Thursday, September 1, 2005

There’s a scammer born every day

SECURITY ALERT

By David Gewirtz

Before we begin our story, we want to be clear: this is a must-read article.

Hurricane Katrina was a devastating disaster that will be felt by many for months and years to come. Our best wishes go out to the victims in Louisiana, Mississippi, and Alabama. Like many of you who weren't in harm's way, we felt an almost overwhelming need to help, to do something. The generosity of Americans and our friends in other countries is nothing short of astounding.

Unfortunately, another group of people watched the disaster. These folks didn't feel an overwhelming need to help. These folks sought to feed on the generosity of those who care. These people are the phishers. If you're not careful, these phishers could do you considerable harm while you seek to do good.


"Scammers launch some 14,000 schemes a month."

Let's define some terms so you know what you're dealing with. According to the Anti-Phishing Working Group, made up of members like VISA, Mastercard, Experian, Microsoft, Verisign, Adobe, GeoTrust, and others:

Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.
Social-engineering schemes use 'spoofed' emails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.
Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware. Pharming crimeware misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

What does this mean? Well, in the last few weeks, many of you have received email messages from the American Red Cross asking you to donate to the Hurricane Katrina relief efforts. If you opened the email, you might have seen a URL for the American Red Cross. You might have clicked on that URL to be taken to a page that looked like the American Red Cross home page. And you might have clicked on the Donate link and given your credit card number.

You would not have made a donation. Instead, you would have started your own personal nightmare. For the email was not from the American Red Cross, the site was not operated by the American Red Cross, and your credit card number most assuredly was not in the hands of the American Red Cross.
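The scenario above, a message whose links look like the Red Cross but lead elsewhere, is exactly what a link-consistency check catches. Below is an added example (not code from the original article) in Python: it parses an HTML mail body, and flags links whose visible text or hostname invokes the charity's domain while the real target is a different registered domain or a bare IP address. The sample message and the brand domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'last two labels' rule; assumed adequate for .org/.com hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html_body, brand_domain):
    """Return (href, reason) for links that claim brand_domain but go elsewhere."""
    p = _LinkCollector()
    p.feed(html_body)
    findings = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        try:
            ipaddress.ip_address(host)          # phishing kits often use raw IPs
            findings.append((href, "link target is a bare IP address"))
            continue
        except ValueError:
            pass
        if registered_domain(host) == brand_domain:
            continue                            # genuinely on the brand's domain
        if brand_domain in text.lower():
            findings.append((href, f"text claims {brand_domain}, target is {host}"))
        elif brand_domain in host:
            findings.append((href, f"{brand_domain} used as a lure label in {host}"))
    return findings

# Constructed sample resembling the Katrina-era appeal (not a real message).
SAMPLE_MAIL = """
<p>Give now at <a href="http://www.redcross.org.relief-now.example/give">www.redcross.org</a>.</p>
<p>Or use our <a href="http://192.0.2.10/donate">secure donation form</a>.</p>
<p>Real site: <a href="https://www.redcross.org/donate">www.redcross.org/donate</a></p>
"""
```

Running `suspicious_links(SAMPLE_MAIL, "redcross.org")` flags the first two links and leaves the genuine one alone.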