Wednesday, January 04, 2006

Avoiding phishing scams; warning on fund distributions

There are no typos. The language is plain and straightforward, not stilted and almost drunken. The situation seems plausible.

The e-mail I received yesterday from "Amazon.com" about my account and an "Amazon Payments Billing Issue" included just one clue and it went like this: "After responding to the message, we ask that you allow at least 72 hours for the case to be investigated. E-mailing us before that time will result in delays."

Had I responded, the bad guys phishing for account information wanted three days in which to get away; no company of which you are a legitimate customer would ask for your help clearing up a payments issue and then tell you to avoid contact. The fraudsters trying to commit some form of identity theft knew that contacting Amazon directly would lead to their plot being foiled.

But they almost had me fooled, and I see these kinds of e-mails all the time.

"Phishing" is a criminal activity involving fake e-mails and bogus Web sites, trying to bamboozle consumers into revealing personal financial data. While the ploy started with banks and credit-card companies, it has evolved to retailers and almost any other business that takes credit or personal information online.

The tactic is particularly pervasive now, in the wake of the holiday season, in part because consumers are more vulnerable due to recent purchase activity. In my case, for example, the note appeared more real because I recently made my only Amazon purchases of the last 12 months.

That use of the account, plus the note suggesting that there had been unusual activity on my account, was just enough to get me to wonder. The rest of the information was clean enough that it looked real, except for the 72-hour comment.

Amazon subsequently confirmed that the note was a fraud.

For me, phishing notes always have been easy to spot. The header on the e-mail will warn of the suspension of an account from some company I don't do business with; on the rare occasions when it has been a retailer I have purchased from in the past, there are obvious problems, like the sender having an address from a service provider like Hotmail instead of, say, Amazon.com.

Because phishing expeditions frequently are run offshore, they often are written in a strange version of English, using phrases like "We earnestly ask you to use this connected link to commence the process of customer data confirmation."

When the note is trying too hard to sound official, when it calls you "customer" instead of by your name, when the link has an address that appears strange, you should get nervous. In fact, if the e-mail includes your name, that's no guarantee either.
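As an added illustration, not part of the original column, here is a small Python checker that applies the red flags just described (free-mail sender address, generic "customer" greeting, a request to wait before contacting the company, and a link whose real address is not the brand's) to a constructed message modelled on the one in the column. The sender address, the URL and the `phishing_indicators` function are invented for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Red flags named in the column: free-mail sender, generic "customer"
# greeting, a request to wait before contacting the company, odd link address.
FREE_MAIL = {"hotmail.com", "gmail.com", "yahoo.com"}
GENERIC_GREETING = re.compile(r"\bdear\s+(valued\s+)?(customer|member|user)\b", re.I)
WAIT_BEFORE_CONTACT = re.compile(
    r"allow at least \d+ hours|before that time will result in delays", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

def registered_domain(host):
    """Crude last-two-labels heuristic; adequate for the .com/.net samples here."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw, brand_domain):
    """Return the red flags found in a raw RFC 822 message claiming to be brand_domain."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    if sender_domain in FREE_MAIL:
        flags.append("sender uses free-mail provider " + sender_domain)
    elif sender_domain != brand_domain:
        flags.append("sender domain %r is not %s" % (sender_domain, brand_domain))
    if GENERIC_GREETING.search(body):
        flags.append("generic salutation instead of your name")
    if WAIT_BEFORE_CONTACT.search(body):
        flags.append("asks you not to contact the company for a period")
    for url in HREF.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != brand_domain:
            flags.append("link points to %s, not %s" % (host, brand_domain))
    return flags

# Constructed sample modelled on the message the column describes; the
# address and URL are invented placeholders, not real indicators.
SAMPLE = """From: "Amazon.com Payments" <billing-notice@hotmail.com>
Subject: Amazon Payments Billing Issue

Dear Customer,
We noticed unusual activity on your account. Please confirm your details
<a href="http://amazon-payments-verify.example.net/login">here</a>.
After responding to the message, we ask that you allow at least 72 hours for
the case to be investigated. E-mailing us before that time will result in delays.
"""
```

Running `phishing_indicators(SAMPLE, "amazon.com")` reports all four flags, while a message from the brand's own domain that greets you by name and links only to that domain reports none.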

Rather than following up on this kind of notice -- no matter how official looking it might be -- contact the company directly, through normal channels. Ignore the links and go to the real site -- entering the address yourself -- to look at your account activity, review the company's policies and forward the e-mail to an address you find on the site to inquire whether it's real.

The bad guys are getting more sophisticated and their attempts are getting better. That's trouble for the rest of us, and should force all consumers to raise their attention to details to keep their vital personal information safe.