stijlnet.com

stijlnet.com Security Focus - Common sense to protect yourself online


Avoiding Viruses and Malware

1. A FIREWALL is recommended for all Operating Systems, and is absolutely essential if you are using Windows 2000 or XP. Windows XP has one incorporated, although you must ensure it is activated on each of your connections. If you are using an earlier version of Windows then you can download a good firewall solution from ZoneLabs called ZoneAlarm. The basic firewall is free for non-business use.

2. Regularly update and run a decent Anti-Virus solution to check your system for viruses and to scan incoming mail.

3. Use a solution such as SpyBot Search and Destroy to check for spyware on your computer. It's free and a superb piece of software.

4. Don't open suspicious files that are mailed to you, even by friends, unless the email is personalised and explains to you exactly what the contents of the file actually are. Infected machines regularly mail out to complete address books in manners such as 'Hey - open this e-card. It's cool!' Most people sending genuine email will actually sign off with their real name or nickname. If incoming mail doesn't have this kind of personalised touch then be extremely wary of opening it or mail the sender back to clarify the contents of an attached file.

5. Be especially wary of email from people who don't know you and attach files. There are many variations including mail purporting to be from the FBI about the recipient's internet usage 'From: abuse@gov.us / To: you@youraddress / Subject: Internet Provider Abuse / Text: I noticed that you have visited illegal websites.See the name in the list! +++ Attachment: No Virus found' (but of course the attachment was actually a virus), from banks and ISPs about account details, companies about fake orders and all manner of other methods designed to dupe you into opening attachments. Of course they are not really from the purported sender but inserting incorrect information in an email 'From' field is something anyone or any virus can do.

6. Stay away from dubious websites. The best case scenario you could hope for would be some iffy tracking cookies. The worst case scenario is inadvertently installing a dialler (nice phone bill!!) or keystroke logging software (Here world! Have the details of everything I type - credit card numbers, emails, passwords etc etc!).

7. You may even receive attachments purporting to come from your own domain name. If you receive a mail in a format similar to the following 'From: admin@yourowndomain / To: yourmailbox@yourowndomain / Subject: Your Password has been successfully updated / Text: please see attached files for details,' then you know for sure it is a nasty. As you are both domain admin and the user you obviously didn't send this to yourself, but the virus that lifted the 'yourmailbox@yourowndomain' part from the temporary internet files or mail client on someone else's infected box isn't to know that.

8. Be wary of using P2P file sharing networks. It's a completely outdated perception that viruses only spread through email. Many of the viruses in 2004 were ones that sniffed complete subnets looking for open ports on vulnerable computers. Music sharers around the world found that their unpatched, non-firewalled systems were compromised in the millions.

9. Regularly update and patch your operating system. In most cases this will be Microsoft Windows of one flavour or another which can be updated at microsoft.com. Just click on 'Windows Update' or have it automated to synchronize at regular intervals when you go online. Many MS Windows viruses can be avoided if a user has patched the particular recently discovered vulnerability that new viruses will exploit.

Avoiding Spam (Unsolicited Bulk Email)

1. Don't post your email address online. Spam merchants utilise scripts that crawl webpages and indiscriminately lift out any email addresses found on them. This applies to message board forums and the like as well. If you must post an address in a forum then the best option is to literally spell it out in a manner such as 'user *AT* domain-name *DOT* com' or 'user@domain-name.DELETETHIScom' where a human can work out the address but a bot can't.

2. Don't subscribe to mailing lists if they are not provided by reputable sites. Remember to tick the box that says something along the lines of 'Do not pass on my details to third parties' if you are signing up for anything online.

3. If you register domain names try to use a separate email address for the WHOIS information as many spam merchants lift email addresses directly from WHOIS lookups.

4. Apply whatever mail filters are available on your email account in a way that suits you best. Remember though that much legitimate email, such as that from banks, mailing lists you did subscribe to and other machine generated mail can be interpreted by higher filtering settings as 'spam' so you should regularly check your spam box to ensure that email you do want isn't being thrown into it.

5. DO NOT use the 'unsubscribe' link that appears in spam if you never subscribed to receive such communications in the first place. This is perhaps one of the most common mistakes that causes people to increase the quantity of spam that they receive. All you will in effect be doing is confirming to a spam merchant that a) the mailbox is live b) it is regularly checked and c) that the recipient actually reads unsolicited mail. You are an ideal candidate to receive more not only from the one to whom you replied but every other spam merchant to whom they sell-on their lists. As a confirmed address you have also increased the value of your mail address to them, thus financially benefitting them further. As a footnote it is useless to email the purported sender of spam to rant at them for mailing you lots of rubbish. All you will do is antagonise another innocent internet user, since in 99% of cases the 'From' field will be forged.

