistee, again! This phishing website is hosted by a disgraced French web hosting company called Wistee. Their name has been mentioned  more than a dozen times this year alone.

Their preliminary analysis indicates that:

The IP address of the server hosting the phishing website is traced to 91.121.124.22 (France).
The redirection website is hosted in Poland.

The phishing message originates from Tampa, Florida, USA.

Shop with companies you know, and find out about their physical locations. If a website doesn’t give its address and contact information, consider taking your business elsewhere.

Know what you’re paying. Whatever is listed on the site can be substantially different from the final price. A reputable vendor will include shipping and handling costs before you make the final decision to purchase an item.

Find out about the site’s privacy policy. How will your information be used and will it be shared with others?

Look for seals of approval that confirm the credibility of the company and its website, for example BBB On-line (the Better Business Bureau), WebTrust (from the Canadian Institute of Chartered Accountants), or the Canadian Marketing Association. Check the vendor with these organizations.

Is it a secure site?

Never give away your credit card number or other confidential information without making sure your connection is secure. Check for a closed lock or unbroken key on your browser. A secure connection will begin with https:// instead of http://. Bill Rosenkrantz, group product manager at Symantec, also suggests clicking on the lock icon to check the digital certificate. The name on there should match the company site you’re visiting.

Check what the vendor’s policy is regarding returns, complaints and warranties.

Keep records of your online transactions, and check your e-mail for information from a vendor regarding your purchase.

Review your credit card and bank account statements every month to check for errors or unauthorized purchases.

We’ve all heard of the dangers. Cyber stalkers, phishers, scammers and hackers have dedicated themselves to all sorts of mischief from stealing passwords and money to crashing our hard drives.

Malicious spyware and adware can track your surfing and Internet activities, allowing companies to compile a huge amount of personal data. This compromise of personal privacy is not only disturbing, but dangerous as it can make you vulnerable for identity theft.

All they need is the name and address to make the cheque out to, and your social insurance number (for tax purposes, of course). Don’t fall for it.

Many identity theft criminals rely on people’s greed to get their foot in the door. If you didn’t buy a lottery ticket, you didn’t win any lottery and if you did by chance win the lottery, you wouldn’t be asked for this personal information over the phone or via email or surface mail.

Nevertheless, we encourage you to take precautions when giving out any confidential information (including your credit card number) over the Internet, over the phone… or anywhere else for that matter!

Always use common sense — it is the best rule of thumb.