
What is phishing?

Jan 12, 2009, 21 min

Episode description

Phishers send emails to strangers, hoping to swindle them out of thousands of dollars. From the notorious Nigerian email scams to fake hard-luck stories, phishing scams depend on the greed of online victims. Learn more in this HowStuffWorks podcast.


Transcript

Speaker 1

Brought to you by the reinvented 2012 Camry. It's ready. Are you? Get in touch with technology with TechStuff from howstuffworks.com. Hi, everybody, welcome to the podcast. My name is Chris Pollette. I'm an editor here at HowStuffWorks, and sitting next to me, as always, is senior writer Jonathan Strickland. Hey there. That was just for you, Chris. Thanks, welcome. I appreciate that. You sure? Are you sure that's you and not somebody else? I'm pretty sure it's me this time. They look like you, but I can't... Yeah.

We wanted to talk today about kind of an insidious problem that's on the internet, although it didn't officially start on the internet. It's actually older than the internet is. But we're talking about phishing scams, and that's phishing with a "ph." Yeah, that's true. These are social engineering scams. They're little ploys designed to trick you into giving away your personal information. Yeah. And the bait that they use, which is part of why it's called phishing, usually plays upon your baser personality traits, let's say, like greed. That's a big one. In fact, that's probably the main one, but other ones like vanity also play a part in certain phishing scams.

So let's talk about a couple. I wanted to talk about probably the best-known scam, especially when it comes to email scams, which is the Nigerian email scam or the 419 scam. Well, you know, I was actually contacted by somebody in Nigeria. Yeah, and they said if I just gave them some personal information, they would... millions of dollars. Yeah, that's the basis for this scam. Now, the original scam was not a phishing scam. Originally it was just so that you would send them money, so you would wire this person money directly. But they would not have access to your personal information, just your money. So hey, there's a bright side, right? But they have kind of evolved since then, and often you will find these emails. They're called Nigerian scams because a lot of them do seem to originate from Nigeria. Not all of them. They could be from anywhere. It's just that's the name they've been given. And the claim is that there is an enormous sum of money that this person is trying to get out of whatever country they're in, and they want to use you as an accomplice to hold onto this money. And you get to keep a portion of that money as part of the deal. And as the deal goes on, things start to mess up and the person says, oh, you know, I've got to bribe this official. I'm gonna need a thousand dollars from you so that I can bribe this person and then we'll be able to get you the millions and millions of dollars. And with that promise of millions of dollars, lots of people are willing to part with substantial sums of money thinking they're gonna get practically something for nothing. And there are people who have lost hundreds of thousands of dollars in these scams.

That's true, and it's kind of impressive, the list of people who have gotten caught by these scams, including a Harvard professor a few years ago ensnared by one of these ploys. They actually found out he had been embezzling a little bit himself, and well, he lost it all when he sent it to Nigeria. Right. Yeah, it's one of those things that's just an evil, evil scheme that has taken lots of money from people who were a little naive and a little greedy and way too trusting. So lesson one: don't trust everything you see on the internet. That's probably the best thing to keep in mind while we're talking about all these phishing schemes. You know, like the old saying goes, if it seems too good to be true, it probably is. Yeah, definitely.

But one of the sort of asides for this part of our discussion is the people that have started counter-scamming the scammers, which just tickles me no end. You can do a quick search on the internet and you can find people who respond to these scammers and they'll say, well, sure, you know, I'm happy to help you out, but first I need this from you, and they'll make them do these elaborate things. I saw somebody who made them carve a Commodore 64 out of wood and send it to them, and they showed pictures of it and it was amazing. Right. So the people on the other end of the scam can sometimes be just as naive as the people they're trying to lure into the trap.

And to get back into the phishing thing, the Nigerian scam, the way it's evolved, is instead of asking for money, they'll ask for things like your Social Security number or your bank account number. And then once they have that information, that's when you're really in trouble, because not only will they siphon out all the money in your account, but they might also make you a victim of identity theft. That's the main goal for probably most of the phishing schemes online, I would say: some form of identity theft, usually some sort of credit card fraud or just outright theft of whatever's in your bank account.

I use a webmail, a pretty standard, well-known webmail service, for my main email account. If you look at the spam folder, it's pretty obvious that these things are scams, because honestly, every time I look at the spam folder it'll be a full folder. You'll see probably about a third of those have similar or the same exact subject headings. And they'll all be, you know, "please" or "help me with my problem" or "bless you, you have the way to help my situation out," and you're looking at it going, okay, obviously there's something going on here. And, you know, bank accounts. I'll get letters from banks that I never have had an account with saying you must update your account information as soon as possible, otherwise... or PayPal, you know. And I'm going, yeah, no, I know you're not real. The thing is, they've gotten really sophisticated. They're getting a lot better, with fewer spelling mistakes and things, and including your name and things that might have clued you in before. Yeah, they're starting to close those holes that were in their approaches before.

You mentioned the bank thing. That's actually a very good point. That's another one that plays on not so much a negative personality trait, but it plays on a person's fear. Yeah, because if you get a message that's from your bank and it says that there's a problem with your account, obviously you're going to immediately want to try and address this problem. And there's kind of a sister technique to phishing called pharming, also with a "ph," which spoofs a website. The goal here is to create a website that looks identical to a real, respectable, legitimate website, so a bank, let's say, that's a good example. But the goal is not to let you access your account, but rather to collect usernames and passwords. And it's the same sort of end goal as phishing. It's collecting all this information and then just stealing everything you can possibly steal. These are kind of scary things. Anyone can fall victim to it. It's very easy to read one of these emails and get emotionally involved and act before you can really think things through.

Yeah, and there are some ways that you can kind of tell whether these sites are real or not. You should always look, when somebody tries to get you to go to one of these sites, take a look at the URL, and that's gonna be one of the first clues, because a lot of the phishing emails that you'll see will ask you to click on this link, and if you mouse over it, you know, just hold your mouse cursor there and look at the location for the site, a lot of times you'll see that it doesn't even have the name of the site that you're supposed to go to in it. So that's a pretty good clue right there. Or it'll be the name, hyphen, something else, and you'll go, okay, this seems a little odd. You want to see if the website has security. Usually you can tell that by either looking for the little lock icon or the HTTPS in the URL.

Keep in mind that both of those can be faked. You can even create a fake website that has a fake URL that looks just like the real one. There's a nasty, nasty attack called domain name server poisoning where you can spoof the whole thing, and that's probably the scariest of all of them, because in most of these cases, a good point of advice is, instead of clicking on a link to take you to whichever site you need to go to, like let's say Amazon or PayPal, you type the address in instead, and that way you don't have to worry about a link redirecting you to another site. However, with the DNS poisoning, it is possible to fool computers so that even if you were to type the address in, you will go to the pharming site instead of the real site. Not very widespread, but it is possible. This is one of those major, major security leaks that came out over the year 2008. Unfortunately... right now it hasn't become a major problem. It's just the potential for disaster. So yeah, phishing and pharming, these are things that you definitely need to look out for.

And there are some other general rules. If you ever get a message from your browser saying that the certificate it's asking for does not match the URL, that is a huge warning that you should never agree to accept a certificate. If it gives you that message, that's a pretty good indication that you're in a pharmed site. That's true, and it will usually tell you specifically what that URL is. And if you look at that pop-up window that you'll get, you're gonna see that the URL doesn't necessarily match. And in some cases it will make sense to you. You know, there are some legitimate cases where it might be a little different. But you should be able to look at that and puzzle it out for yourself and go, you know, that does not make sense to me, that this would go to this URL. I don't think this is safe. And there are some browsers, the newer browsers, that have some anti-phishing technology built into them. Yes, yeah, that's true.

And we should also go ahead and move on to... we were going to talk about some social networking sites recently that have had some issues with phishing attacks. Now, these are a little different, and it's a step further away from any money. You know, you're not giving someone the information to your bank. However, if someone phishes your information from a social networking site, they may end up getting a password that works for other websites, if you're the kind of person who creates the one password and uses that for everything. If you get tricked once, that means your information is vulnerable everywhere you go. So that's one of the good reasons to make sure you use different passwords for different websites, which is a pain. I know it's a pain, especially if you have a lot of websites you go to. That's really important to do if you want to remain safe online. That's true. And there are some pretty sophisticated password storage sites that are available now, and some of them will help you manage your logins. They'll offer a plug-in for browsers like Firefox. You can plug it in and, when you go to a site, it will allow you to store passwords. And some of them will even allow you to generate new passwords, so you can generate something with lots of different upper- and lowercase characters and numeric things and basically help you to come up with something really tricky, and you won't necessarily have to remember it because the plug-in has it stored for you. Right.

And going back to the social media stuff, Facebook and Twitter both have had some problems with phishing attacks recently, and by recently I mean the end of 2008 and beginning of 2009. Facebook, actually, one of my friends on Facebook was victim to this. He was suddenly sending out all these messages to people saying, hey, you know, you look really funny in this video, I can't believe you did this, blah blah blah. And then there's a link, and the link takes you to a site that looks like a video site, and it tells you, hey, you know what, you need this plug-in in order to play the video, click here. And if you were to click there, you would immediately download some malware onto your computer. And so in this case, it's not necessarily to steal your information, but it was a malware delivery system, which could theoretically also help steal your information. It could be a keylogger, it could be a trojan, all sorts of nasty things that could happen to you by following these links. So we did let him know that his account was compromised, and he ran some software and he changed his passwords and things seem to be okay with his account now, but I've seen that happen two or three other times with other people.

And the pernicious thing is, on Facebook, if you haven't used Facebook before, if you're posting something to somebody else's what they call the wall, you have to be a friend of that person in order to do that. So there's already that aura of trust going on. You say, well, this must be legitimate, you know. And even though there may be spelling errors or the grammar they use may not be the same way that this person would normally write to you, you might say, well, you know, obviously it's not somebody else because they're writing on my wall, so it must be legitimate. Well, that's the thing: those people are falling prey to the phishing attack, and then other people fall prey to it, and that's social engineering. Right. Yeah.

Twitter was very much the same way. A few Twitter accounts were compromised in a way that, as of the recording of this podcast, we're just not sure exactly how the initial takeover happened. But after that, direct messages started going between Twitter users, and just like in Facebook, to send a direct message in Twitter you have to follow the person you're sending the message to and they have to follow you back. It can't just be a one-way street. It has to be mutual following. Then you can send a direct message, which is a private message. It doesn't go on the public Twitter broadcast. And these private messages said things like, oh, you won't believe what this person said about you in this blog, and you know, being the kind of vain people we are, we Twitter users, I include myself in that... Yeah, but in particular people who use Facebook and Twitter, there's a few studies that suggest that such users have a little bit of a narcissistic tendency. Well, you feel inclined to click on this, and of course that ends up delivering malware to your computer. So yeah, we're probably gonna see a lot more of these, especially as people, you know, people who think it's funny, like the Twitter stuff. A lot of the things I saw were just people messing with other people's Twitter accounts so that they were making them say ridiculous and, you know, scandalous things and completely untrue things. But they weren't using it to necessarily steal information. They were just making a nuisance of themselves. We'll probably see more of that too. Yeah.

As a matter of fact, there were several high-profile accounts that were hacked right on the heels of that phishing scheme, like President-elect Barack Obama and Britney Spears, Fox News, Rick Sanchez from CNN. I believe Rick Sanchez claimed, according to his Twitter account, that he had taken some crack early in the morning and was kind of flying high at the time. Yeah, that was a bad one. Yeah, and patently, you know, completely untrue. Yeah, it was not Rick Sanchez, it was whomever had taken over his account. But apparently in that case, Twitter founder Biz Stone said that there were some administrative tools that had gotten hacked into that would allow someone to access passwords, and there were 33 accounts. They haven't divulged, at the time of us recording this, who all was hacked. But they were all famous people with lots of... I mean, they were the obvious targets. And so don't think that President-elect Obama saw "hey, see what this crazy person said in the blog about you" and then clicked on it. That's not the case. In this case, he was targeted specifically by the hackers. This wasn't one of those things where Obama is just like, I wonder what this blogger did say about me. So, just to clear that up.

I wanted to talk very briefly about what you should do if you are the victim of a phishing attack. Okay, so there are a few different websites you can report a phishing attack to. One of them is the antiphishing.org website, and you can send an email to reportphishing@antiphishing.org. You can also send an email to the Federal Trade Commission; the email address to send that to would be spam@uce.gov. And you would probably want to file a complaint with the FBI at their Internet Crime Complaint Center, which is at www.ic3.gov. And it's important to let these organizations know so that they can let everyone else know and investigate. Meanwhile, you should also immediately contact the three big credit bureaus, so Experian, Equifax and TransUnion, and get ahold of your credit report, take a look at it, see if there's anything strange on there, and report the fraud to them. If you have evidence of fraud, you should use that so that you can get the fraud alert extended over the maximum amount of time, because the standard time for a fraud alert is 90 days, and the problem with that is someone could still be using your information after those 90 days and you'd really be stuck. So if you have proof of fraud, you can get that extended up to, I think, seven years, which, you know, sounds kind of crazy, but we're talking about your information that can affect your credit rating, whether or not you can buy a house, whether or not you get a job. I mean, this is important stuff. And also report the crime to local law enforcement. If it happened while you were at home, of course, you report to that local law enforcement. If you're on vacation, whatever, you report to them, just to let them know what had happened. That kind of covers all the bases. You may have to sign some affidavits to make sure that, you know, what you're saying, you will stand up in court and defend and say this is exactly what happened. But that's a small price to pay, considering. Yeah, I think so.

And, you know, as Jonathan said, this is not something that you want to take lightly. Just use your common sense. Avoid clicking on links that don't appear to be correct. Go directly to the source if you can to find it. Use the latest web browsers that incorporate the anti-phishing technology. All these things will help you avoid being sucked in. And it's amazing to me how many of these deep-sea analogies we have. Now we've talked about trolling and phishing. So yeah, don't be a prawn. You know what else? Piracy. Nice, right? So we've got a whole seafaring thing going. Yeah, well, I think that about wraps it up for this discussion, don't you? Yeah. Excellent. If you want to learn more about some of the things we've talked about, we've got articles on online crime, we have articles on safe web browsing, and phishing and fishing, both the "ph" and the "f," I believe. You can find out all about that at howstuffworks.com right now, and we'll talk to you again really soon. For more on this and thousands of other topics, visit howstuffworks.com. Let us know what you think. Send an email to podcast@howstuffworks.com. Brought to you by the reinvented 2012 Camry. It's ready. Are you?
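The link checks the hosts describe (hover over the link, see whether the real host carries the expected site name or is "name-hyphen-something", and do not trust the visible text) can be automated over the HTML body of a message. The following is an added example written for this page, not code from the podcast or from HowStuffWorks. It uses only the Python standard library; the `TRUSTED_HOSTS` allowlist, the `SAMPLE_EMAIL` body and the hosts in it are constructed assumptions, and the "registrable domain" helper is a deliberate simplification (last two labels, no public suffix list). It goes slightly beyond the podcast by also catching two tricks the hosts do not mention: a `user@host` prefix that makes a URL read as one site while resolving to another, and links to a bare IP address.

```python
# Added example: scan the <a href> links in an HTML email for phishing red flags.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: an allowlist of hosts the recipient legitimately uses for each brand.
TRUSTED_HOSTS = {
    "paypal": {"paypal.com", "www.paypal.com"},
    "amazon": {"amazon.com", "www.amazon.com"},
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public suffix list,
    so names like example.co.uk are mis-split; fine for a demonstration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return a list of warning strings for one link; an empty list means no red flag."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    if parts.scheme != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # https://www.bank.com@evil.example/ really goes to evil.example
        findings.append(f"userinfo before '@'; browser goes to {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("link goes to a bare IP address")
    except ValueError:
        pass

    text_lc = text.lower()
    for brand, good_hosts in TRUSTED_HOSTS.items():
        if brand not in text_lc and brand not in host:
            continue  # this link does not claim to be that brand
        if registrable_domain(host) in {registrable_domain(h) for h in good_hosts}:
            continue  # genuinely on the brand's own domain
        if brand in host:
            # the "name-hyphen-something" case, e.g. paypal-account-verify.example
            findings.append(f"{brand!r} in host {host!r}, but domain is "
                            f"{registrable_domain(host)!r}")
        else:
            findings.append(f"text mentions {brand!r} but link goes to {host!r}")

    # Visible text that is itself a URL, but for a different site than the href.
    shown = re.match(r"https?://([^/\s]+)", text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"visible URL {shown.group(1)!r} differs from real host {host!r}")
    return findings


# Constructed sample message body (not a real email).
SAMPLE_EMAIL = """<p>Dear customer, your account has been limited.</p>
<a href="http://paypal-account-verify.example/login">Update your PayPal account</a>
<a href="https://www.paypal.com/signin">PayPal sign-in</a>
<a href="https://www.paypal.com@203.0.113.5/">https://www.paypal.com</a>
<a href="https://mailer.example/unsub">Unsubscribe</a>"""


def scan_email(html):
    """Return (href, text, findings) for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


def suspicious_links(html):
    return [href for href, _, findings in scan_email(html) if findings]


if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{'SUSPECT' if findings else 'ok':7} {text!r} -> {href}")
        for finding in findings:
            print(f"          - {finding}")
```

Run it and the two PayPal lookalikes are flagged while the genuine `www.paypal.com` link and the unbranded unsubscribe link pass. The heuristics only fire when a link claims a brand in its text or host, so they cannot catch a lookalike for a brand missing from the allowlist; the certificate-mismatch warning and typing the address yourself, as the hosts advise, remain the stronger checks.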