6. Use an ISP that subscribes to what are known as 'Block Lists' which will refuse all email originating from IP addresses that belong to networks known to be 'spam' friendly. No reputable company or site should knowingly be hosted on IP addresses belonging to or controlled by spam gangs.

7. DO NOT be tempted to utilise spam for your own sites or buy goods / services from sites that use spam as a marketing method. Only if nobody buys the goods spamvertised will spamming become a futile exercise and the deliverers of such begin to move onto other things. Remember that many spam merchants, whilst claiming the legitimacy of their mailings, have built up small fortunes having moved into the field from other criminal endeavours. It is NOT a victimless exercise. The victims are every single legitimate mail user and if not combatted it seriously threatens the whole effectiveness of email as a communications tool. Spammers are nothing more than cynical abusers of other individuals' rights. All kinds of unsolicited bulk email should be regarded as 'spam' not just that directly selling goods or services. Any kind of email sent out unsolicited in bulk IS spam. Make no mistake about that. Raising awareness of a free site, spreading a message or anything else that doesn't actually solicit payment is STILL spam if sent out in bulk and without the permission of the recipient. An example of this is Robert Soloway's SPAMIS rantings against Microsoft. Mr Soloway's 'Newport Internet Marketing Corporation' has been responsible for some of the worst abuses of mail systems and bulk mailings known. His bitterness stems from finally being taken to court over it. In typical spammer doublethink he has decided to whinge to the world by, guess what, spamming the world. The mail does not attempt to lure you into visiting a site or buying a product but it is still spam, nothing more, nothing less.

Avoiding Phishing

eBay / PayPal, High Street Banks, AOL and a host of other large companies have been targeted by so-called 'Phishermen' over the years. The spelling, incidentally, comes from what was known as 'Phone Phreaking' back in 70s USA, cloning and then billing services to genuine unsuspecting phone users' numbers. In a modern version you may receive an email similar to one of the following:

1. 'eBay Member, 00-34232553-003319858-JJSJ-091832. During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. This might be due to either of the following reasons: 1. A recent change in your personal information ( i.e. change of address). 2. Submitting invalid information during the initial sign up process. 3. An inability to accurately verify your selected option of payment due to an internal error within our processors. Please update and verify your information by clicking the link below: http://220.69.240.201/verify.html' This is obviously the most crude and most likely to be spotted by even the inexperienced as the mail was text only and there was no attempt to even hide the true URL that the victim would be sent to.

2. The following, however, looked like an official communication, complete with logos and company information etc., and the hyperlink referred to purported to be a PayPal one, although of course it actually linked to somewhere else. 'Dear PayPal Member,Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your PayPal account and to ensure a safe PayPal experience. We require all flagged accounts to verify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below.' The mail logos may well look authentic (they are often actually called from the genuine website) and the hyperlink looks as if it will take you to part of the authentic site, but of course it takes you to a wholly unassociated page (again of course masquerading as the site in question complete with logos etc) where you will be prompted to submit your details.

3. Recently, however, the most common and most sophisticated ones follow the pattern of these below soliciting information from users of UK banks. The whole email consists of an image (helping avoid spam filters), and the link that is shown (AND the one a mouseover reveals, which matches it) does appear to be about to take you to a secure area of the genuine site. However, by use of a redirecting script, it still takes you to a page wholly unassociated with the company (of course again masquerading as the site in question) where you will be prompted to submit your details. In the most sophisticated of all you may be tricked even further by the site you are sent to modifying your browser, hiding the URL line and inserting an image at the top, where the page's true URL should be, containing an address at the legitimate site. Other variations included an exploit in early 2004 of a vulnerability in Internet Explorer, whereby 'The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window.' Quoted from http://www.microsoft.com/technet/security/Bulletin/MS04-004.asp. This was addressed in MS04-004: Cumulative Security Update for Internet Explorer.

The origins of the numerous examples above are diverse including Eastern Europe, China and the Far East. Often linguistic mistakes can alert even the most inexperienced of users, one almost laughable example being this phishing attempt 'Hello dear client Barclays Bank. Today our system of safety at night has been cracked!!! It not a joke!!! It is the truth!!! We ask you, in order to prevent problems, to repeat registration of your data. Make it very quickly! Administration Barclays Bank.' In truth wishing with sincere that no person had be falling for this email particular non-honesty!!!

REMEMBER: If you receive an email from any organisation that you deal with requesting you to update your information or account details then DO NOT follow the links contained in the email. Login to your account directly at the site, using the URL that you normally use to check the status of your account. Most reputable companies will not request you follow links in their emails when you need to update sensitive information specifically due to the issue of phishing. Other safeguards against phishing should be covered by the 'Avoiding Viruses' section above to prevent Trojans (these can be used to exploit vulnerabilities and open a backdoor or take system screenshots of sensitive details, such information then being relayed to the fraudsters) and also to guard against spyware such as keystroke loggers, which will again relay information back to those responsible.

