Internet Snagged In the Hooks Of Phishers
Leslie Walker, Washington Post 2004-07-29

Maybe it's time we all went to digital self-defense school. How else can we learn how to deflect the Internet thieves pounding on our electronic doors?

Internet Snagged In the Hooks Of Phishers 2004-07-29
Todd Knarr
I wonder about all this uproar about phishing. It isn't anything new; after all, it's been going on since credit cards came on the scene. The traditional scheme has been a standard letter purporting to come from the company, asking you to fill in the enclosed form and return it to the company in a provided envelope. Later it became a phone call purporting to be from the company, asking for an update to information. In both cases the solution was simple and the same: never respond to a communication someone else initiates. If it's a letter, return the information using your own envelope addressed to the customer-service address that comes in your regular bill. If it's a phone call, hang up and call the customer-service phone number in your regular bill. In both cases this will ensure you're talking to the company you think you're talking to, and if the original communication is really real they'll know what you're talking about and be prepared to help you.

The same thing applies to phishing e-mails. If eBay is asking you to confirm your account information, ignore the links in the e-mail and go to eBay's site directly (either by typing their URL in or using your bookmark) (note: DO NOT type in the link given in the e-mail, use the normal URL you would've if you hadn't received the e-mail) and log in to your account. If you really need to update or confirm your information, then it'll say something about it on either eBay's home page or your account home page. When you do this, you completely eliminate the phisher's ability to direct you to his site.

One simple rule: never ever give out personal information to someone if they initiated the communication or if you're using a contact they provided. Always initiate the communication yourself and use a contact point you already had and know is direct from the real entity you want to communicate with. How hard is this rule to follow?

Internet Snagged In the Hooks Of Phishers 2004-07-30
Bob from Denver
No universal tool? 2004-07-31
-bildr







 

Copyright 2009, SecurityFocus