When You Can't Tell The Phishing Emails From The Legit Ones, Just Ignore Them All

from the smart-security dept

Phishing is a common way for criminals to try to steal people's passwords or other personal information, and it depends on phishers crafting emails and fake sites that look enough like the real thing that people will willingly surrender their information. Banks and authorities are obviously aware of phishing, but that doesn't stop them from undermining their online security efforts, as well as their online products, by sending out legitimate emails that look like phishing attempts. The latest instance sees some British cybercrime police attempting to notify more than 2,000 people in the country that their personal information, including credit card numbers, had been stolen. They get an A for effort, but an F for execution, since they're letting people know by sending them an email and asking them to get in touch -- which plenty of people aren't doing, because it sounds an awful lot like a phishing scam. An unsolicited email that asks the recipient to reply is, by construction, indistinguishable from the attack; a notification people can safely act on has to point them to a channel they can verify on their own, such as the phone number printed on their card, rather than ask them to respond to the message itself. The rise of phishing has made consumers loath to trust anyone they don't know who emails them asking for contact or personal information -- and rightly so. But if banks and authorities are going to tell people that's the right thing to do, they shouldn't be at all surprised when their own emails go ignored as well.


Reader Comments

    Anonymous Coward, Oct 11th, 2006 @ 8:48am

    When it comes to sensitive financial data, any contact that requires a response should be done over the phone. Granted, this can be spoofed as well, but not as easily, and it requires a larger investment on the part of the phisher.

    Anon, Oct 11th, 2006 @ 9:07am

    My bank in the UK has phoned me not once, but twice, asking for verification of personal details regarding my credit card. Both times I have refused to give the information, and I phoned them back on the bank's main number shown on the back of the credit card. Both times the requests were legit, but banks should be reinforcing caution.

    Andrew W, Oct 11th, 2006 @ 9:26am

    Absolutely right that a request for personal info should only happen over the phone, specifically only when you yourself initiate the call.

    At the same time, some companies still require too much information over the phone. Sprint, for example, asks its mobile customers for their phone number (reasonable, as it doubles as your account number) but also for "the password associated with your account". Since most people reuse passwords for different accounts (e-mail, Amazon, banking), an unscrupulous CSR would have an easy time ripping a customer off.

    TriZz, Oct 11th, 2006 @ 9:28am

    That reminds me of Fight Club. When he tells the police to not cut off his balls and they're like "you definitely said that you'd say that!"

    HAHAH!

    Anonymous of Course, Oct 11th, 2006 @ 10:35am

    Doh!

    When Fidelity lost a laptop with my information on the hard drive, they sent a FedEx letter, which was waiting for me when I arrived at home a few weeks after the initial news report.

    I'm still peeved that they were careless with the information, but at least they handled it fairly well.

    Anonymous Coward, Oct 11th, 2006 @ 12:26pm

    Seems as though big banks & large companies should create their own phish-like websites in an attempt to educate their customers.

    1. E-mail sends you to phish-like Fidelity website (ip address only).
    2. Website asks for some personal info
    3. Website redirects you to Fidelity's "your personal info could have gotten stolen, how to avoid this" web page.

    People would be more likely to read that website instead of some stupid e-newsletter.

      kforce, Oct 11th, 2006 @ 12:54pm

      Re:

      No one should submit private info through email; for example, I had the email kforce@aol.com for a long time and I would constantly get emails from people thinking that I am Kforce.com, the recruiting site. I had one lady email me her social security number, and out of common courtesy I replied and told her she should not send her private info through email because it is not secure. She replied with a nasty email, told me I shouldn't read email that wasn't intended for me, and told me that she would report me because SHE sent her social security number to me. She was lucky I didn't go out and open up credit cards in her name. Moral of the story: don't send anything private through email, do it over the phone (slightly safer), and don't get pissed off when someone tries to help keep your info safe.

    Anonymous Coward, Oct 11th, 2006 @ 12:49pm

    When I was in Canada, my bank needed me to confirm some info. I got a call from them; it was an automated message that said I should call my local branch, or the number provided on my financial statements.

    I guess that is one of the best solutions.

    Anonymous Coward, Oct 11th, 2006 @ 1:24pm

    Back in the day on AOL, when I was around 12, I taught myself how to program and wrote phishing programs for passwords and credit cards that phished through IM. Well, I did end up getting many credit cards and passwords. The scary part of my story is that recently I went back and looked at the code and took a look at the lines I used asking for their info. Not that my grammar is great now, but damn... it read like a 12 year old wrote it. The moral of my story: people are stupid; the web pages used and the syntax used in your messages don't have to be either real-looking or correct.

    wolfrune, Oct 11th, 2006 @ 1:29pm

    lol kforce, that reminds me of the coworker who was flashing everyone. I told her not to get upset, but every time she bent over or sat down everyone was seeing everything, and she might want to dress more in line for the office. She complained about me and almost got me fired. Next time I'm bringing a camera.

    Anonymous Coward, Oct 11th, 2006 @ 2:40pm

    duh

    whatever

    Yoram, Oct 13th, 2006 @ 4:03am

    There is a way to follow links risk-less: CallingI

    Now there is a way to follow links risk-less.
    CallingID Link Advisor automatically checks the links you receive in your email, web-mail and instant messenger before you follow them and verifies that they are safe.
    After installing it, place your mouse over any link you received and CallingID Link Advisor will provide you with real, accurate data about the site and a straightforward risk assessment. Works with all popular web browsers, email clients and instant messengers.

    Jen, Jan 23rd, 2007 @ 4:28am

    Distinguishing between Phishing and Reality

    I predict that a new mental health disorder will soon be identified as people are faced with determining whether these more professional-looking phishing scams are "real". How do we identify a "real" email from our bank or credit card company? We look for clues that are consistent with our experience of "real" emails: (1) Is this the account I use for that credit card (often the answer is 'no')? (2) Is that the "real" web address (URL)? (3) Does the email sound like a corporation wrote it (style and standard U.S. grammar)? Etc. But what is a person to do when reading what may be either a particularly well-designed phishing email or a legitimate communication from your bank or creditor?

    Having thought about this a while, the best answer seems to be to avoid using email for any financial transactions. Don't give out your email address to your bank, and then you'll know that any email that purports to be from "Chase Bank" is a fake because you don't talk to Chase Bank via email. (You know, there are still a few people in this country who do not have even one email account!)
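The URL check Jen lists as item (2), together with the "ip address only" link trick from the Fidelity comment earlier in the thread, in working code. This is an added example written for this page; it is not code from the Techdirt post, from any commenter, or from the CallingID product. It pulls every link out of an HTML message body and reports why each one looks like a phish: the host is a literal IP address, there are credentials in front of the host (the brand@evil-host trick), a known brand name appears in a hostname whose registrable domain is not the brand's, or the visible link text names a different domain than the href actually goes to. The sample message, the KNOWN_GOOD list, the finding strings and the function names are all constructed assumptions, and the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Score the links in an HTML e-mail with the heuristics the comment thread describes.

Added example, not code from the Techdirt post or its commenters. The sample
e-mail, KNOWN_GOOD and the finding strings are constructed assumptions.
Python 3 standard library only.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this particular recipient actually does business with.
# This list lives with the recipient; nothing in the e-mail can be trusted to supply it.
KNOWN_GOOD = ("fidelity.com", "chase.com")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_host(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com; a real tool uses the Public Suffix List."""
    if is_ip_host(host):
        return host
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# A bare domain name inside the anchor text, e.g. "www.fidelity.com" or "fidelity.com/security".
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def assess_link(href, text):
    """Return the list of reasons this link looks like a phish (empty list = nothing found)."""
    reasons = []
    u = urlsplit(href)
    host = u.hostname or ""
    reg = registrable(host)
    if u.scheme not in ("http", "https"):
        reasons.append("scheme is %r, not http(s)" % u.scheme)
    if is_ip_host(host):
        reasons.append("host is a raw IP address")  # the "ip address only" trick
    if u.username is not None:
        reasons.append("credentials before the host (brand@evil-host trick)")
    # Brand name somewhere in the hostname, but the registrable domain is not the brand's.
    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        if brand in host and reg != good:
            reasons.append("mentions %r but registrable domain is %r" % (brand, reg))
    # Visible link text names one domain while the href goes somewhere else.
    m = DOMAIN_IN_TEXT.search(text)
    if m and registrable(m.group(1)) != reg:
        reasons.append("link text shows %r but href goes to %r" % (m.group(1), host))
    return reasons


def assess_email(html):
    """Map every href in the message body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample: three suspicious links and one legitimate one.
SAMPLE = """
<p>Dear customer,</p>
<p>Please <a href="http://203.0.113.5/fidelity/verify">confirm your details</a>,
or sign in at <a href="http://www.fidelity.com.account-check.example/login">www.fidelity.com</a>.
Our security guidance is at <a href="https://www.fidelity.com/security">fidelity.com/security</a>.
Chase customers: <a href="http://www.chase.com@203.0.113.5/login">Chase login</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE).items():
        print("%-60s %s" % (href, "; ".join(reasons) or "no finding"))
```

Run against the sample, the only link with no finding is the one whose registrable domain is on the recipient's own list. Jen's item (1), whether this is even the address the bank has on file, cannot be coded here because only the recipient knows that; it is the same reason the article's police email fails, since nothing in the message itself lets the reader settle the question.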

    jackson cole, Jan 27th, 2007 @ 9:23am

    I want to confirm my credit card remaining balance

    Hello, please help me to confirm my credit card.