Avoiding Scams such as 419 (Nigerian Scam)

1. Nigerian Mail Scam - If you have never received one of these emails then you are either extremely lucky or a new user. Anyway, if you don't know what the Nigerian or 419 Scam is (named after the appropriate section of that country's penal code) then here is how it begins. You get an email beginning something like this 'I am Mr.Jack Jogbe,the Auditor General of a bank in Africa,during the course of our auditing I discovered a floating fund in an account opened in the bank in 1990 and since 1993 nobody has operated on this account again,after going through some old files in the records I discovered that the owner of the account died without a [heir]' and it continues offering you a substantial share of the account's tens of millions of dollars if you will assist in the transfer of this money out of the country in question, be it Nigeria, Ivory Coast, Zimbabwe or wherever. There are now thousands of variations of this mail, some with laughably bad spelling and grammar, many containing links to supposedly substantiate their claims of the accident in which the 'deceased' died or the turmoil of the country. All will request you send an email to the individual, call them on a 'secure' satellite or cell phone, provide your own personal details and the likes. Whether the scam is to get you to furnish your bank details early on to 'facilitate the transfer' in which case it will be cleared before you can type '419' or to get you to actually send repeated funds to cover the initial 'costs' it is still the same, a scam to reel in the gullible. Sure have a laugh at the creative scenarios they have invented, the sycophantic language in which they implore you to 'keep this transaction in total confidence' but at the end of it JUST IGNORE IT

2. Online Lottery Winner Scam - Your email has been fortunate enough to share in a European Lottery fund. You only need to contact your claims representative in order to get your hands on your part of the booty. The only problem is that you never actually participated in any lottery. As money doesn't fall from the sky to random email addresses in this manner you should already suspect that this is a scam. Of course there is no prize fund. All that will happen is that you are duped into handing over a substantial 'processing' or 'representative' fee before your 'claims representative' and all traces of the 'lottery' disappear into the ether along with your hopes of receiving a penny.

Avoiding Over-Payment Rebate or Foreign Company Representative Scams

This is a scam that involves moving money to individuals in foreign countries around the world by methods such as Western Union. Whilst the two examples shown here may at first glance appear to be unrelated scams they do in fact share the common goal of duping you into sending funds you may believe you have already received out of the country, only to then discover that the accounts you were paid from were being fraudulently used, be it by cheque, PayPal, bank transfer or whatever.

1. Over Payment Rebate - You are selling something online at £1000 say (be it on eBay, through a classified site or even your own online store) and a foreign buyer contacts you to enquire about the item in question. You agree to ship the goods abroad or even for someone in your own country to collect them on the buyer's behalf. The purchaser then informs you that someone else who 'owes them money' will be making payment to you and a cheque arrives for more than the cost of the item, say £3000. You are requested to forward the balance (in this scenario £2000) on to the foreign purchaser. The only problem is that the cheque, credit card or PayPal payment you have accepted is worthless as it is using stolen account details. You end up with a charge back for the full amount, but by this point it is already too late; the 'balance' has been sent out of the country. Even in scenarios where the goods are supposed to be collected by 'a friend' they rarely are; the fraudsters are primarily interested in the cash and would prefer to keep themselves at a safe distance from the person or business being scammed. If you actually agreed to ship the goods and rebate to Lagos, say, then you lose out doubly. Your money and your goods are gone, not forgetting that you will be embroiled in the ensuing police investigation not just as a victim but as a facilitator of the fraud as well.

2. Foreign Company Representative - A foreign 'company' contacts you by email claiming that it is looking for representatives in your own country who can take payments and transfer funds back to them for goods that will be ordered online from them by individuals with bank accounts and residence in your own country. You will have no dealings with distribution or the like and will be given a generous 15% commission for your time. You will receive 'payments' which are in fact merely stolen cheques or bank transfers using stolen information. You will be asked to forward these payments minus your 15% commission. If you accept the offer then the domestic payments begin to roll in thick and fast and you forward 85% via Western Union or wire transfer to a foreign individual or account. However, this is NOT a real job offer at all. There are NO goods being moved and no real customers. When the police come knocking on your door you realise that you are part of an international fraud. In this scenario you would be regarded as a facilitator of this fraud and most likely prosecuted accordingly. As complete payment went to you in the first instance you would be liable for the full amount of all monies received in addition to facing a criminal conviction. Gullibility would be no defence in this scenario.

Last updated June 2005


stijlnet.com ©2005-6 Digital Freedom Ltd (UK) All Rights Reserved - Disclaimers, Privacy Statements, Terms and Conditions Apply